The issue is not only that users will browse the internet and possibly download malware; another great concern is that anyone can set up their own TOR proxy, and as the traffic gets decrypted at that proxy, the admin for that proxy could potentially perform a man-in-the-middle attack and intercept that data or take over the session as the user. Now the end user is putting in jeopardy not only the security of the company but also themselves if they are logging into their bank accounts, personal emails, etc.
My main concern is that there is no way you can obtain an accurate active list of TOR proxy servers, since anyone at any time can set one up. The only resolution I can think of is to somehow filter out 443 data, then perform a Whois on the external destination IPs and determine whether there is a business need to visit them; if not, we can block anyone going to that external IP, investigate the system for the possibility of a TOR application running on it, and remove it.
Going in this direction would create a tremendous amount of work that will result in potentially missing legitimate network intrusions, callbacks to known malicious sites, etc. I hope that those of you who currently have something in place for this will share your solution, and that those who don't have this problem but have ideas will share them.
Thank you in advance.
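
The triage described in the post (isolate 443 traffic, then review external destinations that lack a business need), as an added example that is not part of the original post. The flow-record format, the allowlist and every address are constructed assumptions; the Whois lookup stays with the analyst, so the script only produces the review list.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: "src_ip dst_ip dst_port" (not real traffic).
SAMPLE_FLOWS = """\
10.0.0.5 198.51.100.7 443
10.0.0.5 198.51.100.7 443
10.0.0.9 203.0.113.20 443
10.0.0.5 203.0.113.77 80
10.0.0.12 192.0.2.44 443
10.0.0.12 192.0.2.44 443
10.0.0.12 192.0.2.44 443
malformed line
"""

# Hypothetical allowlist of networks with a documented business need.
BUSINESS_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def review_queue(flow_text, allowed_nets, port=443):
    """Return [(dst_ip, connection_count, sorted_sources)] for destinations
    on `port` that fall outside the allowlist, busiest first."""
    hits = defaultdict(lambda: [0, set()])
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records instead of aborting the run
        src, dst, dport = parts
        try:
            ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            continue  # unparseable address or port
        if dport != port or any(dst_ip in net for net in allowed_nets):
            continue
        hits[dst][0] += 1      # connection count per destination
        hits[dst][1].add(src)  # internal hosts to investigate
    rows = [(dst, n, sorted(srcs)) for dst, (n, srcs) in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for dst, count, sources in review_queue(SAMPLE_FLOWS, BUSINESS_NETS):
        print(f"{dst}\t{count} connections\tfrom {', '.join(sources)}")
```

Each row names an external IP still awaiting a Whois and business-need decision, together with the internal hosts that would need to be checked if it is blocked.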