This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Intercept X Advanced doesn't block Risky file types

Hi,

Does anyone else experience similar issue of Intercept X Advanced endpoint not blocking any type of risky files from websites (when trying download them) despite policy enforcement? 



This thread was automatically locked due to age.
Parents
  • I made some tests and it looks like those policies only works on HTTP sources but not from HTTPS, which nowadays is a standard, so am I missing something or Sophos doesn't block anything from secure sources? That would be really bad Disappointed

  • The current version of web protection/control (part of SAV) does not crack open and inspect HTTPS traffic at the endpoint.  It does not have access to the content to see the type when HTTPS is used.  It can block HTTPS domains using the SNI value in the handshake, this is why web control works generally, i.e. domains being classified as category a, etc. Website block/allow lists.

    Apparently the new version of web protection/control that is coming to an EAP soon will do inspection at the endpoint.  At that time it will be able to classify types over HTTPS.

  • Well, this is quite bizarre because as far as I remember most of modern AV can scan full HTTPS content nowadays. It looks like we will have to move away from Sophos and look at some alternatives then.

  • The XG can do it at the gateway and you have to distribute certs to the endpoints.

    As far as I know, the new endpoint version will be available in a month or two.

    Is it for the "control" aspect?  I.e. you want it primarily to block exe/dll/jar/etc files from being downloaded?

    Sophos makes use of IOfficeAntiVirus to scan and perform reputation checks on files on download from the browsers that support it.  The realtime scanner will detect anything malicious on write before execution. 

  • That's correct, ideally I need to block them from downloading for standard user accounts. Thank you for you answer, let's hope that Sophos will release new AV version soon.

  • If you have standardised on a browser. I suppose there is always the policy of the browser you might be able to use, e.g support.google.com/.../7579271

Reply Children