
Sophos Central Endpoint Protection - Windows Firewall conflict?

Hello Guys

I've got a question; I'm sure one of you can help me out!

I installed the Sophos Central Endpoint Protection. Since this installation Windows pops up with "Windows Firewall is not active". Then I activate it again, and after some minutes or seconds: "Windows Firewall is not active". Once I remove Sophos it's working fine; once I reinstall it, same thing. Maybe someone here has an idea about the possible reason for this. I can't really get what the problem is, since I haven't used this for the first time and haven't seen this error anytime before.

 

Thank you Guys!

Jason



  • Hi Barb,

     

    Windows 10 x64 on the Client

    Sophos Core Agent 2.0.5

    Endpoint Standard 10.8.1.2

    Intercept X : no

    Encrypted: no

     

    Sometimes after some seconds or some hours Windows turns off the Firewall.

    After reactivation, some time later it fails again. The moment I delete the Sophos Endpoint Client from the system the error disappears.

    Regards

    Jason


    Sophos Certified Architect - UTM

  • Hi Jason Klein ,

    I am not seeing any related issues. What's your Windows build and version (Pro, Enterprise? ... build number 1809? 1803? )? 
    Did you get a chance to review the previous documentation to set up the Windows Firewall? (There is an advanced entry regarding it that might help). 

    Otherwise, can you please check the Windows Event Viewer for any Firewall messages? 

    I know you have mentioned several times that the issue happens randomly, but, if you get a chance see if you can reproduce it by, say starting a system scan. 
    Also, does the issue go away if you turn off all the Sophos protections on the endpoint? (Please only do this for testing purposes, and be sure to re-enable them after testing). 

    Thanks,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

     

  • Hello!

    I'm having the issue and it is reproducible on multiple computers.

    Version information:

    Windows 10 1803 (Build 18134.407)

    Core Agent 2.1.4

    Endpoint Advanced 10.8.2.344

    Sophos Intercept X 2.0.10

    Device Encryption 1.4.103

     

    When I click "Restore Settings" in "Defender Security Center"

    The following Events are generated in "Applications and Services Logs\Windows\Windows Firewall With Advanced Security\Firewall" Eventlog:

    1. 
    Windows Defender Firewall has been reset to its default configuration.

    then about a Minute later:

    2.
    A Windows Defender Firewall setting in the Domain profile has changed.
    New Setting:
    Type: Enable Windows Defender Firewall
    Value: Ja
    Modifying User: SYSTEM
    Modifying Application: C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\McsAgent.exe

    and a bunch of similar events. You can get examples here: https://netlogix.sharefile.com/d-sc47f1db308f46a0b. In this example I clicked "Restore Settings" at 9:28:14.

    Thanks for any help in advance. :)

  • I noticed myself after further investigation, that Sophos (mcsAgent.exe) sets the default inbound Action for all Windows Firewall Profiles to ALLOW, which is not secure, so Windows Defender Security Center raises an alarm.

    Can you change this behaviour, so that mcsAgent.exe does not change the default inbound action? Why is this?

  • Hi Sebastian,

    Please, have a look at this article: Sophos Central - Windows Firewall Control connection types

    GPOs may affect the behavior as well: 
    Sophos Central - Windows Group Policy settings may affect Windows Firewall policy application 

    To check your current Windows Firewall Central policies, please review this document

    If your settings are fine and you are still experiencing issues, I would recommend to file a case with support for further investigation. If you do this, please send me a private message with the ticket number so that I can follow-up. Thanks!

    Regarding feature requests, you can access them here

    Please, let us know how it goes. 

    Barb@Sophos

  • Works. Changed the Policy in Sophos Central to "Block [with exceptions]" and everything works like a charm. Thank you!
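
The check discussed in this thread, as an added PowerShell example that is not part of any post above: it lists the effective state and default inbound action of each Windows Firewall profile, then pulls the events in the firewall log that name McsAgent.exe as the modifying application. The 500-event window and the match on the message text are assumptions of this example; run it from an elevated prompt on the affected endpoint.

```powershell
# Added example (not from the thread): audit the effective firewall profile
# settings and find the changes attributed to the Sophos management agent.

$logName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
$agent   = 'McsAgent.exe'   # modifying application reported in the thread
$maxScan = 500              # assumption: how many recent events to inspect

# 1. Effective settings per profile. ActiveStore is the merged result of
#    local settings and Group Policy, i.e. what is actually enforced.
$profiles = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

$profiles | Format-Table -AutoSize

# 2. Flag the two conditions raised in the thread: a disabled profile, or a
#    default inbound action of Allow.
$weak = $profiles | Where-Object {
    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow'
}

if ($weak) {
    Write-Warning ("Profiles disabled or defaulting to inbound Allow: " +
                   (($weak | ForEach-Object Name) -join ', '))
} else {
    Write-Output 'All profiles enabled with a non-Allow default inbound action.'
}

# 3. Recent firewall-log events whose message names the agent executable.
#    The executable path is not localised, so this also works on systems
#    where the rest of the message is (the thread shows "Value: Ja").
$events = Get-WinEvent -LogName $logName -MaxEvents $maxScan -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$agent*" } |
    Sort-Object TimeCreated

if (-not $events) {
    Write-Output "No events naming $agent in the last $maxScan entries."
} else {
    # Collapse each multi-line message to one line for a readable timeline.
    $events | Select-Object TimeCreated, Id, @{
        Name       = 'Detail'
        Expression = { ($_.Message -split "`r?`n" |
                        Where-Object { $_.Trim() } |
                        ForEach-Object { $_.Trim() }) -join ' | ' }
    } | Format-List
}
```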