Thread Info
  • State Suggested Answer
  • +3 person also asked this people also asked this
  • Replies 49 replies
  • Answers 1 answer
  • Subscribers 17 subscribers
  • Views 22804 views
  • Users 0 members are here
Options
Suggested

Mozilla Firefox Trouble with Google Gmail web based access

Sophos User6096

I have a three users who have trouble with Google Gmail based website while using Firefox. I use InterceptX. I am having issues pinning this down.

** Sophos Core Agent 2.20.13, Endpoint Advanced 10.8.11.4, Intercept X 2.0.24 (standard release channel)
** Mozilla Firefox 99.0.1 64 bit (standard release channel)
** Windows OS 10 Pro 64 bit patched to current (standard release channel)

Issue:
01. Google Workspace Gmail stops updating / timeout message (#001) appears.
02. user must close Firefox completely then start again. (if user does not start Gmail quickly enough Gmail will not start. Close Firefox completely and restart is the option.)

Testing:
01. I started with a brand new windows user. I logged onto the existing Google Workspace Gmail. I did screenshots periodically to document the timeline.
02. Gmail timeout issue appeared after about 60 minutes. (prior Sophos Community noted "Trouble with google based websites using Firefox" issue so I worked that aspect. Once my Google Workspace Gmail started timing out, I worked other Google property websites.) I opened a new tap and tried Gmail (did not load). I opened a new tap and did YouTube (it worked normally). I opened another new tab and tired Google search (it worked normally).
03. SpeedTest.net opened and ran without issue and Pocket.com worked without issue.
04. Sophos Endpoint Agent - I signed in as Admin.
05. From Sophos Endpoint Agent Admin screen ... I disabled different aspects / pieces and after each I would force Gmail to retry. I did this working through "off" but one cannot turn aspect / piece "on" after "off". Hence, I could not work through items individually. I got to half the aspects turned off and still "No Joy". (I screwed up and no screenshot of half items.)
06. After half aspects / pieces "off" and not able to re-enable, I just cancelled / off to all aspects / pieces except Deep Learning.
07. retry for Gmail and the traffic resumed working / flowing.
08. Sophos Endpoint Agent aspect(s) is/are the issue because when all but Deep Learning aspect / piece toggled "Off" and gmail resumed updates / working. However, I am unsure which aspect / piece is the issue.
09. Sophos Endpoint Agent - I signed out as Admin to re-set / re-enable all the aspects / pieces.
10. Gmail running in the originally open Mozilla Firefox tab continued working normally with aspects / pieces enabled EXCEPT Application Control and Data Loss Prevention (did not re-enable when I signed out as Admin).
11. Gmail timeout issue appeared after about 60 minutes. (prior Sophos Community noted "Trouble with google based websites using Firefox" issue so I worked that aspect. Once my Google Workspace Gmail started timing out, I worked other Google property websites.) I opened a new tap and tried Gmail (did not load). I opened a new tap and did YouTube (it worked normally). I opened another new tab and tired Google search (it worked normally).
12. After Windows Firewall, Ransomwear Detection, Safe Browsing, Network Threat Protection, Application Control, and Data Loss Prevention aspects / pieces "off" Gmail resumed working / flowing.

(I can share the screenshots if that helps but they are just timeline value.)

Working each setting in Sophos Endpoint Agent then resetting and waiting an hour is not possible during my work day.


Does anyone have any suggestions? For working this Gmail hanging is irritating issue.



added / clarified the Windows 10 Pro OS is 64 bit and Mozilla Firefox is 64 bit versions.
[edited by: Sophos User6096 at 7:12 PM (GMT -7) on 29 Apr 2022]
Parents Reply Children
  • 0 in reply to richard thomas1

    An hour later (no intervening browser restart):

    google.co.uk into the Firefox browser works
    google.com doesn't work


    I.e. the opposite of the original problem. ??

    News.google.com still not working.


    This seems very occult. But it's also useless. Trouble-free  access to google sites is not an esoteric requirement. 

  • 0 in reply to richard thomas1

    Do you think you could catch it with Debug logging enabled. If you open Endpoint Self Help

    This sets the DWORD named LogLevel to 0 under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Logging\NTP\SophosNetFilter.exe

    it seems from a Process Monitor log.

    In a PS prompt you could tail the log file which should now have debugging enabled. I.e. there will be "D" references in the log file before the messages at this level.

    gc "C:\Programdata\Sophos\Sophos Network Threat Protection\logs\SophosNetFilter.log" -wait -tail 1

    From the broken state, if you "hard" refresh the page, is there any useful error message if Firefox still errors?

    If you still have the browser developer tools open, I suppose you could try checking "Disable cache" option.  Just to be sure any error page is not a cached message in some way although it seems odd to cache an error message.

  • 0 in reply to Sophos User930

    On a minority (maybe 25%) of the failed connections to google sites, I get this (probably uninformative?) error message in the browser window

    I tried doing the Debug Logging thing, but I get "Access Denied" in Powershell (after I figured out what "PS" was)

    I'm not knowledgeable about any of this. I'm a solo end user (one man company), not a sysadmin.

    Looking around this forum, there have been reports of this bug  (under various headings) for several months. 

    Thanks for your suggestions. But I think it's going to take someone with better knowledge than me to fix this. 

  • 0 in reply to richard thomas1

    Can you try to set the following flag in firefox? 

    1. Enter “about:config” in the address bar and continue to the list of preferences.
    2. Set the preference "security.enterprise_roots.enabled" to true.
    3. Restart Firefox.

    __________________________________________________________________________________________________________________

  • 0 in reply to richard thomas1

    If you've been migrated from the SAV based web protection to the new version, which seems to be the case as your list of components doesn't include Sophos Anti-Virus, then you should have the process SophosNetFilter.exe running which is responsible for web protection and control.  This should create the log file: "SophosNetFilter.log".


    With Debug logging on it will grow quite a bit quicker.  I was hoping that for the quick page refresh, tailing the log file with PowerShell then stopping it, once the issue had occurred and then Ctrl-C out of the tail command would given you just the logging needed on screen.

    I suppose you could check the file exists.

  • 0 in reply to Sophos User930


    I set  "security.enterprise_roots.enabled" to true. as suggested above and restarted firefox.

    I do have a process SophosNetFilter.exe in Task Manager.

    But searching C:\Prgramdata\Sophos\Sophos Network Threat Protection  finds no file "SophosNetFilter.log". If I search from higher up the file path, still no good.

    Maybe I don't have the right permissions, I can't view the Programdata\Sophos\Sophos Network Threat Protection folder in file explorer, even as administrator.

  • 0 in reply to richard thomas1

    Try to restart the PC again (Not shutdown and boot, instead reboot). It should import the certificate. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Thank you. I seem to have the logging working now. This is the log file for a single click on my Firefox bookmark for google.co.uk (with 0Kb transferred according to Developer Tools):

  • 0 in reply to richard thomas1

    Sorry that print screen didn't get the start of the log - it's longer than my monitor screen - here it is from the start

  • 0 in reply to richard thomas1

    That could be Sophos tamper protection at play.

    Running PowerShell as administrator and running the command:

    gc "C:\Programdata\Sophos\Sophos Network Threat Protection\logs\SophosNetFilter.log" -wait -tail 1

    should work but you could try running the following sequence of commands in that admin PowrerShell prompt to see how far you get along the path, i.e.:

    CD \

    CD Programdata

    CD Sophos

    CD Sophos Network Threat Protection

    CD Logs

    dir

    Can you see the logs?

    In other news, I did get:

    and then....

    The scenario being;

    1. Launch Firefox, type something in the address bar to perform a search.  I switched the default search engine to DuckDuckGo just to see if Google was even significant. This worked all is fine and I can repeat this. All OK.

    2. Tamper Protection is off so I restart the service:

    "Sophos Network Threat Protection"

    This will essentially exit and re-launch the SophosNetFilter.exe process which is used for Web Protection/Control.

    3. If I refresh the page, then I get the above error.

    So I wonder if, for some reason, the SophosNetFilter.exe process is restarting on your computer?

    To test this theory, if you open Windows Task Manager, under the Details tab find the SophosNetFilter.exe process when all is working, make a note of the PID (process id).  Browse away, until you get the issue.  Has the PID of the SophosNetFilter.exe changed?

    ---

    In the SophosNetFilter.log (with Debug logging enabled), I see:

    022-05-01T11:02:44.096Z [36128:65640] D Server Hello SNI lookup: duckduckgo.com - allow: true
    2022-05-01T11:02:44.097Z [36128:94500] E SSL_do_handshake returned SSL error= 1 reason=1042 error:00000001:lib(0):func(0):reason(1) SSL*=00000185B8682460
    2022-05-01T11:02:44.103Z [36128:94500] E Failed to set up SSL MITM encryption: Unrecoverable SSL error during handshake(): error:00000412:lib(0):func(0):reason(1042)
    2022-05-01T11:02:44.104Z [36128:94500] E Unrecoverable SSL error in input() flowId=87351 side=0 size=24 offset=0
    2022-05-01T11:02:44.106Z [36128:94500] D request disconnect flowId=87351 side=0 flags=65536

    ---

    This made me think of the 5 minute comments. In the current product, when you boot the computer, 5 mins after the Sophos AutoUpdate Service starts (alsvc.exe), the first update occurs, then it goes back to the 1/hr check if all is well.

    If however, there is an issue with a component installing and there has never been a successful update, such that the FeatureHash value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate is not stored, as there is yet to be a successful update.  Then the AutoUpdate product runs the setup plugins of all the components including AutoUpdate, this has the effect of restarting the AutoUpdate service and it enters into a 5 minute update.  

    If this is the case, under C:\windows\temp\ there are installer logs of Sophos being created every 5 minutes?

    I'm just trying to think of a scenario where the SophosNetFilter.exe process is constantly being restarted, and if the NTP component is being re-installed every 5 mins by AutoUpdate that could be one.

    ---

    Interestingly and somewhat expectedly, if I disable in policy:

    Which can be seen at the endpoint:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[policyrevision]\web_protection

    https_decrypt_enabled = 0

    Then if the process is restarted as above, it all works.

    Hopefully you find that for some reason, the SophosNetFilter.exe process is restarting.  We can then focus on that.

Unfiltered HTML