
Possible data leak by Web Control process

From what I understand, the swi_fc.exe process is there to check and filter outgoing HTTP(S) connections. It does that by establishing a local connection to the requesting process (e.g. Chrome, Firefox), then establishing a connection to the remote host and forwarding the data.

The problem seems to be that the local connection isn't throttled to the speed of the connection to the remote host.
So the swi_fc.exe process caches the data at quite a high speed and forwards it to the remote host at the speed of the available network bandwidth. The forwarding continues if the transmission is cancelled by the requesting process (browser) and even if the browser is closed.

I witnessed this while supporting a coworker at a remote site and was able to reproduce it on multiple machines and a number of browsers (Firefox, Chrome, Edge).
I'm not sure if the problem lies within Sophos or in the Windows Filtering Platform (which seems to be the interface here).
I tried to file this as a support case but I'm stuck in 1st level support there.

Reproduction

Setup:

  • Windows 10 Enterprise (build 19042.844)
  • Firefox 86.0
  • Sophos Endpoint Protection 10.8.10.3
  • File sharing feature of a QNAP NAS
    -> For reproduction you need a server that supports file uploads via a single POST request and a fairly slow upload speed (~10Mbit) from the client to the server.

Steps:

  • start uploading a quite large file (~1GB) to the cloud storage
    -> the local transmission is way faster than the remote
  • wait until Firefox tells you that the upload is almost complete
  • cancel the upload in Firefox
  • check that the file isn't available on the cloud server
    -> the transmission continues in background
  • close Firefox
    -> the transmission still continues in background
  • -> Some time (~15min) later the file will be available on the cloud server.

When the upload is canceled in Firefox, and even more so when Firefox is closed, there shouldn't be any background transmission anymore.

The problem I see here is that someone unintentionally starts to upload a private file, notices the mistake, and cancels the upload. After that he might be confident that no data was uploaded. But he isn't aware that the upload is still running and the data will be published later.

Another problem is the usage of bandwidth that can't be aborted.
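
Added example, not part of the original post and not Sophos code: a small model of the relay behaviour described above, comparing a relay that accepts the whole upload at local speed with one that applies backpressure and aborts when the client cancels. The ~1 GB file and ~10 Mbit/s uplink come from the post; the 100 MB/s local rate, the 4 MB buffer limit, the 12-second cancel time and all names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Outcome:
    accepted_at_cancel: int      # bytes the relay had taken from the browser at cancel time
    sent_at_cancel: int          # bytes already forwarded to the server at cancel time
    sent_total: int              # bytes the server has received when the relay goes idle
    finished_at: Optional[int]   # second at which the complete file arrived, else None

def simulate(file_size, client_rate, upstream_rate, cancel_at,
             buffer_limit=None, abort_on_cancel=False):
    """One-second steps, rates in bytes/s. buffer_limit=None models a relay
    that accepts data as fast as the browser sends it (no backpressure)."""
    accepted = sent = t = 0
    cancelled = False
    at_cancel = (0, 0)
    while True:
        if t == cancel_at:
            cancelled = True
            at_cancel = (accepted, sent)
            if abort_on_cancel:          # hardened: drop the buffer, reset upstream
                break
        if not cancelled:                # browser -> relay (fast local connection)
            room = file_size - accepted
            if buffer_limit is not None:
                room = min(room, buffer_limit - (accepted - sent))
            accepted += min(client_rate, room)
        sent += min(upstream_rate, accepted - sent)   # relay -> server (slow uplink)
        t += 1
        if accepted == sent and (cancelled or accepted == file_size):
            break
    done = t if sent == file_size else None
    return Outcome(at_cancel[0], at_cancel[1], sent, done)

# Constructed figures: ~1 GB file and ~10 Mbit/s uplink from the post; the
# 100 MB/s local rate and the 4 MB buffer are assumptions.
FILE, LOCAL, UPLINK = 1_000_000_000, 100_000_000, 1_250_000
observed = simulate(FILE, LOCAL, UPLINK, cancel_at=12)
hardened = simulate(FILE, LOCAL, UPLINK, cancel_at=12,
                    buffer_limit=4_000_000, abort_on_cancel=True)

if __name__ == "__main__":
    print("observed:", observed)
    print("hardened:", hardened)
```

In the unthrottled case the relay already holds the entire file when the user cancels, so the cancel no longer controls what reaches the server; with a bounded buffer and an abort on cancel, only the bytes sent before the cancel leave the machine.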



This thread was automatically locked due to age.