
How to avoid risky download warnings on intranet in Sophos Central Endpoint Protection

Can't add a reply to an old question, so hopefully this helps....

I was happy with a warning when trying to download an EXE or JAR file etc. from the internet, to help protect users, but did not want this when trying to download our own JAR files from the internal intranet (like from our own Nexus repository).

The fix, coming off of what someone said on https://community.sophos.com/intercept-x-endpoint/f/discussions/109716/add-multiple-websites-simultaneously-to-global-exclusions

was to go into Sophos Central Admin -> Endpoint Protection -> Policies, and under Threat Protection, I'd created my own policy, and inside that Settings->Exclusions you can add an exclusion for your IP subnet, such as 10.192.150.0/24 or 192.168.0.0/24

You can also do it in the Global Exclusions, but having it in your own policy is probably better.

(hopefully in the correct forum/discussion now! sorry for the duplicate)

  • IP exclusions prevent the browser traffic being redirected to swi_fc.exe and out.  swi_fc.exe is the local proxy process that classifies web traffic as malicious and for the control functionality, i.e. category. 

    If you have an explicit internal proxy, if you exclude that (either explicitly or as part of the subnet) then you might not scan anything so worth bearing in mind :) 

    Download reputation, for the browsers that support the IOfficeAntiVirus, is still taking place, i.e. scanning of files once they are downloaded.

  • Thanks.

    We're developing software, and the release JAR packages go into our local Nexus repository server (on our own internal intranet) so the annoying thing is when then obtaining our own JAR file when clicking on the link to grab it (before deployment to a server etc) is it warns us about our own JAR file.  Ditto for our VStudio/EXE software.

    This is also why I needed to find an alternative to just changing the Web Control -> Java Archive (jar) to "Allow".  This would not then warn for anything downloaded from the internet which obviously is a LOT more risky!

    Not sure how else we can WARN/BLOCK for internet stuff, but yet ALLOW for internal intranet files.

    So it's like if you download from dodgy-site.com/.../dodgy.jar it would hopefully warn, but for our-server.ournetwork.local/.../cool-application.jar then it would allow without warning.

    There didn't seem to be a way to whitelist our own internal network other than doing this, and hoped this would help others.

    I'm happy to be pointed at a better solution!

    Cheers,

    Barry.
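An added example, not part of the thread and not Sophos tooling: a check to run over a proposed exclusion list before entering it in the policy. It flags entries that are malformed, that are not private ranges, or that contain an explicit internal proxy (the caveat raised in the first reply). The subnets are the ones quoted in the original post; the proxy address 192.168.0.10 is constructed for illustration.

```python
import ipaddress


def audit_exclusions(exclusions, proxy_addrs):
    """Return (entry, issue) pairs for exclusions that need a second look."""
    findings = []
    networks = []
    for entry in exclusions:
        try:
            # strict=True rejects entries such as 10.192.150.5/24 (host bits set),
            # which usually means a host address was typed instead of a subnet.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            findings.append((entry, f"invalid CIDR: {exc}"))
            continue
        networks.append(net)
        # The intent in the thread is to exclude intranet ranges only.
        if not net.is_private:
            findings.append((entry, "not a private address range"))

    # Excluding the subnet that holds an explicit proxy bypasses web
    # scanning for everything sent through that proxy.
    for proxy in proxy_addrs:
        addr = ipaddress.ip_address(proxy)
        for net in networks:
            if addr in net:
                findings.append((str(net), f"contains explicit proxy {proxy}"))
    return findings


# Subnets from the original post; proxy address is a constructed sample.
SAMPLE_EXCLUSIONS = ["10.192.150.0/24", "192.168.0.0/24"]
SAMPLE_PROXIES = ["192.168.0.10"]

if __name__ == "__main__":
    for entry, issue in audit_exclusions(SAMPLE_EXCLUSIONS, SAMPLE_PROXIES):
        print(f"{entry}: {issue}")
```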
