Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 15 subscribers
  • Views 1205 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

blocking FQDN with Intercept-X

LHerzog

How can we protect our devices from accessing specific forbidden hosts when they are outside our network - so no longer protected by XG firewall?

I've created a Website Management rule in Central with tags for the recent Autodiscover issue.

This works but only blocks browser based access on windows clients (on MACs it does not even block browsing!).

On Windows I can still access the FQDN autodiscover.to with Outlook and telnet.

I do not want to put the FQDN into hosts file though this would be the safest way.



This thread was automatically locked due to age.
Parents
  • 0

    The current web protection and control feature deals with traffic from a handful of browser processes, e.g. chrome, firefox, msedge, etc. The traffic from these processes, unless an IP exclusion is made, gets redirected to swi_fc.exe for classification and swi_fc.exe connects to the destination.

    Web protection/control doesn't consider traffic from non-browser process.

    Sophos Network Threat protection, deals with non-browser processes, e.g. Outlook.exe for example connecting to classified bad site by using a an SXL lookup via SSPService.  This is your standard C2 detection stuff, i.e. Sophos classifies and IP/Domain as being a known C2 server, any process connecting to it will flag.

    You then also have the Snort engine which is also doing network scanning.

    This sounds like more of a firewall request.

    EDR/XDR IP data (LiveRequest) will allow you to search to find if a process has made a connection to a given IP or a DNS request has been made for the domain.

Reply
  • 0

    The current web protection and control feature deals with traffic from a handful of browser processes, e.g. chrome, firefox, msedge, etc. The traffic from these processes, unless an IP exclusion is made, gets redirected to swi_fc.exe for classification and swi_fc.exe connects to the destination.

    Web protection/control doesn't consider traffic from non-browser process.

    Sophos Network Threat protection, deals with non-browser processes, e.g. Outlook.exe for example connecting to classified bad site by using a an SXL lookup via SSPService.  This is your standard C2 detection stuff, i.e. Sophos classifies and IP/Domain as being a known C2 server, any process connecting to it will flag.

    You then also have the Snort engine which is also doing network scanning.

    This sounds like more of a firewall request.

    EDR/XDR IP data (LiveRequest) will allow you to search to find if a process has made a connection to a given IP or a DNS request has been made for the domain.

Children
  • 0 in reply to Sophos User930

    Hi,

    thanks for your answer. Corporate Firewall in HQ is only one layer of defense here.

    Sophos should be aware, that client computers are at highest risk when they are traveling and are in untrusted networks. If one is blocking autodiscover to your corporate network or your autodiscover is inavailable due to other technical reasons when you're in a hotel, your client will most likely connect to autodiscover.TLD and expose credentials.

    Intercept X should really be able to block FQDN not only in browsers.

Unfiltered HTML