Web Control - Block downloads of exe's not working

I assume it is fine for HTTP but not for HTTPS.  The current shipping version only supports HTTP for this part of the solution.

I assume it is fine for HTTP but not for HTTPS.  The current shipping version only supports HTTP for this part of the solution.

Given the info here:
Important Changes to the Endpoint/Server Protection and EDR Features Early Access Program - Announcements - Endpoint EAP - Sophos Community

maybe the EAP works.  I've not tried it yet.

It should work fine for HTTPS. However what I recently found out was, that when the QUIC protocol is used (i.e. with Chrome and a Webserver supporting QUIC), it seems to bypass WebControl.

The current version relies on obtaining the SNI from the handshake to know the domain when the site is served over HTTPS.  It can use this to classify sites so blocking malicious sites and classifying sites works.  The problem here is with the blocking of file types via HTTPS which isn't something the proxy can "see" as the traffic is not decrypted at the endpoint.  It can scan the file as it's written to disk and can be scanned as part of download reputation for the browsers that support that feature

Right, I missed the exe part. You are absolutely correct about, I was only thinking of hostnames, not of other parts of the URL.

Thanks.  We use Kaspersky now to do this for a few years now and it works very well with HTTPS.  We will hold off for a while and try Sophos again down the road. 

Once I see it working I'll try and remember to update this thread.  Thanks