Sophos Intercept X - Events tab shows access to a url blocked

I have SOPHOS (Intercept X - 2.0.17) installed in my company laptop running on Windows 10. Of late there was a spike in Proxy & Translators events, logging about 11K in a day for a certain website. However, I am unable to trace which process/application is trying to access the URL which is blocked. I could not find anything in the browser (Chrome) history or the developer tools to pinpoint the source of such calls. Attached is the event log from Sophos. The mentioned website just shows a Thank You message when opened from a browser. Kindly advise how I can determine which process or application is triggering that, or any pointers. I verified all the logs in SOPHOS, including the SAV.txt, but do not find this entry anywhere.

  • Hello,

    Well, for the web control/web protection feature, you will find entries in the logs here: %ProgramData%\Sophos\Web Intelligence\Logs\.

    If you also see the URLs in question here (and you should, as it is a control event given the icon), then the processes that are filtered are:

    iexplore.exe, chrome.exe, opera.exe, msedge.exe, etc.

    The web traffic from these processes, if web protection and/or control is enabled, is redirected through swi_fc.exe, so it would have to be one of the above browser processes, at least by name.

    I'm not sure if you have an EDR licence, but if you're really struggling you can use the query:

    select * from sophos_ip_journal where redirectionstate=1;

    to show you all traffic that has been redirected by WFP, which is what Sophos endpoint web protection/control uses. You could then use the sophosPID column and maybe the originalDestination address to work it out.

    Regards,

    Jak
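    An added example, not part of the original thread and not Sophos code: a PowerShell script that collects the two kinds of evidence the reply points at on a Windows 10 endpoint that has no EDR licence. It first searches the Web Intelligence log directory named above for lines mentioning the blocked host (a plain text search, since the log format is not documented here), then resolves the host and repeatedly snapshots TCP connections to those addresses, recording the owning process, its path, command line and parent. The hostname is a placeholder to be replaced with the site from the Sophos event; the snapshot count and interval are assumed defaults.

```powershell
# Added example (not from the original post or from Sophos): find the process behind
# repeated connections to a blocked site on Windows 10. Run from an elevated
# PowerShell 5.1+ session, e.g. .\Find-UrlOwner.ps1 -Hostname <site from the event>.
param(
    [string]$Hostname = 'blocked.example.invalid',   # placeholder; replace with the host from the Sophos event
    [int]$Samples = 30,                              # assumed default: number of connection snapshots
    [int]$IntervalSeconds = 2                        # assumed default: pause between snapshots
)

# Directory the reply names for web control/web protection logs.
$logDir = Join-Path $env:ProgramData 'Sophos\Web Intelligence\Logs'

# 1. Sophos-side evidence: any log line that mentions the host.
#    The log format is not documented on the page, so this is a plain text
#    search across every file in the directory rather than a parser.
if (Test-Path $logDir) {
    Get-ChildItem -Path $logDir -File -Recurse |
        Select-String -Pattern ([regex]::Escape($Hostname)) |
        Select-Object -First 20 Filename, LineNumber, Line |
        Format-Table -AutoSize
} else {
    Write-Warning "Log directory not found: $logDir"
}

# 2. OS-side evidence: resolve the host, then watch for sockets to those
#    addresses and note which process owns each one the first time it appears.
$targets = @(Resolve-DnsName -Name $Hostname -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.IPAddress } |
             ForEach-Object { $_.IPAddress })
if (-not $targets) {
    Write-Warning "Could not resolve $Hostname"
    return
}

$seen = @{}
for ($i = 0; $i -lt $Samples; $i++) {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $targets -contains $_.RemoteAddress } |
        ForEach-Object {
            $key = "$($_.OwningProcess)|$($_.RemoteAddress):$($_.RemotePort)"
            if (-not $seen.ContainsKey($key)) {
                # Win32_Process gives the image path, command line and parent PID,
                # which is what distinguishes one chrome.exe from another.
                $proc = Get-CimInstance Win32_Process `
                    -Filter "ProcessId = $($_.OwningProcess)" -ErrorAction SilentlyContinue
                $seen[$key] = [pscustomobject]@{
                    Pid         = $_.OwningProcess
                    Process     = $proc.Name
                    Path        = $proc.ExecutablePath
                    CommandLine = $proc.CommandLine
                    ParentPid   = $proc.ParentProcessId
                    Remote      = "$($_.RemoteAddress):$($_.RemotePort)"
                    FirstSeen   = Get-Date
                }
            }
        }
    Start-Sleep -Seconds $IntervalSeconds
}

# One row per (process, remote endpoint) pair, oldest first.
$seen.Values | Sort-Object FirstSeen | Format-Table -AutoSize
```

    One caveat that follows from the reply itself: when web protection is enabled, browser traffic is redirected through swi_fc.exe, so the outbound socket to the site's address may be owned by swi_fc.exe rather than by the browser. If that is all the snapshot shows, the command line and parent PID of the browser processes active at the same moments are the next thing to compare, since a single tab, extension or helper process will usually stand out by its command line. On an endpoint with an EDR licence, the sophosPID column from the sophos_ip_journal query in the reply serves the same purpose without polling.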
