
Trouble with SophosWebIntelligence.bundle

I am using a Mac, OS 10.6.8.

Yesterday Sophos Anti-Virus updated to 9.0.1 - but seems to have also installed at the same time SophosWebIntelligence.bundle

Now whenever I use the internet (Safari) numerous request popups show to allow or disallow connections.

I have Little Snitch installed and those connection requests seem not to show anymore: they were far fewer than what now shows as SophosWebIntelligence.bundle

The issues are:

For some reason I no longer have access to Google search. Of course I didn't deny a Google connection, and Google was already set under Little Snitch as always connect.

The internet has become I would guess 10 times slower; it's almost a snail's pace.

I can't find the preference details for the SophosWebIntelligence.bundle - I assume it is like Little Snitch, where any access denied can be undone or permanent access set.

There is now an excess of deny or accept popups for every page I visit - the obvious ones of course I allow but some are vague. There can be around 10 per page.

Any ideas how to solve these points would be welcome.

:1017909


This thread was automatically locked due to age.
  • So I'm trying to understand how each product works. It seems that the combo of both is *necessary* to see *all* connections to host servers.

    When I had WIB turned on, with LS3, I would see tons of server connections attempted, which I could approve/deny/edit in LS3. *If* I was using Chrome (but, curiously, not Safari), these would show up as LS3 rules for SophosWebIntelligence.bundle. (Safari connections simply show up as Safari). 

    However, if I add a catch-all rule to LS3 allowing all outgoing connections to WIB, then I never get asked again about individual connections (by either product). Am I missing something or does WIB basically not let the user choose when to accept connections? If it is doing any filtering at all, what are its criteria? I don't see this explained anywhere. I'm not just interested in known bad URLs or detecting bad heuristic patterns in data, but custom (think TAO) data being passed to unknown servers, which is the benefit of LS3. 

    Lastly, if I turn off WIB, LS3 seems only interested in base URL requests, which is virtually useless imho. (I can ask them on their forums about this, but still sanity checking here). Of course I know that if I navigate to google.com, my browser is going to request a connection with google.com. I'm much more interested in the half dozen other servers any given page may connect to.

    So it does seem like the most secure (and by far most annoying) approach is to turn on WIB, not allow a single rule to allow all traffic, and then use LS3 to selectively allow/deny every single connection made. 

    My use case is trying to determine as much as possible that no unaccounted for traffic is leaving my machine. Of course, this means investigating a LOT of unknown hostnames. Many look like legit CDNs or CA servers, etc. Some I can't identify and block, most of the time without impacting browsing (though in some cases, blocked ad networks will prevent loading video content and the like). 

    Any corrections to my assumptions, or pointers to a better approach are appreciated :)

    :1018507