Trouble with SophosWebIntelligence.bundle

Hi jayboyd,

Its difficult for me to comment on the internal behavior or implementation choices of the Little Snitch product, but I can definitely share with you exactly how our product works. Here goes:

We install a kernel extension (kext) to trap outgoing TCP connections from specific processes (we look for browsers and things like curl). Our kext is going to intercept the outgoing connect() call. In programmer-speak, connect() is the API responsible for initiating a connection from your computer to somewhere else on the network. For a connect() that is destined to leave your computer, we rewrite the destination such that instead of connecting remotely we tell it to connect locally, specifically to the SophosWebIntelligence daemon.

When the SWID receives the connection, it determines the real destination, extracts the URL from the data sent by the browser, and does two things: (1) starts its own connect() to that remote server, and (2) does a lookup to our services to identify reputation of its IP address and the URL used in the browser. Its actually SophosSXLD that does this lookup on behalf of SWID.

Then SWID will receive data from the remote server, scan its content to ensure we don't believe you are downloading malicious content, and if everything is ok (checks for the IP address and URL were favorable, and the content is clean) then we send the content on to the browser. Its actually SophosScanD which is doing the scanning.

If any of the checks fail we terminate the connection to the remote server and instead send the browser our own HTML to explain the blocked condition.

Hope that helps explain our side of it. Maybe you can get the Little Snitch guys to give you a similar explanation.

Hi jayboyd,

Its difficult for me to comment on the internal behavior or implementation choices of the Little Snitch product, but I can definitely share with you exactly how our product works. Here goes:

We install a kernel extension (kext) to trap outgoing TCP connections from specific processes (we look for browsers and things like curl). Our kext is going to intercept the outgoing connect() call. In programmer-speak, connect() is the API responsible for initiating a connection from your computer to somewhere else on the network. For a connect() that is destined to leave your computer, we rewrite the destination such that instead of connecting remotely we tell it to connect locally, specifically to the SophosWebIntelligence daemon.

When the SWID receives the connection, it determines the real destination, extracts the URL from the data sent by the browser, and does two things: (1) starts its own connect() to that remote server, and (2) does a lookup to our services to identify reputation of its IP address and the URL used in the browser. Its actually SophosSXLD that does this lookup on behalf of SWID.

Then SWID will receive data from the remote server, scan its content to ensure we don't believe you are downloading malicious content, and if everything is ok (checks for the IP address and URL were favorable, and the content is clean) then we send the content on to the browser. Its actually SophosScanD which is doing the scanning.

If any of the checks fail we terminate the connection to the remote server and instead send the browser our own HTML to explain the blocked condition.

Hope that helps explain our side of it. Maybe you can get the Little Snitch guys to give you a similar explanation.