By: Peter Girnus, Aliakbar Zahravi June 09, 2023 Read time: 3 min (681 words)
We look into BatCloak engine, its modular integration into modern malware, proliferation mechanisms, and interoperability implications as malicious actors take advantage of its fully undetectable (FUD) capabilities.
UPDATE as of 6/15/2023 7:30PM (PHT): We’ve updated this entry to include indicators of compromise (IOCs) for BatCloak.
In our recent investigation, we discovered the use of heavily obfuscated batch files utilizing the advanced BatCloak engine to deploy various malware families at different instances. Running analysis and sample collection from September 2022 to June 2023, we found that these batch files are designed to be fully undetectable (FUD) and have demonstrated a remarkable ability to persistently evade security solutions. As a result, threat actors can load various malware families and exploits by leveraging highly obfuscated batch files seamlessly. Our initial research titled “The Dark Evolution: Advanced Malicious Actors Unveil Malware Modification Progression” delves into the continuing evolution of BatCloak, uncovering the modifications that have propelled modern malware to new levels of security evasion.
This is the first entry in a three-part technical research series taking an in-depth look at the continuing evolution of the highly evasive batch obfuscation engine BatCloak. The second part of this series, “SeroXen Incorporates Latest BatCloak Engine Iteration,” will look into the remote access trojan (RAT) SeroXen, a piece of malware gaining popularity for its stealth and, in its latest iterations, targets gamers, enthusiast communities, and organizations. Aside from the RAT’s own tools, we will look into the updated BatCloak engine included as SeroXen’s loading mechanism. The third and last part of this series, “SeroXen Mechanisms: Exploring Distribution, Risks, and Impact,” will detail the distribution mechanisms of SeroXen and BatCloak. We also include our security insights on the community and demographic impact of this level of sophistication when it comes to batch FUD obfuscation.
Defying detection: A preview of BatCloak engine’s efficacy
We analyzed hundreds of batch samples sourced from a public repository. The results showed a staggering 80% of the retrieved samples exhibiting zero detections from security solutions. This finding underscores the ability of BatCloak to evade traditional detection mechanisms employed by security providers. Moreover, when considering the overall sample set of 784, the average detection rate was less than one, emphasizing the challenging nature of identifying and mitigating threats associated with BatCloak-protected pieces of malware.
Figure 1. BatCloak detection counts from a public repository; samples and detection results collected from September 2022 to June 2023
Understanding the evolving landscape of advanced malware techniques such as FUD obfuscator BatCloak enables us to develop more effective strategies for combating the ever-evolving threats posed by these sophisticated adversaries. These findings highlight the pressing need for enhanced approaches to malware detection and prevention, such as a cutting-edge multilayered defensive strategy and comprehensive security solutions.
Security teams and organizations are advised to exercise a zero-trust approach. Teams should implement solutions capable of combining multiple rules, filters, and analysis techniques, including data stacking and machine learning to address the need for precise detection, as these tools can analyze individual and dynamic file signatures and observe patterns via heuristics and behavioral analysis. When uncertain of intrusions, behaviors, and routines, assume compromise or breach immediately to isolate affected artifacts or tool chains. With a broader perspective and rapid response, an organization can address these and keep the rest of its systems protected. Multilayered technologies and solutions, such as Trend Micro XDR™️, efficiently monitor, detect, and block tiered threats and attacks, as well as their clones and modified versions.
Instead of marking the end of an infection or an attack prior to the target because of siloed solutions, an extended detection and response capability across endpoint, servers, workloads, email, network, cloud, and identity observed from a single platform like Trend Vision One™️ can mitigate these risks by considering adversarial tactics, techniques, and procedures (TTPs) to profile the entirety of a routine. Trend Vision One also correlates with a connected threat intelligence system and rapidly prioritizes and responds with the necessary security and defensive actions as far left of the routine as possible.
Download the first part of our analysis on BatCloak engine here, and the indicators of compromise (IOCs) here and below :
By: Lucas Silva, RonJay Caragay, Arianne Dela Cruz, Gabriel Cardoso June 30, 2023 Read time: 7 min (1889 words)
Recently, the Trend Micro incident response team engaged with a targeted organization after having identified highly suspicious activities through the Targeted Attack Detection (TAD) service. In the investigation, malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations. In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.
Advertising platforms like Google Ads enable businesses to display advertisements to target audiences to boost traffic and increase sales. Malware distributors abuse the same functionality in a technique known as malvertising, where chosen keywords are hijacked to display malicious ads that lure unsuspecting search engine users into downloading certain types of malware.
The targeted organization conducted a joint investigation with the Trend team and discovered that cybercriminals performed the following unauthorized and malicious activities within the company’s network:
Stole top-level administrator privileges and used these privileges to conduct unauthorized activities
Attempted to establish persistence and backdoor access to the customer environment using remote management tools like AnyDesk
Attempted to steal passwords and tried to access backup servers
It is highly likely that the enterprise would have been substantially affected by the attack if intervention had been sought later, especially since the threat actors had already succeeded in gaining initial access to domain administrator privileges and started establishing backdoors and persistence.
The following chart represents how the infection starts.
Figure 1. Infection chain of the observed attack
In the following sections, we discuss the details of this case: how threat actors made the initial access, what kind of attacks they carried out, and the lessons that can be drawn from this event.
Deep dive into the infection chain
The infection starts once the user searches for “WinSCP Download” on the Bing search engine. A malicious ad for the WinSCP application is displayed above the organic search results. The ad leads to a suspicious website containing a tutorial on how to use WinSCP for automating file transfer.
Figure 2. A suspicious site from a malvertisement
From this first page, the user is then redirected to a cloned download webpage of WinSCP (winsccp[.]com). Once the user selects the “Download” button, an ISO file is downloaded from an infected WordPress webpage (hxxps://events.drdivyaclinic[.]com). Recently, the malicious actor changed their final stage payload URL to the file-sharing service 4shared.
Figure 3. Malicious download site
The overall infection flow involves delivering the initial loader, fetching the bot core, and ultimately, dropping the payload, typically a backdoor.
In summary, the malicious actor uses the following malvertising infection chain:
A user searches for an application by entering a search term in a search bar (such as Google or Bing). In this example, the user wants to download the WinSCP application and enters the search term “WinSCP Download” on the Bing search bar.
Above the organic search results, the user finds a malvertisement for the WinSCP application that leads to a malicious website.
Once the user selects the “Download” button, this begins the download of an ISO file to their system.
On Twitter, user @rerednawyerg first spotted the same infection chain mimicking the AnyDesk application. Once the user mounts the ISO, it contains two files, setup.exe and msi.dll. We list the details of these two files here:
Setup.exe: A renamed msiexec.exe executable
Msi.dll: A delayed-loaded DLL (not loaded until a user’s code attempts to reference a symbol contained within the DLL) that will act as a dropper for a real WinSCP installer and a malicious Python execution environment responsible for downloading Cobalt Strike beacons.
Figure 4. The files downloaded once a user mounts the ISO
Once setup.exe is executed, it will call the msi.dll that will later extract a Python folder from the DLL RCDATA section as a real installer for WinSCP to be installed on the machine. Two installations of Python3.10 will be created — a legitimate python installation in %AppDataLocal%\Python-3.10.10 and another installation in %Public%\Music\python containing a trojanized python310.dll. Finally, the DLL will create a persistence mechanism to make a run key named “Python” and the value C:\Users\Public\Music\python\pythonw.exe.
Figure 5. The run key named “Python”
When the executable pythonw.exe starts, it loads a modified/trojanized obfuscated python310.dll that contains a Cobalt Strike beacon that connects to 167[.]88[.]164[.]141.
The following command-and-control (C&C) servers are used to obtain the main beacon module:
File name
C&C
pp.py
hxxps://167.88.164.40/python/pp2
work2.py
hxxps://172.86.123.127:8443/work2z
work2-2.py
hxxps://193.42.32.58:8443/work2z
work3.py
hxxps://172.86.123.226:8443/work3z
Multiple scheduled tasks executing batch files for persistence were also created in the machine. These batch files execute Python scripts leading to in-memory execution of Cobalt Strike beacons. Interestingly, the Python scripts use the marshal module to execute a pseudo-compiled (.pyc) code that is leveraged to download and execute the malicious beacon module in memory.
The Trend Vision One™ platform was able to generate the following Workbench for the previously mentioned kill chain.
Figure 6. Kill chain for the executed malware
The threat actor used a few other tools for discovery in the customer’s environment. First, they used AdFind, a tool designed to retrieve and display information from Active Directory (AD) environments. In the hands of a threat actor, AdFind can be misused for enumeration of user accounts, privilege escalation, and even password hash extraction.
In this case, the threat actor used it to fetch information on the operating system using the command adfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName. The command specifies that it wants to retrieve the values of the name, common name (CN), operating system, and dNSHostName attributes for each computer object and output its result in a CSV format.
The threat actor used the following PowerShell command to gather user information and to save it into a CSV file:
We also observed that the threat actor used AccessChk64, a command-line tool developed by Sysinternals that is primarily used for checking the security permissions and access rights of objects in Windows. Although the threat actor’s purpose for using the tool in this instance is not clear, it should be noted that the tool can be used for gaining insights on what permissions are assigned to users and groups, as well as for privilege escalation and the identification of files, directories, or services with weak access control settings.
The threat actor then used findstr, a command-line tool in Windows used for searching strings or regular expressions within files by using the command findstr /S /I cpassword \\<REDACTED>\sysvol\<REDACTED>\policies\*.xml.
It is possible that the purpose of this command is to identify any XML files that contain the string cpassword. This is interesting from a security context since cpassword is associated with a deprecated method of storing passwords in Group Policy Preferences within AD.
Figure 7. How finsdtr is used in the attack
We also observed the execution of scripts with PowerShell. For instance, the command IEX (New-Object Net.Webclient).DownloadString(‘hxxp://127[.]0[.]0[.]1:40347/’); Invoke-FindLocalAdminAccess -Thread 50” it invokes a PowerShell function called Invoke-FindLocalAdminAccess and passes the parameter -Thread with a value of 50. This function is likely part of a script that performs actions related to finding local administrator access on a system.
Another PowerShell script used by the threat actor was PowerView. PowerView, which belongs to the PowerSploit collection of scripts used to assist in penetration testing and security operations, focuses on AD reconnaissance and enumeration and is commonly used by threat actors to gather information about the AD environment.
PowerShell Expand-Archive command was used to extract the ZIP files.
WMI was used to launch CoBeacon remotely across the environment.
C:\WINDOWS\system32\cmd.exe /C wmic /NODE:”<REDACTED>” process call createC:\users\public\videos\python\pythonw.exe C:\users\public\videos\python\work2-2.py
To obtain high-privileged credentials and escalate privileges, the threat actor used a Python script also containing the marshal module to execute a pseudo-compiled code for LaZagne. Another script to obtain Veeam credentials following the same structure was also identified in the environment.
PsExec, BitsAdmin, and curl were used to download additional tools and to move laterally across the environment.
The threat actor dropped a detailed KillAV BAT script (KillAV is a type of malicious software specifically designed to disable or bypass antivirus or antimalware programs installed on a target system) to tamper with Trend protections. However, due to the agent’s Self-Protection features and VSAPI detections, the attempt failed. The threat actors also made attempts to stop Windows Defender through a different KillAV BAT script.
Finally, the threat actor installed the AnyDesk remote management tool (renamed install.exe) in the environment to maintain persistence.
Figure 8. Remote management tool installed for persistence
After a diligent and proactive response, the attacker was successfully evicted from the network before they could reach their goal or execute their final payload. The incident response team also presented immediate countermeasures as well as medium- and long-term security procedures for implementation.
BlackCat uses the same tools, techniques, and procedures (TTPs)
In another investigation, following the same TTPs described previously described, we were able to identify that this activity led to a BlackCat (aka ALPHV) infection. Along with other types of malware and tools already mentioned, we were able to identify the use of the anti-antivirus or anti-endpoint detection and response (EDR) SpyBoyterminator in an attempt to tamper with protection provided by agents.
In order to exfiltrate the customer data, the threat actor used PuTTY Secure Copy client (PSCP) to transfer the gathered information. Investigating one of the C&C domains used by the threat actor behind this infection also led to the discovery of a possible related Cl0p ransomware file.
Figure 9. Files indicating possible Cl0p ransomware file
Conclusion and recommendations
In recent years, attackers have become increasingly adept at exploiting vulnerabilities that victims themselves are unaware of and have started employing behaviors that organizations do not anticipate. In addition to a continuous effort to prevent any unauthorized access, early detection and response within an organization’s network is critical. Immediacy in remediation is also essential, as delays in reaction time could lead to serious damage.
By understanding attack scenarios in detail, organizations can not only identify vulnerabilities that could lead to compromise and critical damage but also take necessary measures to prevent them.
Organizations can protect themselves by taking the following security measures:
Educate employees about phishing. Conduct training sessions to educate employees about phishing attacks and how to identify and avoid them. Emphasize the importance of not selecting suspicious links and not downloading files from unknown sources.
Monitor and log activities. Implement a centralized logging system to collect and analyze logs from various network devices and systems. Monitor network traffic, user activities, and system logs to detect any unusual or suspicious behavior.
Define normal network traffic for normal operations. Defining normal network traffic will help identify abnormal network traffic, such as unauthorized access.
Improve incident response and communication. Develop an incident response plan to guide your organization’s response in case of future breaches. Establish clear communication channels to inform relevant stakeholders, including employees, customers, and regulatory bodies, about a breach and the steps being taken to address it.
Engage with a cybersecurity professional. If your organization lacks the expertise or resources to handle the aftermath of a breach effectively, consider engaging with a reputable cybersecurity firm to assist with incident response, forensic analysis, and security improvements.
Indicators of Compromise (IOCs)
The full list of IOCs can be found here and below :
CDNs help keep Microsoft 365 fast and reliable for end users. Cloud services like Microsoft 365 use CDNs to cache static assets closer to the browsers requesting them to speed up downloads and reduce perceived end user latency. The information in this topic will help you learn about Content Delivery Networks (CDNs) and how they’re used by Microsoft 365.
What exactly is a CDN?
A CDN is a geographically distributed network consisting of proxy and file servers in datacenters connected by high-speed backbone networks. CDNs are used to reduce latency and load times for a specified set of files and objects in a web site or service. A CDN may have many thousands of endpoints for optimal servicing of incoming requests from any location.
CDNs are commonly used to provide faster downloads of generic content for a web site or service such as Javascript files, icons and images, and can also provide private access to user content such as files in SharePoint Online document libraries, streaming media files, and custom code.
CDNs are used by most enterprise cloud services. Cloud services like Microsoft 365 have millions of customers downloading a mix of proprietary content (such as emails) and generic content (such as icons) at one time. It’s more efficient to put images everyone uses, like icons, as close to the user’s computer as possible. It isn’t practical for every cloud service to build CDN datacenters that store this generic content in every metropolitan area, or even in every major Internet hub around the world, so some of these CDNs are shared.
How do CDNs make services work faster?
Downloading common objects like site images and icons over and over again can take up network bandwidth that can be better used for downloading important personal content, like email or documents. Because Microsoft 365 uses an architecture that includes CDNs, the icons, scripts, and other generic content can be downloaded from servers closer to client computers, making the downloads faster. This means faster access to your personal content, which is securely stored in Microsoft 365 datacenters.
CDNs help to improve cloud service performance in several ways:
CDNs shift part of the network and file download burden away from the cloud service, freeing up cloud service resources for serving user content and other services by reducing the need to serve requests for static assets.
CDNs are purpose built to provide low-latency file access by implementing high performance networks and file servers, and by leveraging updated network protocols such as HTTP/2 with highly efficient compression and request multiplexing.
CDN networks use many globally distributed endpoints to make content available as close as possible to users.
The Microsoft 365 CDN
The built-in Microsoft 365 Content Delivery Network (CDN) allows Microsoft 365 administrators to provide better performance for their organization’s SharePoint Online pages by caching static assets closer to the browsers requesting them, which helps to speed up downloads and reduce latency. The Microsoft 365 CDN uses the HTTP/2 protocol for improved compression and download speeds.
Note
The Microsoft 365 CDN is only available to tenants in the Production (worldwide) cloud. Tenants in the US Government, China and Germany clouds do not currently support the Microsoft 365 CDN.
The Microsoft 365 CDN is composed of multiple CDNs that allow you to host static assets in multiple locations, or origins, and serve them from global high-speed networks. Depending on the kind of content you want to host in the Microsoft 365 CDN, you can add public origins, private origins or both.
Content in public origins within the Microsoft 365 CDN is accessible anonymously, and can be accessed by anyone who has URLs to hosted assets. Because access to content in public origins is anonymous, you should only use them to cache non-sensitive generic content such as Javascript files, scripts, icons and images. The Microsoft 365 CDN is used by default for downloading generic resource assets like the Microsoft 365 client applications from a public origin.
Private origins within the Microsoft 365 CDN provide private access to user content such as SharePoint Online document libraries, sites and proprietary images. Access to content in private origins is secured with dynamically generated tokens so it can only be accessed by users with permissions to the original document library or storage location. Private origins in the Microsoft 365 CDN can only be used for SharePoint Online content, and you can only access assets through redirection from your SharePoint Online tenant.
The Microsoft 365 CDN service is included as part of your SharePoint Online subscription.
Although not a part of the Microsoft 365 CDN, you can use these CDNs in your Microsoft 365 tenant for access to SharePoint development libraries, custom code and other purposes that fall outside the scope of the Microsoft 365 CDN.
Azure CDN
Note
Beginning in Q3 2020, SharePoint Online will begin caching videos on the Azure CDN to support improved video playback and reliability. Popular videos will be streamed from the CDN endpoint closest to the user. This data will remain within the Microsoft Purview boundary. This is a free service for all tenants and it does not require any customer action to configure.
You can use the Azure CDN to deploy your own CDN instance for hosting custom web parts, libraries and other resource assets, which allows you to apply access keys to your CDN storage and exert greater control over your CDN configuration. Use of the Azure CDN isn’t free, and requires an Azure subscription.
Microsoft’s Ajax CDN is a read-only CDN that offers many popular development libraries including jQuery (and all of its other libraries), ASP.NET Ajax, Bootstrap, Knockout.js, and others.
To include these scripts in your project, simply replace any references to these publicly available libraries with references to the CDN address instead of including it in your project itself. For example, use the following code to link to jQuery:
For more information about how to use the Microsoft Ajax CDN, see Microsoft Ajax CDN.
How does Microsoft 365 use content from a CDN?
Regardless of what CDN you configure for your Microsoft 365 tenant, the basic data retrieval process is the same.
Your client (a browser or Office client application) requests data from Microsoft 365.
Microsoft 365 either returns the data directly to your client or, if the data is part of a set of content hosted by the CDN, redirects your client to the CDN URL.a. If the data is already cached in a public origin, your client downloads the data directly from the nearest CDN location to your client.b. If the data is already cached in a private origin, the CDN service checks your Microsoft 365 user account’s permissions on the origin. If you have permissions, SharePoint Online dynamically generates a custom URL composed of the path to the asset in the CDN and two access tokens, and returns the custom URL to your client. Your client then downloads the data directly from the nearest CDN location to your client using the custom URL.
If the data isn’t cached at the CDN, the CDN node requests the data from Microsoft 365 and then caches the data for time after your client downloads the data.
The CDN figures out the closest datacenter to the user’s browser and, using redirection, downloads the requested data from there. CDN redirection is quick, and can save users a lot of download time.
How should I set up my network so that CDNs work best with Microsoft 365?
Minimizing latency between clients on your network and CDN endpoints is the key consideration for ensuring optimal performance. You can use the best practices outlined in Managing Microsoft 365 endpoints to ensure that your network configuration permits client browsers to access the CDN directly rather than routing CDN traffic through central proxies to avoid introducing unnecessary latency.
Is there a list of all the CDNs that Microsoft 365 uses?
The CDNs in use by Microsoft 365 are always subject to change and in many cases there are multiple CDN partners configured in the event one is unavailable. The primary CDNs used by Microsoft 365 are:
CDN
Company
Usage
Link
Microsoft 365 CDN
Microsoft Azure
Generic assets in public origins, SharePoint user content in private origins
There are many factors involved in measuring specific differences in performance between data downloaded directly from Microsoft 365 and data downloaded from a specific CDN, such as your location relative to your tenant and to the nearest CDN endpoint, the number of assets on a page that are served by the CDN, and transient changes in network latency and bandwidth. However, a simple A/B test can help to show the difference in download time for a specific file.
The following screenshots illustrate the difference in download speed between the native file location in Microsoft 365 and the same file hosted on the Microsoft Ajax Content Delivery Network. These screenshots are from the Network tab in the Internet Explorer 11 developer tools. These screenshots show the latency on the popular library jQuery. To bring up this screen, in Internet Explorer, press F12 and select the Network tab, which is symbolized with a Wi-Fi icon.
This screenshot shows the library uploaded to the master page gallery on the SharePoint Online site itself. The time it took to upload the library is 1.51 seconds.
The second screenshot shows the same file delivered by Microsoft’s CDN. This time the latency is around 496 milliseconds. This is a large improvement and shows that a whole second is shaved off the total time to download the object.
Is my data safe?
We take great care to protect the data that runs your business. Data stored in the Microsoft 365 CDN is encrypted both in transit and at rest, and access to data in the Microsoft 365 SharePoint CDN is secured by Microsoft 365 user permissions and token authorization. Requests for data in the Microsoft 365 SharePoint CDN must be referred (redirected) from your Microsoft 365 tenant or an authorization token won’t be generated.
To ensure that your data remains secure, we recommend that you never store user content or other sensitive data in a public CDN. Because access to data in a public CDN is anonymous, public CDNs should only be used to host generic content such as web script files, icons, images and other non-sensitive assets.
Note
3rd party CDN providers may have privacy and compliance standards that differ from the commitments outlined by the Microsoft 365 Trust Center. Data cached through the CDN service may not conform to the Microsoft Data Processing Terms (DPT), and may be outside of the Microsoft 365 Trust Center compliance boundaries.
For in-depth information about privacy and data protection for Microsoft 365 CDN providers, visit the following:
Learn more about Microsoft 365 privacy and data protection at the Microsoft Trust Center
Learn more about Azure privacy and data protection at the Azure Trust Center
How can I secure my network with all these 3rd party services?
Using an extensive set of partner services allows Microsoft 365 to scale and meet availability requirements and enhance the user experience when using Microsoft 365. The 3rd party services Microsoft 365 leverages include both certificate revocation lists; such as crl.microsoft.com or sa.symcb.com, and CDNs; such as r3.res.outlook.com. Every CDN FQDN generated by Microsoft 365 is a custom FQDN for Microsoft 365. If you’re sent to a FQDN at the request of Microsoft 365, you can be assured that the CDN provider controls the FQDN and the underlying content at that location.
For customers that want to segregate requests destined for a Microsoft 365 datacenter from requests that are destined for a 3rd party, we’ve written up guidance on Managing Microsoft 365 endpoints.
Is there a list of all the FQDNs that leverage CDNs?
The list of FQDNs and how they leverage CDNs change over time. Refer to our published Microsoft 365 URLs and IP address ranges page to get up to date on the latest FQDNs that leverage CDNs.
Can I use my own CDN and cache content on my local network?
We’re continually looking for new ways to support our customers’ needs and are currently exploring the use of caching proxy solutions and other on-premises CDN solutions.
Although it isn’t a part of the Microsoft 365 CDN, you can also use the Azure CDN for hosting custom web parts, libraries and other resource assets, which allows you to apply access keys to your CDN storage and exert greater control over your CDN configuration. Use of the Azure CDN isn’t free, and requires an Azure subscription. For more information on how to configure an Azure CDN instance, see Quickstart: Integrate an Azure storage account with Azure CDN.
I’m using Azure ExpressRoute for Microsoft 365, does that change things?
Azure ExpressRoute for Microsoft 365 provides a dedicated connection to Microsoft 365 infrastructure that is segregated from the public internet. This means that clients will still need to connect over non-ExpressRoute connections to connect to CDNs and other Microsoft infrastructure that isn’t explicitly included in the list of services supported by ExpressRoute. For more information about how to route specific traffic such as requests destined for CDNs, see Implementing ExpressRoute for Microsoft 365.
Can I use CDNs with SharePoint Server on-premises?
Using CDNs only makes sense in a SharePoint Online context and should be avoided with SharePoint Server. This is because all of the advantages around geographic location don’t hold true if the server is located on-premises or geographically close anyway. Additionally, if there’s a network connection to the servers where it’s hosted, then the site may be used without an Internet connection and therefore can’t retrieve the CDN files. Otherwise, you should use a CDN if there’s one available and stable for the library and files you need for your site.
A TeamViewer company profile allows the ability within the TeamViewer Management Consoleto manage user permissions and access centrally.
Company admins can add existing users to the license and create new TeamViewer accounts. Both will allow users to log into any TeamViewer application and license the device so they may make connections.
Before starting
It is highly recommended to utilize a Master Account for a company profile, which will be the account that manages all licenses and users.
Each company profile must have one TeamViewer Core multi-userlicense activated; this license can be combined with other licenses of the TeamViewer product family (e.g., Assist AR, Remote Management, IoT, etc. ), but cannot be combined with another TeamViewer Core license.
📌Note: If a company admin attempts to activate a second TeamViewer license, they will need to choose between keeping the existing license or replacing it with the new license.
📌Note: In some cases (with older company profiles and an active perpetual license), multiple core TeamViewer licenses may be activated to one company profile. One subscription license may be added to an existing perpetual license for such company profiles.
License management
Through the TeamViewer Management Console, company admins can manage the licensing of their users directly, including:
Assign/un-assign the license to various members of the company profile.
Reserve one or more channels for specific teams or persons via Channel Groups.
💡Hint: To ensure the license on your company profile best matches your use case, we highly recommend reaching out to our TeamViewer licensing experts.You may find local numbers here.
How to create a company profile
To create a company profile, please follow the instructions below:
On the left-hand side, under the Company header, select User management
In the text box provided, enter the desired company name and click Create.
📌Note: The name of a company profile must be unique and cannot be re-used. If another company profile already uses a name, an error will appear, requesting another name be used instead.
Once the company profile is created, User management will load with the user that created the company profile as a company administrator.
How to add a new user
To add a new user, please follow the instructions below:
Under User management, click the icon of a person with a + sign. Click on Add user.
On the General tab, add the user’s name and email address and enter a password for the user and click Add user.
💡Hint: Other settings for the user can be adjusted under Advanced, Licenses, and Permissions.
The user will now appear under the User management tab. An email is sent to the user with instructions on activating their account.
📌Note: If the user does not activate their account via email, they will receive an error that the account has not yet been activated when trying to sign in.
How to add an existing user
Users that already have an existing TeamViewer account can request to join a company profile using a few simple steps:
Under User management, click the icon of a person with a + sign. Select Add existing account.
Once the user opens the link within a browser, they must sign in with their TeamViewer account. Once logged in, they will be prompted to enter the email address of the company administrator. Once completed, they must tick the box I allow to transfer my account and click Join Company.
The company admin will receive a join request via email. The user will appear in user management, where the company admin can approve or decline the addition of the user to the company profile
📌Notes:
Every user that joins a company profile will be informed that the company admin will take over full management of their account, including the ability to connect to and control all their devices. It is recommended never to join a company profile the user does not know or fully trust.
A user can only be part of one company profile.
How to set user permissions
Users of a company profile have multiple options that can be set by the current company admin, including promoting other users to administrator or company administrator. Permissions are set for each user individually. To access user permissions:
In the User management tab, hovering the cursor over the desired user’s account will produce a three-dots menu (⋮) to the far right of the account. Click this menu and select Edit user from the drop-down.
Once in Edit user, select the Permissions tab. Overall permissions for the account can be changed using the drop-down under the Role header.
Four options are available:
Company administrator: Can make changes to company settings, other administrator accounts, and user accounts.
User administrator: Can make changes to other user accountsbut cannot change company settings or company administrator accounts.
Member: Cannot change the company profile or other users.
Customized permissions: The company admin sets permissions for each aspect of the account.
Once the appropriate role is selected, click Save in the window’s upper-left corner.
📌Note: Changes to user permissions are automatic once saved.
How to remove/deactivate/delete users
Along with adding new or existing accounts, company admins can remove, deactivate, or even delete users from the company profile.
📌Note: A current company admin of that license can only remove a TeamViewer account currently connected to a company profile. TeamViewer Customer Support is unable to remove any account from a company profile.
To remove, deactivate or delete an account, please follow the instructions below:
In the User management tab, hovering the cursor over the desired user’s account will produce a three-dots menu (⋮) to the far right of the account. In the drop-down menu that appears are the three options
Select Delete account, Remove user or Deactivate user.
Consequences of deleting an account
When an account is deleted, the account is not only removed from the company profile but deleted from TeamViewer altogether. The user can no longer use the account or access any information associated with it as it no longer exists.
📌Note: When an account is deleted, the email address associated with the account can be re-used to create a new TeamViewer account.
When a TeamViewer account is deleted from a company profile:
Connection reports, custom modules, and TeamViewer/Remote management policies will be transferred to the current company admin.
Web API Tokens for the deleted user are logged out, and their company functionality is removed
License activations are removed from the deleted user’s account
Shared groups from the deleted user’s account are deleted.
Once the company admin checks the box to confirm that this process cannot be undone, the Delete account button becomes available. Once pressed, the account is deleted.
📌Note: Deletion of any TeamViewer account deletion is irreversible. Only a new account can be created after deletion. All user data will be lost.
Remove user
When an account is removed, the account is removed from the company profile and reverted to a free TeamViewer account. The account is reverted to a free account, and the user is still able to log in with the account. All information associated with the account is still accessible.
When an account is removed from a company profile:
Connection reports, custom modules, and TeamViewer /Remote management policies will be transferred to the current company admin.
Contacts in the contact bookare transferred to the current company admin
Web API Tokens for the user’s account are logged out and their company functionality is removed
License activations are removed from the user’s account
📌Note: Groups & devices in the Computers & Contacts of the removed user’s account are not affected. Any groups shared also will remain shared.
Once the company admin checks the box to confirm that this process cannot be undone, the Remove user button becomes available. Once pressed, the account is removed from the company profile and reverted to a free TeamViewer account.
📌Note: Once a user account is removed from the current company profile, it can request to join another company profile.
Deactivate user
When an account is deactivated, the account is reverted to inactive. The deactivated account is still associated with the company profile but cannot be used to log into TeamViewer on a free or licensed device. The account is rendered completely unusable.
📌Note: When an account is deactivated, the email address associated with the account cannot be used to create a new free TeamViewer account.
💡Hint: To view inactivated users within the company profile, select the drop-down menu under User Status and check the box for Inactive. All inactive users will now appear in user management.
How to reactivate inactive users
When Deactivate user is selected, the account disappears from user management. They are, however, still a part of the Company Profile and can be reactivated back to the license instantly at any time.
To view inactivated users within the company profile, select the menu under User Status and check the box for Inactive. All inactive users will now appear in user management.
Once the user is located, hover the cursor over the account. Select the three-dots menu (⋮) to the right of the user’s account and select Activate user
The user’s original permissions status is reverted, and the account can again be used with any TeamViewer device.
Troubleshooting
Below you will find answers to some common issues encountered when interacting with a company profile.
▹User(s) on a company profile show a free license
In some cases, older users on a company profile may appear as ‘free’ users, especially after upgrading or changing a license. The company admin can resolve this:
Click Company administration on the left-hand side:
Select the Licenses tab and locate the license. Hovering the cursor over the license will produce a three-dots menu (⋮). Click the menu and select Assign from the drop-down.
The users who show ‘free’ will appear in Unassigned. Select the desired users and click the Add button at the bottom of the page.
📌Note: Affected users should log out and then back in to see the licensing changes.
▹Your account is already associated with a company
If a user who is already associated with one company profile attempts to join another company profile, the following pop-up will appear:
The user’s account must be removed from the current company profile to resolve this. The steps required vary depending on whether it is their active or expired company profile or if they are associated with a company profile created by another account.
SCENARIO 1: As company administrator of an active company profile
If a user who created a company profile wishes to delete the company profile associated with their account, they will need to perform the following steps:
Remove all other accounts: Before deleting a company profile, the company admin must remove all other accounts. Perform these steps for each user on the company profile
Remove the company admin account: Once all other accounts have been removed, the company admin will remove their account. This will delete the company profile altogether
The user is immediately logged out and can now follow the process to add their account to an existing company profile
SCENARIO 2: As company administrator of an expired company profile
In some cases, the user may have created a company profile on an older license that is no longer used or active. In such cases, the company profile will appear as expired in the Management Console.
In such cases, it is still possible to delete the company profile:
Click Company administration on the left-hand side.
On the General tab, select Delete company.
A pop-up will appear confirming the request to delete the company profile. Check the box at the bottom to validate, and select Delete company.
SCENARIO 3: The account is a member of a company profile
📌Note: Only a company administrator can remove a user from their company profile – not even TeamViewer can remove a user from a company profile, regardless of the request’s origin.
If the user is a member of another company profile, they will need to contact the company admin of that license to request removal.
Once removed, they can then request to join the correct company profile.
You have the possibility to restrict remote access to your device by using the Block and Allowlist feature in the TeamViewer full version and the TeamViewer Host.
You can find the feature easily by clicking in your TeamViewer full version on the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist.
Let´s begin with the difference between a blocklist and an allowlist.
This article applies to all TeamViewer (Classic) users.
What is a Blocklist?
The Blocklist generally lets you prevent certain partners or devices from establishing a connection to your computer. TeamViewer accounts or TeamViewer IDs on the blocklist cannot connect to your computer.
📌Note: You will still be able to set up outgoing TeamViewer sessions with partners on the blocklist.
What is an Allowlist?
If you add TeamViewer accounts to the Allowlist, only these accounts will be able to connect to your computer. The possibility of a connection to your computer through other TeamViewer accounts or TeamViewer IDs will be denied
If you have joined a company profile with your TeamViewer account, you can also place the entire company profile on the Allowlist. Thus only the TeamViewer accounts that are part of the company profile can access this device.
📌Note: To work with a company profile you will need a TeamViewer Premium or Corporate license
How to set up a Blocklist?
If you would like to deny remote access to your device to specific persons or TeamViewer IDs, we recommend setting up a Blocklist.
You can find the feature easily by clicking in your TeamViewer full version on the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist ➜ Click on Configure…
A new window will open. Activate the first option Deny access for the following partners and click on Add
📌Note: If you activate the Also apply for meetings check box, these settings will also be applied to meetings. Contacts from your blocklist are excluded from being able to join your meetings.
After clicking on Add, you can either choose partners saved on your Computers & Contacts list or add TeamViewer IDs/contacts manually to your blocklist.
How to set up an Allowlist?
If you would like to allow only specific TeamViewer accounts or TeamViewer IDs remote access to your device, we recommend setting up an Allowlist.
You can find the feature easily by clicking in your TeamViewer full version on the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist ➜ Click on Configure…
A new window will open. Activate the second option Allow access only for the following partners and click on Add
📌Note: If you activate the Also apply for meetings check box, these settings will also be applied to meetings. Only contacts from your allowlist will then be able to join your meetings.
After clicking on Add, you can either choose partners saved on your Computers & Contacts list, add TeamViewer IDs/contacts manually to your blocklist, or add the whole company you are part of (only visible if you are part of a company profile).
How to delete blocklisted/allowlisted partners?
If you no longer wish to have certain partners block or allowlisted, you can easily remove them from the list.
To do so navigate in your TeamViewer full version to the Gear icon (⚙) in the upper right corner of the TeamViewer (Classic) application, then Security ➜ Block and Allowlist ➜ Click on Configure… and choose whether you would like to remove partners from the Blocklist or from the Allowlist by choosing either Deny access for the following partners (Blocklist) or Allow access only for the following partner (Allowlist). Now click on the partners you would like to remove and finally click Remove ➜ OK
📌Note: You can choose multiple partners at once by pressing CTRG when clicking on the different partners.
This article provides a step-by-step guide to activating Two-factor authentication for connections (also known as TFA for connections).This feature enables you to allow or deny connections via push notifications on a mobile device.
This article applies to all Windows users using TeamViewer (Classic) 15.17 (and newer) and macOS and Linux users in version 15.22 (and newer).
What is Two-factor authentication for connections?
TFA for connections offers an extra layer of protection to desktop computers.
When enabled, connections to that computer need to be approved using a push notification sent to specific mobile devices.
Enabling Two-factor authentication for connections and adding approval devices
Windows and Linux:
1. In the TeamViewer (Classic) application, click the gear icon at the top right menu.
2. Click on the Security tab on the left.
3. You will find the Two-factor authentication for connections section at the bottom.
4. Click on Configure… to open the list of approval devices.
5. To add a new mobile device to receive the push notifications, click Add.
6. You will now see a QR code that needs to be scanned by your mobile device.
Below please find a step-by-step gif for Windows, Linux, and macOS:
Windows
Linux
macOS
7. On the mobile device, download and install the TeamViewer Remote Control app:
8. In the TeamViewer Remote Control app, go to Settings → TFA for connections.
9. You will see a short explanation and the option to open the camera to scan the QR code.
10. Tap on Scan QR code and you will be asked to give the TeamViewer app permission to access the camera.
11. After permission is given, the camera will open. Point the camera at the QR code on the desktop computer (see Step 6 above).
12. The activation will happen automatically, and a success message will be displayed.
13. The new device is now included in the list of approval devices.
14. From now on, any connection to this desktop computer will need to be approved using a push notification.
📌 Note:TFA for connections cannot be remotely disabled if the approval device is not accessible. Due to this, we recommend setting up an additional approval device as a backup.
Removing approval devices
1. Select an approval device from the list and click Remove or the X.
2. You will be asked to confirm the action.
3. By clicking Remove again, the mobile device will be removed from the list of approval devices and won’t receive any further push notifications.
4. If the Approval devices list is empty, Two-factor authentication for connections will be completely disabled.
Below please find a step by step gif for Windows, Linux and macOS:
▹ Windows:
▹ Linux:
▹ macOS:
Remote connections when Two-factor authentication for connections is enabled
TFA for connections does not replace any existing authentication method. When enabled, it adds an extra security layer against unauthorized access.
When connecting to a desktop computer protected by TFA for connections, a push notification will be sent to all of the approval devices.
You can either:
accept/deny the connection request via the system notification:
accept/deny the connection request by tapping the TeamViewer notification. It will lead to you the following screen within the TeamViewer application to accept/deny the connection:
Multiple approval devices
All approval devices in the list will receive a push notification.
The first notification that is answered on any of the devices will be used to allow or deny the connection.
TeamViewer offers the possibility to activate Account Recovery based on the zero-trust principle.
This is a major security enhancement for your TeamViewer account and a unique offering on the market.
This article applies to all users.
What is Zero Knowledge Account Recovery
In cases where you cannot remember your TeamViewer Account credentials, you click on I forgot my password, which triggers an email with a clickable link that leads you to the option of resetting your password.
The regular reset process leads you to a page where you can set a new password for your account.
The Zero Knowledge Account Recovery acts as another layer of security for this process as the reset process requires you to enter the unique 64 characters Zero Knowledge Account Recovery Code for your account to prove your identity. Important to note is that this happens without any intervention and knowledge of the TeamViewer infrastructure.
Activate Zero Knowledge Account Recover
To activate Zero Knowledge Account Recovery please follow the steps below:
2. Click Edit profile under your profile name (upper right corner).
3. Go to Security in the left menu
4. Click the Activate Zero knowledge account recovery button
📌 Note: The password recovery code is a unique 64 characters code that allows you to regain access if you forgot your password. It is absolutely essential that you print/download your recovery code and keep this in a secure place.
⚠ IMPORTANT: Without the recovery code you won’t be able to recover your account. Access to your account will be irreversibly lost. The data is encrypted with the key and you are the only owner of this key. TeamViewer has no access to it.
5. A PopUp window appears sharing the above information. Click on Generate Recovery Code to proceed.
6. The Recovery Code is shown. You have to download or print the code as well as you tick the check box confirming that you acknowledge and understand that if you lose your zero knowledge account recovery code, you won’t be able to recover your password and you will lose access to your account forever
⚠ Do not tick the box unless you understand the meaning.
7. Once you either downloaded or printed the recovery code and ticked the acknowledge box, you can activate the Zero knowledge account recovery by clicking Activate.
Deactivate Zero Knowledge Account Recovery
To deactivate Zero Knowledge Account Recovery please follow the steps below:
2. Click Edit profile under your profile name (upper right corner).
3. Go to Security in the left menu
4. Click the Deactivate Zero knowledge account recovery button
5. A PopUp appears. You have to tick the check box confirming that you acknowledge and understand that if you will be deactivating your zero knowledge account recovery
6. Click Deactivate to deactivate the Zero Knowledge Account recovery for your TeamViewer Account.
Reset your password
To reset your password for your TeamViewer account, please follow the steps below: (More info here: Reset account password)
TeamViewer is designed to connect easily to remote computers without any special firewall configurations being necessary.
This article applies to all users in all licenses.
In the vast majority of cases, TeamViewer will always work if surfing on the internet is possible. TeamViewer makes outbound connections to the internet, which are usually not blocked by firewalls.
However, in some situations, for example in a corporate environment with strict security policies, a firewall might be set up to block all unknown outbound connections, and in this case, you will need to configure the firewall to allow TeamViewer to connect out through it.
TeamViewer ‘s Ports
These are the ports that TeamViewer needs to use.
TCP/UDP Port 5938
TeamViewer prefers to make outbound TCP and UDP connections over port 5938 – this is the primary port it uses, and TeamViewer performs best using this port. Your firewall should allow this at a minimum.
TCP Port 443
If TeamViewer can’t connect over port 5938, it will next try to connect over TCP port 443.
However, our mobile apps running on iOS and Windows Mobile don’t use port 443.
📌Note: port 443 is also used by our custom modules which are created in the Management Console. If you’re deploying a custom module, eg. through Group Policy, then you need to ensure that port 443 is open on the computers to which you’re deploying. Port 443 is also used for a few other things, including TeamViewer (Classic) update checks.
TCP Port 80
If TeamViewer can’t connect over port 5938 or 443, then it will try on TCP port 80. The connection speed over this port is slower and less reliable than ports 5938 or 443, due to the additional overhead it uses, and there is no automatic reconnection if the connection is temporarily lost. For this reason port 80 is only used as a last resort.
Our mobile apps running on Windows Mobile don’t use port 80. However, our iOS and Android apps can use port 80 if necessary.
Windows Mobile
Our mobile apps running on Windows Mobile can only connect out over port 5938. If the TeamViewer app on your mobile device won’t connect and tells you to “check your internet connection”, it’s probably because this port is being blocked by your mobile data provider or your WiFi router/firewall.
Destination IP addresses
The TeamViewer software makes connections to our master servers located around the world. These servers use a number of different IP address ranges, which are also frequently changing. As such, we are unable to provide a list of our server IPs. However, all of our IP addresses have PTR records that resolve to *.teamviewer.com. You can use this to restrict the destination IP addresses that you allow through your firewall or proxy server.
Having said that, from a security point-of-view this should not really be necessary – TeamViewer only ever initiates outgoing data connections through a firewall, so it is sufficient to simply block all incoming connections on your firewall and only allow outgoing connections over port 5938, regardless of the destination IP address.
In this article, we’re going to show you how to use ChatGPT to write a blog post. If you’re new to using AI content generators, don’t worry. We will be walking you through the entire process step-by-step.
ChatGPT is a game-changer for marketers and bloggers—in fact, pretty much anyone that does anything online, in fact, ChatGPT can even help you brainstorm. And although it might sound like AI will take everyone’s jobs, we should embrace AI technology and use it to create better content more quickly.
Before we jump into this topic, it’s worth noting here that it is highly likely that OpenAI will be adding a digital watermark to content generated by ChatGPT.
If you intend to publish this content online, you should either rewrite the output in your own words or use a more comprehensive AI writing tool like Jasper to write or rewrite the paragraphs for you, based on the outline and ideas generated by ChatGPT (and check out our thoughts on the future of white-collar work in the age of AI here)
Writing a blog post is somewhere ChatGPT can excel. But the thing is, it won’t simply produce the perfect blog post at the click of a button. ChatGPT needs detailed instructions to produce good content.
And of course, when it comes to creativity and original ideas, you will still need to add a human touch.
That being said, ChatGPT can be used for pretty much every part of the writing process when guided carefully by a human writer.
Often, blog articles are relatively short and focused pieces that center primarily around one topic. Because of this, Chat GPT will happily suffice for short blog posts on simple topics.
However, a higher standard can often be achieved by augmenting the process with Jasper’s AI writing capabilities.
Here’s how to use ChatGPT to write a blog post.
BRAINSTORM TOPICS AND TITLE IDEAS
Chat GPT has emerged as a useful brainstorming tool. It’s becoming increasingly popular with bloggers and copywriters to help them with writer’s block.
It offers a quick and convenient way of generating relevant topics and title suggestions. To get started, you must create a free account with OpenAI. There is a paid version available, too—ChatGPT Plus.
In this guide, we’re going to be using the free version, but you can use either.
Once you’re signed in, you can enter a prompt in the chat box at the bottom of the page. For example: “Generate 12 new topic ideas and titles for a dog training blog.”
If you’re happy with the generated text, you can move on to the next step. Alternatively, you can also ask ChatGPT to regenerate the response for more ideas.
USE CHATGPT TO HELP YOU WRITE A SOLID OUTLINE
Once you have established a topic, the next step is to use ChatGPT to write an outline for your blog post.
Doing this manually can be a time-consuming process. But the good news is, ChatGPT will make it a lot easier.
It will provide you with a detailed outline which you can then edit or add to yourself with your own ideas.
First, you will need to enter your command into ChatGPT.
Command example: Create a detailed outline for a blog post titled “Mastering Recall: Tips and Techniques for Training Your Dog to Come When Called”.
ChatGPT will then provide you with a detailed outline that you can tweak as needed.
Now that you’ve got an outline, you can either use ChatGPT, or another tool like Jasper to create content for each section of your blog post.
HOW TO USE CHATGPT TO HELP WRITE EACH SECTION OF YOUR BLOG POST
If you want to use ChatGPT to write a blog post, you’re going to need to break down what you want into different sections and categories. That way, you can ask ChatGPT to write each section for you as you go.
After that, you can piece them all together at the end to create a long-form blog post you can publish.
If you’re writing a shorter piece of content of up to 500 words, then technically, you could just ask it to write a whole blog post in one go.
However, in general, breaking this down into sections is the best way to go about this. This will ensure that the topic is covered thoroughly and in the appropriate order.
Doing this is also essential if you want to create long-form content.
ASK CHATGPT TO WRITE YOUR INTRODUCTION
A strong start to any blog post is a must. This is why you want to start by asking ChatGPT to write your introduction for you.
Ask ChatGPT to write an introduction to your blog post.
Example prompt:
Write an introduction for a blog post titled “Mastering Recall: Tips and Techniques for Training Your Dog to Come When Called”.
And here’s what ChatGPT generated based on that prompt:
As you can see, it has done a pretty good job in just a few seconds.
You can now tweak this introduction if required. This is a good time to add your own expertise and introduce yourself as an authority on the topic.
ENTER EACH SUBHEADING IN CHATGPT AS A QUESTION
The next step is to create content for each subheading detailed in your outline.
ChatGPT is designed to be an AI chatbot rather than exclusively an article writer. Because of this, it works well if you enter your prompts as questions.
If you make the headings within your article a question, then you can ask GPT to answer this question for you. Then you can use the answer it generates as a basis for each paragraph of your blog post.
So for the first subheading, “Explanation of the importance of recall training”, you would enter a prompt of “Explain the importance of recall training for dogs”.
ChatGPT will then respond to this prompt, providing another section of your blog post.
Note: If you intend to publish this content online, you should either rewrite the output in your own words. You could also use a more comprehensive tool like Jasper to write or rewrite the paragraphs for you, based on the outline created by ChatGPT.
Ending any blog post on a high is a great idea. Once you are certain your blog post has thoroughly covered the topic at hand, it’s time to close things off.
Simply ask ChatGPT to create a conclusion based on the topic you’re already writing about. You can even go one step further and ask it to include things like a call to action or next steps.
You might want to change things a little to ensure your brand and/or name is mentioned. However, asking ChatGPT to write you a conclusion paragraph gives you a solid starting point.
When you start by asking ChatGPT to write you a conclusion, it will tell you that it needs to know the topic of the blog and the main points you have mentioned in the post, so it can conclude your blog post accurately.
REVIEW AND EDIT YOUR BLOG POST
Just because ChatGPT (or indeed any AI writing software) has created a post for you, that doesn’t mean you should use it as it is. It’s important to thoroughly review and edit the content. Make sure that it reads well and keeps in line with your existing brand voice.
Most people won’t respond well to content they think has been auto-generated, so putting across your voice and ensuring that it sounds in line with the rest of your content is essential.
This is something that you should be double-checking in the review stage of your blog post.
FACT-CHECKING
ChatGPT’s knowledge generally ends in the latter part of 2021. This means that some of the facts it gives may be outdated and, therefore, inaccurate.
Before you publish a post, while you’re reviewing it, you should make sure that any facts mentioned are accurate and edit them if they’re not.
It’s all well and good having a well-written article, but if the information within it is inaccurate, it could destroy any trust you have built with your readers or audience.
Instead, spend some time checking all of the facts for yourself. This way, you can be sure that the content you are putting out there is going to be well received by its intended audience.
CHECK FOR PLAGIARISM WITH GRAMMARLY
While your text should be unique when generated with ChatGPT, that’s not always true. It’s always a good idea to double-check it. Grammarly is a popular free tool for checking spelling and grammar in written content, and it has a built-in plagiarism checker.
It’s worth spending a couple of minutes copying and pasting your AI-generated content into Grammarly’s Plagiarism Checker just to give it the once over before it goes live.
Overall, ChatGPT is a super useful tool for digital marketers and bloggers to have as part of their content creation toolkit.
You can use it for everything from blog writing to writing a meta description and even generating social media captions. It can also be used for keyword research and to help you generate new keyword ideas.
The main thing to bear in mind is that it’s likely that content generated with ChatGPT is watermarked or soon will be.
This means that Google and other search engines, along with AI content detection tools like Originality.ai, will usually be able to tell if your content is AI-generated.
However, that doesn’t mean you should dismiss ChatGPT altogether. But it does mean you need to be savvy and do what you can to get the most out of the tool.
Teaming up ChatGPT with other tools like Jasper can be a great way to get the most out of your content marketing efforts. This can also help you to get around the potential ‘Watermarking’ issues that you may come across in the future with Chat GPT.
ChatGPT isn’t really designed for long-form content writing, so you probably won’t use it to create entire blog posts in one go. However, there’s nothing to say that facility won’t come in the future. And there are already awesome courses like AI for blogging that are helping students profit from this new technology.
What it does is offer a quick and easy way to get blog post ideas, expand on ideas you already have, and even get an idea of what other people might be writing about within your niche.
You can then use the information you have gathered from ChatGPT in Jasper to create a unique, high-quality long-form blog post that you would be proud to publish on your platform.
Small and medium-sized businesses (SMBs) are increasingly becoming targets for cyber attacks. According to Verizon, about 61 percent of SMBs reported at least one cyber attack in 2021. Worse, Joe Galvin, chief research officer at Vistage, reported that about 60 percent of small businesses fold within six months of a cyber attack.
To protect your network from potential threats, you need a reliable and effective firewall solution. This tool will act as the first line of defense against unauthorized access and can help prevent malicious attacks from infiltrating a business’s network.
We reviewed the top SMB firewall solutions to help you determine the best one for your business.
Founded in 2018, Perimeter 81 is a cloud and network security company that provides organizations with a secure and unified platform for accessing and managing their applications and data.
It provides many security solutions, including firewall as a service (FWaaS), secure web gateway (SWG), zero trust network access (ZTNA), malware protection, software-defined perimeter, VPN-alternative and secure access service edge (SASE) capabilities, to ensure that data is secure and accessible to authorized personnel. It also provides centralized management and user access monitoring, enabling organizations to monitor and control user activity across the network.
Perimeter 81 provides granular access control policies that enable organizations to define and enforce access rules for their network resources based on the user’s identity, device type, and other contextual factors—making it easy for employees to access the company’s resources without compromising security.
Pricing
Pricing plans
Minimum users
Cost per month, plus gateway cost
Cost per year, plus gateway cost
Cloud firewall
Agentless application access
Device posture check
Essential
10
$10 per user, plus $50 per month per gateway
$8 per user, plus $40 per month per gateway
No
2 applications
No
Premium
10
$12 per user, plus $50 per month per gateway
$15 per user, plus $40 per month per gateway
10 policies
10 applications
3 profiles
Premium Plus
20
$16 per user, plus $50 per month per gateway
$20 per user, plus $40 per month per gateway
100 policies
100 applications
20 profiles
Enterprise
50
Custom quotes
Custom quotes
Unlimited
Unlimited
Unlimited
Features
Identity-based access for devices and users.
Network segmentation.
OS and application-level security and mutual TLS encryption.
Enable traffic encryption enforcement, 2FA, Single Sign-On, DNS filtering, and authentication.
Pros
Provides visibility into the company network.
Allows employee access from on-premise.
Automatic Wi-Fi security.
30-day money-back guarantee.
Cons
Low and mid-tiered plans lack phone support.
Limited support for Essential, Premium, and Premium Plus.
pfSense
Best open-source-driven firewall
pfSense is an open-source firewall/router network security solution based on FreeBSD. Featuring firewall, router, VPN, and DHCP servers, pfSense is a highly customizable tool that can be used in various network environments, from small home networks to large enterprise networks.
The tool supports multiple WAN connections, failover and load balancing, and traffic shaping, which can help optimize network performance. pfSense can be used on computers, network appliances, and embedded systems to provide a wide range of networking services.
Pricing
pfSense pricing varies based on your chosen medium—cloud, software, or hardware appliances.
For pfSense cloud:
pfSense on AWS: Pricing starts from $0.01 per hour to $0.40 per hour.
pfSense on Azure: Pricing starts from $0.08 per hour to $0.24 per hour.
The tool’s open-source version support is limited to community or forum. It lacks remote login support, private login support, a private support portal, email, telephone, and tickets.
Complex initial setup for inexperienced users.
Comodo Free Firewall
Best for Windows PCs
Comodo Firewall is a free firewall software designed to protect computers from unauthorized access and malicious software by monitoring all incoming and outgoing network traffic.
The firewall features packet filtering, intrusion detection and prevention, and application control. It also includes a “sandbox” feature that allows users to run potentially risky applications in a protected environment without risking damage to the underlying system.
The software works seamlessly with other Comodo products, such as Comodo Antivirus and Comodo Internet Security.
Pricing
Comodo is free to download and use. The vendor recommends adding its paid antivirus product (Comodo Internet Security Pro) to its firewall for added security. The antivirus costs $29.99 per year for one PC or $39.99 per year for three PCs.
Features
Auto sandbox technology.
Cloud-based behavior analysis.
Cloud-based allowlisting.
Supports all Windows OS versions since Windows XP (Note: Windows 11 support forthcoming).
Website filtering.
Virtual desktop.
Pros
Monitors in/out connections.
Learn user behavior to deliver personalized protection.
Real-time malware protection.
Cons
Lacks modern user interface.
Pop-up notifications—some users may find the frequent alerts generated by the software annoying and intrusive.
ManageEngine Firewall Analyzer
Best for log, policy, and firewall configuration management
It provides real-time visibility into network activity and helps organizations identify network threats, malicious traffic, and policy violations. It supports various firewalls, including Cisco ASA, Palo Alto, Juniper SRX, Check Point, SonicWall, and Fortinet.
Firewall Analyzer helps monitor network security, analyze the security posture of the network, and ensure compliance with security policies. It also provides reports, dashboards, and automated alerting to ensure the network remains secure.
Pricing
The amount you will pay for this tool depends on the edition you choose and the number of devices in your organization.
You can download the enterprise edition’s 30-day free trial to test-run it and learn more about its capabilities. It’s available in two versions: Windows OS or Linux. You can also download it for mobile devices, including iPhone devices and Android phones or tablets.
Standard Edition: Starts at $395 per device, up to 60 devices.
Professional Edition: Starts at $595 per device, up to 60 devices.
Enterprise Edition: Starts at $8,395 for 20 devices, up to 1,200 devices.
Regulatory compliance with standards such as ISO, PCI-DSS, NERC-CIP, SANS, and NIST.
Network behavioral anomaly alert.
Security reports for viruses, attacks, spam, denied hosts, and event summaries.
Historical configuration change tracking.
Bandwidth report for live bandwidth, traffic analyzer, URL monitor, and employee internet usage.
Compatible with over 70 firewall versions.
Pros
Excellent technical support.
Users praise its reporting capability.
In-depth auditing with aggregated database entries capability.
VPN and security events analysis.
Cons
Complex initial setup.
Users reported that the tool is occasionally slow.
Fortinet FortiGate
Best for hybrid workforces
Fortinet FortiGate is a network security platform that offers a broad range of security and networking services for enterprises of all sizes. It provides advanced threat protection, secure connectivity, and secure access control. It also provides advanced firewall protection, application control, and web filtering.
Business owners can use Fortinet’s super-handy small business product selector to determine the best tool for their use cases.
Small and mid-sized businesses may find the following FortiGate’s model suitable for their needs:
IPS
NGFW
Threat Protection
Interfaces
Series
FortiGate 80F
1.4 Gbps
1 Gbps
900 Mbps
Multiple GE RJ45 | Variants with PoE, DSL,3G4G, WiFi and/or storage
Multiple GE RJ45 | Variants with internalstorage | WiFi variants
FG-60F, FG-61F, FWF-60F, and FWF-61F
FortiGate 40F
1 Gbps
800 Mbps
600 Mbps
Multiple GE RJ45 | WiFi variants
FG-40F, FG-40F-3G4G, FWF-40F, FWF-40F-3G4G
Fortinet FortiGate is compatible with several operating systems and can easily be integrated into existing networks.
Pricing
Unfortunately, Fortinet doesn’t publish their prices. Reseller prices start around $335 for the FortiGate 40F with no support. Contact Fortinet’s sales team for quotes.
Features
Offers AI-powered security services, including web, content, and device security, plus advanced tools for SOC/NOC.
Continuous risk assessment.
Threat protection capability.
Pros
Top-rated firewall by NSS Labs.
Intrusion prevention.
Cons
According to user reviews, the CLI is somewhat complex.
Complex initial setup.
SonicWall TZ400 Security Firewall
Best for advanced threat protection
The SonicWall TZ400 is a mid-range, enterprise-grade security firewall designed to protect small to midsize businesses. It supports up to 150,000 maximum connections, 6,000 new connections per second, and 7×1-Gbe.
The TZ400 features 1.3 Gbps firewall inspection throughput, 1.2 Gbps application inspection throughput, 900 Mbps IPS throughput, 900 Mbps VPN throughput, and 600 Mbps threat prevention throughput.
Pricing
This product’s pricing is not available on the Sonicwall website. However, resellers such as CDW, Staples, and Office Depot typically sell it in the $1,000–$1,500 range. You can request a quote for your particular use case directly from Sonicwall.
Fast performance with gigabit and multi-gigabit Ethernet interfaces.
Protects against intrusion, malware, and ransomware.
High-performance IPS, VPN, and threat prevention throughput.
Efficient firewall inspection and application inspection throughput.
Cons
Support can be improved.
It can be difficult to configure for inexperienced users.
Cisco Meraki MX68
Best for small branches with up to 50 users
The Cisco Meraki MX68 is a security appliance designed for SMBs. It’s part of the Cisco Meraki MX series of cloud-managed security appliances that provide network security, content filtering, intrusion prevention, and application visibility and control.
The MX68 is equipped with advanced security features such as a stateful firewall, VPN, and intrusion prevention system (IPS) to protect your network from cyber attacks. The MX68 has a variety of ports and interfaces, including LAN and WAN ports and a USB port for 3G/4G failover. It also supports multiple WAN uplinks, providing redundancy and failover options to ensure your network remains online and available.
Pricing
The Cisco Meraki MX68 pricing isn’t listed on the company’s website, but resellers typically list it starting around $640. You can request a demo, free trial, or quotes by contacting the Cisco sales team.
Features
Centralized management via web-based dashboard or API.
Intrusion detection and prevention (IDS/IPS).
Next-generation layer 7 firewalls and content filtering.
SSL decryption/inspection, data loss prevention (DLP), and cloud access security broker (CASB).
Instant wired failover with added 3G/4G failover via a USB modem.
Pros
Remote browser isolation, granular app control, and SaaS tenant restrictions.
Support for native IPsec or Cisco AnyConnect remote client VPN.
Provides unified management for security, SD-WAN, Wi-Fi, switching, mobile device management (MDM), and internet of things (IoT)
Cons
The license cost is somewhat high.
Support can be improved.
Sophos XGS Series
Best for remote workers
Sophos XGS Series Desktop is a range of network security appliances designed to provide comprehensive protection for SMBs. These appliances combine several security technologies, including firewall, intrusion prevention, VPN, web filtering, email filtering, and application control, to provide a robust and integrated security solution.
Here’s a comparison table of the Sophos XGS series firewalls:
Firewall
TLS inspection
IPS
IPSEC VPN
NGFW
Firewall IMIX
Threat protection
Latency (64 byte UDP)
XGS Desktop Models
3,850 Mbps
375 Mbps
1,200 Mbps
3,000 Mbps
700 Mbps
3,000 Mbps
280 Mbps
6 µs
XGS 107 / 107w
7,000 Mbps
420 Mbps
1,500 Mbps
4,000 Mbps
1,050 Mbps
3,750 Mbps
370 Mbps
6 µs
XGS 116 / 116w
7,700 Mbps
650 Mbps
2,500 Mbps
4,800 Mbps
2,000 Mbps
4,500 Mbps
720 Mbps
8 µs
126/126w
10,500 Mbps
800 Mbps
3,250 Mbps
5,500 Mbps
2,500 Mbps
5,250 Mbps
900 Mbps
8 µs
136/136w
11,500 Mbps
950 Mbps
4,000 Mbps
6,350 Mbps
3,000 Mbps
6,500 Mbps
1,000 Mbps
8 µs
The Sophos XGS Series Desktop appliances are available in several models with varying performance capabilities, ranging from entry-level models suitable for small offices to high-performance models suitable for large enterprises. They are designed to be easy to deploy and manage, with a user-friendly web interface and centralized management capabilities.
Pricing
Sophos doesn’t advertise the pricing for their XGS Series Desktop appliances online, but they typically retail starting at about $520 from resellers.
Potential customers are encouraged to request a free trial and pricing information by filling out a form on the “Get Pricing” page of their website.
Features
Centralized management and reporting.
Wireless, SD-WAN, application aware routing, and traffic shaping capability.
SD-WAN orchestration.
Advanced web and zero-day threat protection.
Pros
Zero-touch deployment.
Lateral movement protection.
Users find the tool scalable.
Cons
Performance limitations.
Support can be improved.
Protectli Vault – 4 Port
Best for building your own OPNsense or pfSense router and firewall
The Protectli Vault is a small form-factor network appliance designed to act as a firewall, router, or other network gateway. The 4-Port version has four gigabit Intel Ethernet NIC ports, making it ideal for SMB or home networks.
The device is powered by a low-power Intel processor and can run a variety of open-source firewall and router operating systems, such as pfSense, OPNsense, or Untangle. It comes with 8GB DDR3 RAM and up to 32GB DDR4 RAM.
The Protectli Vault is designed to be fanless, silent, and compact, making it ideal for use in the home or office environments where noise and space may be an issue. It’s also designed to be energy-efficient, consuming only a few watts of power, which can save businesses considerable amounts of money on energy costs over time.
Pricing
The amount you will pay for this tool depends on the model you select and your desired configuration. The rates below are starting prices; your actual rate may vary based on your configuration. Note that all these items ship free to U.S. addresses.
VP2410 – 4x 1G Port Intel J4125: Starts at $329.
VP2420 – 4x 2.5G Port Intel J6412: Starts at $379.
FW4B – 4x 1G Port Intel J3160: Starts at $269.
FW4C – 4x 2.5G Port Intel J3710: Starts at $289.
Features
Solid-state and fanless tool.
Provides 2.5 GB ports unit.
AES-NI, VPN, and coreboot options.
Pros
A 30-day money-back guarantee.
Transparent pricing.
Coreboot support.
CPU supports AES-NI.
Cons
Steep learning curve.
OPNSense
Best for flexibility
OPNsense is a free and open-source firewall and routing platform based on the FreeBSD OS. It was forked from the popular pfSense and m0n0wall project in 2014 and was officially released in January 2015.
OPNsense provides a modular design that allows users to easily add or remove functionality based on their needs.
OPNsense is popular among IT professionals and network administrators who need a flexible and customizable firewall and routing platform that they can tailor to their specific needs. It’s also a good choice for small businesses and home users who want to improve their networks’ security without spending a lot of money on commercial solutions.
VPN (site-to-site and road warrior, IPsec, OpenVPN, and legacy PPTP support).
Built-in reporting and monitoring tools, including RRD Graphs.
Pros
Free, open source.
Traffic shaper.
Support for plugins.
Multi-language support, including English, Czech, Chinese, French, German, Italian, Japanese, Portuguese, Russian, and Spanish.
Cons
Reporting capability can be improved.
The interface can be improved.
Key features of SMB firewalls
Firewalls designed for SMBs share many of the same characteristics as their enterprise-grade cousins—such as firewall rule and policy configuration, content filtering, reporting and analytics—while placing additional emphasis on affordability and ease of use.
Firewall rules and policies
Administrators should be able to set up firewall rules and policies that control traffic flow and block or permit traffic based on various criteria, such as source/destination IP addresses, ports, and protocols.
These rules and policies can be used to control the types of applications, services, and data that are allowed to traverse the network, as well as create restrictions on access.
Firewall rules and policies are essential to the security of a network, as they provide the first line of defense against malicious attacks.
Content filtering
Content filtering is the process of blocking or restricting certain types of content from entering or leaving a network. It can be used to block websites, applications, or data that may contain malicious or unwanted content, such as malware, viruses, or pornographic material.
Content filtering is typically implemented using a combination of hardware and software solutions. Hardware solutions, such as routers and switches, can be configured to block certain types of traffic or data or to restrict access to certain websites or applications. Software solutions, such as firewall rules and policies, can also be used to block or restrict certain types of content.
Reporting and analytics
Reporting and analytics are essential for any business network, as they provide important insights into the health and security of the network. Firewall reporting and analytics features allow network administrators to identify trends, detect potential threats, and analyze the performance of the network over time.
Reporting and analytics can also be used to identify any areas of the network that may be vulnerable to attack, as well as identify any areas where the network may not be performing optimally.
Affordability
For SMBs, affordability is a key factor when it comes to purchasing a firewall. SMB firewalls are typically more affordable than enterprise firewalls and can be purchased for as little as a few hundred dollars, so it is important to consider your budget when selecting a firewall.
Some SMB firewalls offer additional features for a fee, so consider what features are necessary for your network and the ones you can do without, as this will help you decide on the most cost-effective firewall solution. At the same time, be careful not to cut corners—your business’s data is too important to be insufficiently protected.
Ease of use and support
For SMBs, finding a firewall solution that is easy to use and has good support is essential. Firewalls should be easy to configure and manage so the network administrator can quickly and easily make changes as needed.
Additionally, good support should be available for any issues or questions that arise. This support should include an online knowledge base and access to technical support staff that can assist with any questions or problems, ideally 24/7.
How to choose the best SMB firewall software for your business
When shopping for the best SMB firewall software for your business, look for software that offers the features you need, easy installation and management, scalability to grow with your business, minimal impact on network performance, and an affordable price.
It’s also important to choose a vendor with a good reputation in the industry, backed up by positive reviews and customer feedback.
Frequently asked questions (FAQs)
What is an SMB firewall?
An SMB firewall is a type of network security device that is designed specifically for small and medium-sized businesses. It’s used to protect networks from unauthorized access, malicious attacks, and other security threats.
What features should I look for in an SMB firewall?
Above all you need a solution with a strong security profile. Look for specific security measures such as:
Intrusion prevention
Content filtering
Malware protection
Application control
Traffic shaper
Other factors to consider include ease of management, scalability, and cost.
Do small businesses need a firewall?
Yes, small businesses need a firewall. It provides an essential layer of network security that helps protect against unauthorized access, malware, and other security threats. Without a firewall, small businesses are vulnerable to attacks that could compromise sensitive data, cause network downtime, and damage their reputation.
How much does a firewall cost for SMBs?
The cost of an SMB firewall can vary widely depending on the features, capabilities, and brand of the firewall. Generally, SMB firewalls can range in price from a few hundred to several thousand dollars.
How many firewalls do you need for a small business?
The number of firewalls needed for a small business will depend on the size and complexity of the network. In many cases, a single firewall may be sufficient to protect the entire network. However, in larger networks, it may be necessary to deploy multiple firewalls to provide adequate protection.
Factors such as network segmentation, geographic location, and compliance requirements may also influence the number of firewalls needed. It’s best to consult with a network security expert to determine the appropriate number of firewalls for your small business.
Methodology
We analyzed dozens of SMB firewall software and narrowed down our list to the top ten. We gathered primary data—including pricing details, features, support, and more—from each tool provider’s website, as well as third-party reviews. We selected each software based on five key data points: security, ease of use, affordability, quality of service, and user satisfaction.
Bottom line: Choosing an SMB firewall
The solutions we evaluated are some of the best SMB firewalls currently available on the market. They are designed to provide SMBs with advanced security features, easy management, and scalability at affordable rates.
