Sophos Intercept X 2.0.22, Endpoint 10.8.11.1 conflicts with WFP driver

Hello Sophos Team, I am running a trial version of Sophos Endpoint. The version numbers are mentioned in the subject line. I am developing a WFP based windows driver the purpose of which is to identify packets associated with certain applications and based on application type enforce a certain policy. For this I have a callback registered at FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 to look at the first TCP segment going out. In the callback function I absorb (FWPS_CLASSIFY_OUT_FLAG_ABSORB) the original packet, pend classification by calling FwpsPendClassify and set the actionType field of classifyOut structure to FWP_ACTION_BLOCK. I then defer the process identification part in a work item. Once the work item is complete the absorbed packet is forwarded without any modification and I complete the pending classification calling FwpsCompleteClassify. Though I haven't given all the API calls and how I use them, the driver worked perfectly until I installed Sophos endpoint.

I see that the packets are being sent out by my driver after process identification, however the Sophos Web Security component drops packets destined for port 443. Why is this happening? If I uninstall Sophos the traffic to port 443 flows through fine, or in my driver if I remove the pend/classify code the traffic flows through fine. But removing the pend/classify operation is not an option because decisions are made in my driver based on the application that originated the packet and so I have to pend classification. Clone/Re-inject does not work either because the Sophos driver drops these packets.

Is there a workaround for this? If there are any logs or extra information that you need I can provide them.

Regards,

Winny

Parents
  • I understand that there are 2 components of Sophos IX that use WFP: Network Threat Protection (NTP) and Sophos Web Protection and Control which is part of the Sophos Anti-Virus (SAV) component.

    The purpose of SAV's usage of WFP is to redirect traffic from browser processes, iexplore.exe, chrome.exe etc. to swi_fc.exe in order to classify traffic. Swi_fc.exe is essentially a proxy launched by the swi_filter service. To do the redirection the swi_callout.sys driver (swi_callout service/driver name) is used.

    If the destination IP/subnet is excluded in policy, the traffic goes straight out and is not re-directed through swi_fc.exe.

    Filters.xml created by running "netsh wfp show filters" shows the 3 entries for Sophos Web Intelligence "swi".

    If you disable Tamper Protection and maybe run:
    sc.exe stop swi_filter
    sc.exe stop swi_callout
    taskkill /F /IM swi_fc.exe    (or close all browsers to remove all connections via swi_fc.exe it will exit)
    Does your app work then?  Can you say for sure the issue is with SAV rather than NTP features?

    In case it's helpful - for Windows 7/2008R2, this feature is implemented as an LSP, so not WFP.

    Interestingly, for the Central Managed client, SAV is soon to be removed from the solution and the web protection/control feature will be moved into NTP.  This will remove the redirection and I assume could solve your issue. It should be enabled in the Early Access Program build soon if not already.  Important Changes to the Endpoint/Server Protection and EDR Features Early Access Program - Announcements - Endpoint EAP - Sophos Community 
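    As an added example (not from this thread or from Sophos), a small script that parses the filters.xml written by "netsh wfp show filters", lists the filters whose display name contains "swi", and reports which of them sit on the same WFP layer as a third-party driver's own callout (here FWPM_LAYER_ALE_CONNECT_REDIRECT_V4, from the original post). The XML element names (item, displayData/name, layerKey, action/type) are assumed from the general shape of netsh output, and the embedded sample is constructed with placeholder GUIDs.

```python
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of "netsh wfp show filters" output; the
# element names are an assumption and the GUIDs/names are placeholders.
SAMPLE_FILTERS_XML = """<filters>
  <item><filterKey>{placeholder-guid-1}</filterKey>
    <displayData><name>swi_callout connect redirect v4</name></displayData>
    <layerKey>FWPM_LAYER_ALE_CONNECT_REDIRECT_V4</layerKey>
    <action><type>FWP_ACTION_CALLOUT_TERMINATING</type></action></item>
  <item><filterKey>{placeholder-guid-2}</filterKey>
    <displayData><name>swi_callout auth connect v4</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <action><type>FWP_ACTION_CALLOUT_UNKNOWN</type></action></item>
  <item><filterKey>{placeholder-guid-3}</filterKey>
    <displayData><name>Unrelated firewall rule</name></displayData>
    <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
    <action><type>FWP_ACTION_PERMIT</type></action></item>
</filters>"""

# The layer the poster's own driver classifies at.
MY_DRIVER_LAYERS = {"FWPM_LAYER_ALE_CONNECT_REDIRECT_V4"}

def load_filters(xml_text):
    """Flatten each top-level <item> into a dict of the fields we care about."""
    root = ET.fromstring(xml_text)
    return [{"key": it.findtext("filterKey", ""),
             "name": it.findtext("displayData/name", ""),
             "layer": it.findtext("layerKey", ""),
             "action": it.findtext("action/type", "")}
            for it in root.findall("item")]

def filters_matching(filters, keyword):
    """Filters whose display name contains keyword (case-insensitive)."""
    kw = keyword.lower()
    return [f for f in filters if kw in f["name"].lower()]

def layer_overlap(filters, keyword, my_layers):
    """Map each layer in my_layers to the matching vendor filters installed on it."""
    hits = defaultdict(list)
    for f in filters_matching(filters, keyword):
        if f["layer"] in my_layers:
            hits[f["layer"]].append(f["name"])
    return dict(hits)

if __name__ == "__main__":
    # Pass the real filters.xml path as argv[1]; otherwise the sample is used.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FILTERS_XML
    flt = load_filters(text)
    for f in filters_matching(flt, "swi"):
        print(f"{f['layer']:40} {f['action']:32} {f['name']}")
    print("overlap with my layers:", layer_overlap(flt, "swi", MY_DRIVER_LAYERS))
```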


Children
  • Before posting the query, as part of my debugging, I tried all the steps you recommend except the "taskkill" command. I know the WFP filters installed by Sophos and I know this happens from the web proxy that inspects HTTPS. Ideally I would want to have my driver run without any conflicts with Sophos, because a user of my driver may prefer to have both running without conflicts. For testing purposes I did try to stop the web service component to see if traffic worked with both my driver and Sophos present. But the problem is that these Sophos drivers/services cannot be stopped even from an elevated prompt. Here is the output when I tried to stop the driver with admin privilege:

    C:\WINDOWS\system32>sc stop swi_filter
    [SC] ControlService FAILED 1052:

    The requested control is not valid for this service.


    C:\WINDOWS\system32>sc query swi_filter

    SERVICE_NAME: swi_filter
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 4  RUNNING
                                    (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0

    C:\WINDOWS\system32>

    I tried "taskkill" as you recommended. But it gives an access denied message.

    Excluding the destination IP/subnet is not an option. I am trying to identify at the WFP layer the application name that originated a packet and then enforce a policy for the application. The destination IP address is not of concern in what I am trying to develop. For example if I want to apply a policy for msedge I can't create an exclusion policy for all possible websites a user visits.

    I have to get this working for Windows 10. You mentioned in your response that the redirection feature of Sophos will be removed in a future release. Do you have any idea how long that could take? Do note I am using a trial version, so some of the controls may not be in place.

    Thank you for helping

    Regards,

    Winny

  • I assume the access denied and the service being in a non stoppable state is due to tamper protection. If you disable tamper and wait up to 1 minute you should be able to stop the service.