Sophos AV blocks server-sent events (SSE) on Mac OS X Yosemite

This took me a long time to figure out, so I'm posting here in the hopes that Google searches save the next victim, or that Sophos can do a fix.

I was testing a website with Server-Sent Events, i.e. EventSource events sent from a CGI script to my browser. Everything worked fine when both the server and browser were on my computer. But when I tried to connect to the production browser, I was unable to receive events; all browsers simply hung.

After some testing, I realized it was Sophos.  Specifically, turning off "General / Web Protection / Block Malicious Downloads.." fixed the problem.

Sophos needs to be fixed so that it does not do blocking read/write of HTTP data with stream headers with

   Content-Type: text/event-stream

I'm not sure how it's blocking; it might be due to internal buffering sizes being too big or some other problem.

Here's a test site:

http://neutrino.otterbein.edu/~tagg/streamtest/test.cgi

This SHOULD print the time four times immediately, then print the time every 5 seconds thereafter. 

And here's the code sending it:

#!/usr/bin/perl -w
use IO::Handle qw( );  # For flush
use Time::HiRes qw(usleep nanosleep gettimeofday);

# SSE response headers
print "Content-Type: text/event-stream\r\n";
print "Cache-Control: no-cache\r\n";
print "\r\n";

# Four events sent immediately, each flushed as soon as it is written
print "data: " . localtime() . "\n\n"; STDOUT->flush();
print "data: " . localtime() . "\n\n"; STDOUT->flush();
print "data: " . localtime() . "\n\n"; STDOUT->flush();
print "data: " . localtime() . "\n\n"; STDOUT->flush();

# Then one event every 5 seconds, indefinitely
while (1) {
  sleep(5);
  print "data: " . localtime() . "\n\n";
  STDOUT->flush();
}

Since I have users who I know use Sophos, I would be really happy if this could be fixed ASAP. Thanks!



This thread was automatically locked due to age.
  • Yes, you're right.  SSE events are blocked by the "Block malicious downloads" feature of Sophos Anti-Virus.

    Our scanner needs the entire response, so we must wait until the HTTP response is complete before allowing the browser to see it.  SSE works incrementally, and the response may never complete.

    We have explicit support for bypassing scanning of streaming audio and some video sites.  While we could allow immediate access to 'text/event-stream' content as you suggest, this needs careful consideration and work to ensure that it doesn't compromise the security of our customers.  I will raise a ticket to propose adding support for SSE to a future release.

    I'll point out that Long Polling and WebSockets are alternatives to SSE, and both should work just fine with our web protection feature.

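The reply above says the scanner holds the response until it is complete, which for SSE may be never. As an added example (not code from the thread or from Sophos), this Python block reproduces the effect over a local socket pair: `origin` is a constructed stand-in for the CGI script, `hold_until_complete` is an assumed model of the scanner, and `looks_buffered` is a hypothetical arrival-time check for spotting the same symptom.

```python
import socket, threading, time

HEAD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/event-stream\r\n"
        b"Cache-Control: no-cache\r\n\r\n")

def origin(sock, n_events, gap):
    """Constructed stand-in for the CGI script: n_events, gap seconds apart."""
    sock.sendall(HEAD)
    for i in range(n_events):
        sock.sendall(b"data: tick %d\n\n" % i)
        time.sleep(gap)
    sock.close()  # only now is the HTTP response "complete"

def client_view(n_events, gap, hold_until_complete):
    """Return [(seconds_since_request, data)] for each event the client sees.

    hold_until_complete=True is an assumed model of a scanner that releases
    nothing until the whole response has arrived.
    """
    a, b = socket.socketpair()
    start = time.monotonic()
    threading.Thread(target=origin, args=(a, n_events, gap), daemon=True).start()
    f = b.makefile("rb")
    while f.readline() not in (b"\r\n", b""):
        pass  # skip status line and headers
    # Held: read to EOF first. Streaming: hand over each line as it arrives.
    lines = f.read().splitlines(keepends=True) if hold_until_complete else f
    seen, data = [], []
    for line in lines:
        if line.startswith(b"data: "):
            data.append(line[6:].rstrip(b"\n").decode())
        elif line == b"\n" and data:  # a blank line dispatches the event
            seen.append((time.monotonic() - start, "\n".join(data)))
            data = []
    f.close()
    b.close()
    return seen

def looks_buffered(seen, gap):
    """Events sent `gap` apart that all arrive together were held on the path."""
    return len(seen) > 1 and seen[-1][0] - seen[0][0] < gap / 2

if __name__ == "__main__":
    for held in (False, True):
        seen = client_view(3, 0.3, held)
        print(held, [round(t, 1) for t, _ in seen], looks_buffered(seen, 0.3))
```
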
  • Is there any progress on that topic? We developed a web application using Server Sent Events and as we tried it out on Windows machines in our institute, we saw that SSE messages are held back by Sophos and only delivered when the connection is closed. Because SSEs are a modern HTML5 feature and perfectly suit our requirements for our application, we don't want to go back to long polling or websockets. I would really like to know if we can expect any changes in the near future. Thank you.

  • We are planning to implement SSE for one of our web applications. Will Sophos block text/event-stream over HTTPS as well? Do we have a workaround? Can we bypass a particular domain from getting blocked by "Block malicious downloads" feature of Sophos Anti-Virus?

    We do not want to go the Long Polling and WebSockets route.

  • Over HTTPS should be fine.