
Trouble with SophosWebIntelligence.bundle

I am using Mac OS 10.6.8

Yesterday Sophos Anti-Virus updated to 9.0.1 - but it seems to have also installed SophosWebIntelligence.bundle at the same time.

Now whenever I use the internet (Safari) numerous request popups show to allow or disallow connections.

I have Little Snitch installed and those connection requests seem not to show anymore: they were far fewer than what now shows as SophosWebIntelligence.bundle.

The issues are:

For some reason I no longer have access to Google search. Of course I didn't deny a Google connection, and Google was already set under Little Snitch as always connect.

The internet has become I would guess 10 times slower; it's almost a snail's pace.

I can't find the preference details for the SophosWebIntelligence.bundle - I assume it is like Little Snitch, where any access denied can be undone or permanent access set.

There is now an excess of deny or accept popups for every page I visit - the obvious ones of course I allow, but some are vague. There can be around 10 per page.

Any ideas how to solve these points would be welcome.




  • nevets wrote:

    I am using Mac OS 10.6.8

    Yesterday Sophos Anti-Virus updated to 9.0.1 - but seems to have also installed at the same time SophosWebIntelligence.bundle...

     ...Any ideas how to solve these points would be welcome.


    Try opening Sophos Preferences (use the pull-down menu on the menu bar), click on Web Protection, and turn off both services in the Web Protection panel.

  • Thank you Regular Advisor. I switched off the two options in the Web Protection panel, went to google - which accessed fine, then switched the options back on again and it seems fine.

    I have Little Snitch installed and that used to have pop-ups when visiting web pages, asking to deny or accept. These pop-ups have now switched to SophosWebIntelligence.bundle ones. There are many more of these than with Little Snitch, which now seems inactive. I no longer know which to accept or deny due to some really obscure titles. Where I had 1 or 2 pop-ups with Little Snitch, there can be up to 10 to 20 with SophosWebIntelligence.bundle for a single webpage. I liked the easy-to-decide Little Snitch pop-ups, as they have the site name, so they are easy to distinguish. Any ideas how to get back to the original pop-ups?

  • I don't use Little Snitch so I can't speak to how it and Sophos might interact. But Sophos Web Protection has a lot going on while you surf. This thread goes into the Sophos screening process and what the outbound traffic involves. One key idea is that while you may be visiting a single web page, that page is often made up of a variety of components which require reaching out to a lot of other locations to populate the web page and for other purposes. Sophos is checking them, too.

    That makes a lot of sense ZRL1, I appreciate the reply; I think that pop-ups are showing for every external element of every webpage visited, where previously they only showed for the webpage itself.

    I was trying to find the rules within SophosWebIntelligence.bundle, but SophosWebIntelligence.bundle seems to have hijacked Little Snitch and puts SophosWebIntelligence.bundle as the title of the pop up instead of the previous title of Little Snitch.

    Now looking at the rules in Little Snitch, the number of accept and deny requests is in the hundreds under SophosWebIntelligence. Not sure how all that came about. Previously any element would only have one or two.

    I found some thread here recommending setting new rules in Little Snitch to allow all connections on port 443 and port 80, but there was no conclusion as to whether that was safe or not.

    It certainly is confusing.


  • nevets wrote:
    ...It certainly is confusing.

    You heard it here first: nothing is ever simple.

    Well, Little Snitch was simple; now it seems to have been hijacked by SophosWebIntelligence.bundle. The number of deny and accept rules building up under the heading SophosWebIntelligence.bundle is ridiculous.

    Apple forums advise getting rid of Sophos. This seems to be the advice for almost every enquiry on the subject, not what to do to resolve matters.

    Well, one has to go unless there is a solution, either Little Snitch or SophosWebIntelligence.bundle. What I can't understand is why make a program that interferes so dramatically with others. Until the recent upgrade Sophos was far better than any antivirus program I have bought.

  • First, remember that I'm just a user like you, so all I can offer is an opinion.

    If I correctly understand your problem, the pop-ups are being generated by Little Snitch in response to the additional traffic being generated by Sophos Web Protection, and there are more pop-ups with Web Protection active because Sophos is checking out all of the links hidden and embedded in the web page (which can be quite a few; e.g., I just clicked on AccuWeather and the Firefox extension Request Policy blocked it from reaching out to brightcove, quantserv, scorecardresearch, doubleclick and four more). While I suspect all of them are "legitimate," if unnecessarily nosy, at least they aren't dangerous.

    But I keep getting emails passed through Verizon's spam filters (without being stopped) offering free ADT Home protection, High Quality Printer ink, 10 days to a new language, etc., which, when I check out the source IP address in the header I find they're from Ghana. Yesterday it was the Russian Federation. That's a long drive for a home alarm installation.

    The point being what appears in your web browser (or a link in your email) may not be what it appears to be and even if it initially is, one or more of the elements in it may be the result of hacking so that you get routed to a malicious web connection without your knowledge. It's my understanding that Web Protection inspects them all. Note that in the interest of Surfing Security© I use Firefox with a bunch of extensions that initially interfere with javascript, external connection requests, cookies, tracking and otherwise, ad blocking, and "supercookies". It takes some time to find the combination of permissions that let a webpage work and sometimes I have to switch to a different browser altogether if the connection must be made.

    So trying to stay secure and reasonably private on the web is a tradeoff between convenience and security and how much hassle anyone is willing to accept is a very individual choice. Little Snitch warns you something is happening while Sophos would warn you if that something is risky but it has to check all the "somethings" first.

    I'd go with active rather than passive security. But that's just me.


  • nevets wrote:

    Well, Little Snitch was simple; now it seems to have been hijacked by SophosWebIntelligence.bundle. The number of deny and accept rules building up under the heading SophosWebIntelligence.bundle is ridiculous.

    Apple forums advise getting rid of Sophos. This seems to be the advice for almost every enquiry on the subject, not what to do to resolve matters.

    Well, one has to go unless there is a solution, either Little Snitch or SophosWebIntelligence.bundle. What I can't understand is why make a program that interferes so dramatically with others. Until the recent upgrade Sophos was far better than any antivirus program I have bought.


    Hi nevets,

    Both programs are operating as intended, even if it seems annoying. The Web Protection feature acts as a local proxy: it filters the web traffic between your web browser and the rest of the internet. Little Snitch likes to tell you about every program that accesses the network, including ours. It's a nice program (assuming you understand what it's trying to tell you) but it can also be very noisy.

    I can't tell you which is better because "better" is a very subjective measurement. Our software is actively filtering internet traffic and only tells you when it's found something really bad. We are trying to make your life easier by remaining silent until it's time to block something. The goal of Little Snitch is quite different - when run in a non-silent mode, it will show you everything in incredible detail.

    Hope that helps explain what you are seeing.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Since all regular traffic will be passing through the WIB, instead of through the browser rules in Little Snitch, you need to create separate "Always allow" rules in Little Snitch for the WIB, both for port 80 and port 443. Set like this, I have no problems using the WIB. You will stop getting a multitude of separate prompts.

    [Attached screenshot: Screen Shot 2014-06-17 at 10.48.18 AM.png]

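An added example (not from this thread, from Sophos or from Little Snitch) that makes Bob's "local proxy" explanation and the port 80/443 rule advice above concrete: feed it the output of `lsof -nP -iTCP -sTCP:ESTABLISHED` on the Mac and it tallies established TCP connections per process. When the WIB is proxying, the browser's sockets all point at loopback while the external hosts are opened by the Sophos process, which is exactly why per-browser Little Snitch rules stop matching and the WIB needs its own rules. The sample below is constructed; the process names, PIDs, addresses and the loopback proxy port 3128 are placeholders, not the real WIB values.

```python
import re
from collections import Counter, namedtuple

# Constructed sample of `lsof -nP -iTCP -sTCP:ESTABLISHED` output. Process names
# (incl. the truncated "SophosWeb"), PIDs, addresses and port 3128 are made up.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari    512 nevets 23u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:50112->127.0.0.1:3128 (ESTABLISHED)
Safari    512 nevets 24u  IPv4 0x1a2c      0t0  TCP 127.0.0.1:50117->127.0.0.1:3128 (ESTABLISHED)
SophosWeb 301 nevets 14u  IPv4 0x2c3d      0t0  TCP 192.0.2.10:50113->93.184.216.34:443 (ESTABLISHED)
SophosWeb 301 nevets 15u  IPv4 0x2c3e      0t0  TCP 192.0.2.10:50114->203.0.113.5:443 (ESTABLISHED)
SophosWeb 301 nevets 16u  IPv4 0x2c3f      0t0  TCP 192.0.2.10:50115->203.0.113.6:80 (ESTABLISHED)
Chrome    777 nevets 40u  IPv4 0x3d4e      0t0  TCP 192.0.2.10:50116->198.51.100.7:443 (ESTABLISHED)
"""

Conn = namedtuple("Conn", "cmd pid remote_host remote_port")

# One ESTABLISHED TCP line: command, pid, then the NAME column "local->remote".
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+.*?\bTCP\s+\S+->(?P<remote>\S+)\s+\(ESTABLISHED\)"
)

def parse_connections(lsof_text):
    """Return one Conn per established TCP line; the header and other lines are skipped."""
    conns = []
    for line in lsof_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, _, port = m.group("remote").rpartition(":")  # also handles "[::1]:443"
        conns.append(Conn(m.group("cmd"), int(m.group("pid")), host.strip("[]"), int(port)))
    return conns

def tally_by_process(conns):
    """Count connections per (process, remote port): the shape a per-app firewall sees."""
    return Counter((c.cmd, c.remote_port) for c in conns)

def talks_only_to_loopback(conns, cmd):
    """True when every connection of `cmd` goes to localhost, i.e. it is being proxied."""
    mine = [c for c in conns if c.cmd == cmd]
    return bool(mine) and all(c.remote_host in ("127.0.0.1", "::1") for c in mine)

def hosts_opened_by(conns, cmd):
    """External hosts the named process itself connects to (what the proxy fans out to)."""
    return sorted({c.remote_host for c in conns if c.cmd == cmd and not c.remote_host.startswith("127.")})

if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LSOF)
    print(tally_by_process(conns), talks_only_to_loopback(conns, "Safari"))
```

Run it against real output by replacing SAMPLE_LSOF with `subprocess.check_output(["lsof", "-nP", "-iTCP", "-sTCP:ESTABLISHED"], text=True)`.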
  • So I'm trying to understand how each product works. It seems that the combo of both is *necessary* to see *all* connections to host servers.

    When I had WIB turned on, with LS3, I would see tons of server connections attempted, which I could approve/deny/edit in LS3. *If* I was using Chrome (but, curiously, not Safari), these would show up as LS3 rules for SophosWebIntelligence.bundle. (Safari connections simply show up as Safari). 

    However, if I add a catch-all rule to LS3 allowing all outgoing connections to WIB, then I never get asked again about individual connections (by either product). Am I missing something or does WIB basically not let the user choose when to accept connections? If it is doing any filtering at all, what are its criteria? I don't see this explained anywhere. I'm not just interested in known bad URLs or detecting bad heuristic patterns in data, but custom (think TAO) data being passed to unknown servers, which is the benefit of LS3. 

    Lastly, if I turn off WIB, LS3 seems only interested in base URL requests, which is virtually useless imho. (I can ask them on their forums about this, but still sanity checking here.) Of course I know that if I navigate to google.com, my browser is going to request a connection with google.com. I'm much more interested in the half dozen other servers any given page may connect to.

    So it does seem like the most secure (and by far most annoying) approach is to turn on WIB, not allow a single rule to allow all traffic, and then use LS3 to selectively allow/deny every single connection made. 

    My use case is trying to determine as much as possible that no unaccounted for traffic is leaving my machine. Of course, this means investigating a LOT of unknown hostnames. Many look like legit CDNs or CA servers, etc. Some I can't identify and block, most of the time without impacting browsing (though in some cases, blocked ad networks will prevent loading video content and the like). 

    Any corrections to my assumptions, or pointers to a better approach are appreciated :)
