
Endpoint protection blocking local server... why?

I've seen this problem before and now I am facing it again. I had to completely uninstall endpoint protection in order to access a local Ubuntu virtual server I recently turned up via ping, ssh, https, or webmin (port 10000). When the server was created on the local network I was able to access it for about 48 hours and then nothing. The nothing part is what bothers me. I could access the server from my UTM or any other device that did not have endpoint protection installed. I still can, in fact. But on desktops or servers with the endpoint installed, no luck. Worst of all, I can't find anywhere a log entry being made regarding the attempt to access an apparently forbidden IP address. I've tried disabling the endpoint but that is as frustrating as no log data. Much easier to just delete the damn thing to confirm it is the issue.

When this sort of problem occurs where am I supposed to go to find the root cause so I can address it?

  • So much help that I am overwhelmed! I'm no longer impressed, nor of a mind to recommend endpoint protection as a viable solution to my peers.

    After uninstalling and reinstalling endpoint protection I can now access the server on my local network. Of course no explanation why, no evidence to be found in Windows logs or Sophos logs. And yes, I had rebooted the desktop prior to removing the Sophos endpoint protection and it made no difference. The only way I figured out Sophos was the guilty party was making a list of the devices that could or could not see the local server, then looking for the common feature among them.

  • To clarify - how are you trying to access the server? Is this through a mapped drive? A file explorer routing?

    Is this a file share? SMB mount?

    RichardP

    Snr. New Product Introduction Engineer | CISSP | Sophos Technical Support

  • Hi ,

    First things first, what was the role of this virtual server? Was it only a normal shared drive or does it have an application on it which needs to be accessed from the machines?
    Was the ping from the machine where the Sophos endpoint is going through when you pinged the virtual server, or not?

    GlennSen 
    Community Support Engineer | Sophos Technical Support

  • This was/is a webserver in my vmware cluster. I was merely trying to manage the server via ssh or webmin, to prepare it for loading an internal website. It was/is in the same local subnet and physical/virtual network as my desktop. As far as the desktop was concerned the target ip was not found. I am trying to understand what impact endpoint protection had, and where it would have recorded anything about the issue.

  • The endpoint software doesn't intercept RDP traffic - only web browser traffic. Do packet capture on the external of the endpoint and the server when you are attempting to connect - see what traffic is being sent.

    Also, you need to check your routing table on the machine. You saw it is the same subnet but are you connected into the same switch or are you transiting across a trunk?

    RichardP

    Snr. New Product Introduction Engineer | CISSP | Sophos Technical Support
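As an added example (not code from the thread or from Sophos), the following probe distinguishes the three outcomes a connect attempt can have on the ports the original poster tried, which is the first thing to establish before reaching for packet captures: a silent timeout on every port is consistent with something on the path discarding packets (a host or endpoint firewall), an RST ("refused") proves the host is reachable and only the service is missing, and "unreachable" points at routing or the switch/trunk question raised above. The port list and the loopback self-check are assumptions of this example; run it from an endpoint-protected desktop and from one without, as the poster did, to isolate the cause.

```python
import errno
import socket
import sys

# Ports the original poster tried: ssh, https and Webmin (assumed list).
PORTS = (22, 443, 10000)

def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP connect attempt as open / refused / timeout / unreachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "timeout"          # nothing came back: the SYN was silently dropped
        except ConnectionRefusedError:
            return "refused"          # RST came back: host reachable, no listener
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"  # no route / no ARP reply: a layer-2/3 problem
            raise

def diagnose(results):
    """Turn per-port outcomes into the layer most worth looking at next."""
    outcomes = set(results.values())
    if "open" in outcomes:
        return "reachable"
    if "refused" in outcomes:
        return "host-reachable-no-service"
    if outcomes == {"timeout"}:
        return "silent-drop"      # compare with a host that has no endpoint installed
    if outcomes == {"unreachable"}:
        return "no-route"         # check the routing table and VLAN/trunk path
    return "mixed"

def probe_local_listener():
    """Self-check on loopback: probe a throwaway listener, then the same port once closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = probe_tcp("127.0.0.1", port)
    return while_open, probe_tcp("127.0.0.1", port)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    res = {p: probe_tcp(host, p) for p in PORTS}
    print(res, "->", diagnose(res))
```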