Hi all,

HTTPS inspection is being enabled by default for devices in the EAP now that the roll-out has finished (both Endpoint and Server).

When users visit websites via browsers the Sophos endpoint will decrypt HTTPS network traffic for the purposes of applying your Threat Protection policy. This decryption allows for deeper and more complete protection, and is recommended for best protection. This inspection technique may, under some circumstances, interfere with successful browsing activity, including for internal websites.

Controls for enabling or disabling HTTPS inspection can be found in Sophos Central under the Global Settings page, in the Endpoint Protection section.

Look for the option “SSL/TLS decryption of HTTPS websites”. This new page offers important controls for managing the HTTPS inspection policy: 

  • enable or disable HTTPS inspection
  • optionally exclude HTTPS inspection for websites in specific categories
  • optionally exclude HTTPS inspection for specific websites based on their domain or IP address

There are a few important reasons you may wish to modify those settings:

  • websites which rely upon client certificates as part of authentication will not work by default, and will require an exclusion by hostname or IP address
  • websites using outdated and insecure encryption algorithms will not be accessible by default, and will require an exclusion by hostname or IP address
  • websites using certificates generated by a root Certificate Authority not recognized by Windows may require an exclusion by hostname or IP address

Several additional situations merit mention:

  • websites using self-signed certificates will require users to approve access in their browsers, or re-approve access if done previously
  • Firefox users may encounter problems unless the option “security.enterprise_roots.enabled” is set in their browser

There will be further updates to enhance the feature over the next few months before we start releasing it to devices outside of the Early Access Program. 

Please review the devices you have enrolled in the Early Access Programs and, based on the information above, consider if you need to remove any or make any exclusions via the Settings page.

As always, we welcome your feedback about this enhancement and ask that you provide details of your experience so that we can continue to improve the features and your experience of the product.

Regards,

Stephen
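An added example, not part of Stephen's post or of the Sophos product: a PowerShell readiness check an admin can run on a Windows endpoint enrolled in the EAP. It probes a list of hostnames and reports the certificate issuer the endpoint actually sees, so sites that are being decrypted, passed through, or failing the handshake (client-certificate sites, servers limited to outdated cipher suites) can be identified and added to the exclusion list; it then checks whether Firefox is configured to trust enterprise roots, which is the policy form of the "security.enterprise_roots.enabled" setting mentioned above. It assumes the inspection CA's subject contains "Sophos" (adjust to the CA actually installed on your endpoints) and uses constructed placeholder hostnames.

```powershell
# Added example (not from the original post): HTTPS inspection readiness check.
# Assumptions: the inspection CA subject contains 'Sophos' (adjust as needed) and the
# hostnames below are constructed placeholders, not real sites.

$InspectionIssuerPattern = 'Sophos'          # assumed; match against the inspection CA subject
$HostsToCheck = @(
    'intranet.example.internal',             # constructed: internal site
    'clientcert.example.internal',           # constructed: site that requires a client certificate
    'www.example.com'                        # constructed: public site
)

function Get-TlsHandshakeResult {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever chain arrives: the goal is to observe the certificate, not validate it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host     = $HostName
            Protocol = $ssl.SslProtocol
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Error    = $null
        }
    } catch {
        # A failed handshake is itself a finding: client-certificate sites and servers limited to
        # outdated cipher suites typically land here once decryption is enabled.
        [pscustomobject]@{ Host = $HostName; Protocol = $null; Issuer = $null; NotAfter = $null; Error = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}

function Get-InspectionVerdict {
    param([Parameter(Mandatory)]$Result)
    if ($Result.Error)                                  { return 'HANDSHAKE FAILED - candidate for exclusion' }
    if ($Result.Issuer -match $InspectionIssuerPattern) { return 'DECRYPTED by inspection' }
    return 'PASSED THROUGH (original server certificate seen)'
}

function Test-FirefoxEnterpriseRootsPolicy {
    # Firefox honours the Certificates/ImportEnterpriseRoots policy, which turns on
    # security.enterprise_roots.enabled; on Windows the policy is read from this registry path.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'
    $value = (Get-ItemProperty -Path $policyKey -Name ImportEnterpriseRoots -ErrorAction SilentlyContinue).ImportEnterpriseRoots
    [pscustomobject]@{
        PolicyKey = $policyKey
        Enabled   = ($value -eq 1)
    }
}

# --- run the checks ---
$results = foreach ($h in $HostsToCheck) {
    $r = Get-TlsHandshakeResult -HostName $h
    $r | Add-Member -NotePropertyName Verdict -NotePropertyValue (Get-InspectionVerdict $r) -PassThru
}
$results | Format-Table Host, Protocol, Verdict, Issuer -AutoSize

$ff = Test-FirefoxEnterpriseRootsPolicy
if (-not $ff.Enabled) {
    Write-Warning "Firefox enterprise roots policy is not set under $($ff.PolicyKey); Firefox users may see certificate errors on decrypted sites."
}
```

Run it from an endpoint that has inspection enabled: a site whose issuer is the inspection CA is being decrypted, a site that still presents its own issuer is being passed through (already excluded, or in an excluded category), and a site that fails the handshake is a candidate for a hostname or IP exclusion. The handshake failure is only a hint, so confirm the cause (client certificate prompt, cipher suite, unknown root) before excluding.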

Anonymous
  • Hi Michael,

    I can offer a bit more background to this issue. The cause of the issue is the presence of a Network Extension that uses NETransparentProxy on macOS which affects node.js. NETransparentProxy API is the technology that we have to use for Web Protection features on macOS 11 and above. node.js is an open-source framework that LightSpeed’s agent is built on.

    We have been working with Lightspeed and Apple on this issue. We (Sophos and Lightspeed) are sure that this is an Apple issue to fix, and we have been assisting both companies with the investigation, as we cannot fix this within the Sophos endpoint product.

    I am sure if you reach out to Lightspeed they will be able to provide more information.

    Regards,

    Darren. 

  • Hi Michael,

    Thank you for your support case number and the detail on the 3rd party product. Your use case of Sophos for file protection and another vendor for network is useful; I'll feed this context back to the team.

    Regards,

    Stephen

  • Hi Stephen, thanks for the response. I already have a ticket open, case no: 04612065 and have been in discussion about this for a day or two. So far the explanations and detail given by Sophos has been very useful and informative but as yet no suggestion of a potential solution, only that this is down to a limitation of the Mac operating system and that the network extension is an integral part of the product and should not be removed.

    The product it is in conflict with is the Lightspeed Systems 'Smart Agent' which is in essence a cloud web filter agent. This performs SSL inspection on network traffic and is for me the more important of the 2 for performing this role. I do however still wish to have a managed AV product on the device and Sophos is the one I'm licensed for... hence my conundrum.

  • Hi Michael,

    I strongly recommend opening a support case so that our development team can investigate this for you.

    Turning off the Web Protection and Web Control functionality doesn't remove the Sophos Network Extension. This has to be removed manually and then subsequently denied when it prompts for approval.

    If the Network Extension is removed, during the next endpoint update it will attempt to put it back and prompt the user for approval, this is by design.

    Please open a support case and provide an SDU and a TCPDump while reproducing the issue and our development team can investigate.

    Also what is the third party product that you are using please?

    Regards,

    Stephen

  • I'm having a major issue with this in Mac OS (EAP as well as non-EAP), as we have a cloud web filtering agent installed and the two combined just kill internet connectivity. I have all 'web' filtering options disabled in Sophos Cloud, however merely the presence of the Sophos Network Extension causes all manner of pain on a Mac computer running 12.0.x (I only have one 11.x Mac and that one seems 'ok' so far.)

    How in the hell can I suppress this extension or disable it entirely? I tried renaming the thing earlier which fixed everything for a short space of time... right up until the point it reinstalled and relaunched itself during a user session, which then killed the internet once more.

    I do not want this feature from the AV. I purely want it on a Mac for file scanning only, but this is the only AV I have for Mac OS which allows centralised management, I don't want to have to buy something else...