I have just finished migrating clients from Sophos on-premise management to Sophos central; the license we use is Intercept X Advanced.
According to Sophos Central, the Web-Control policy I created is used for our domain users. However, the blocking just does not work.
Users are able to access, in this case, adult websites without any hindrance.
There is no logging in Sophos Central about users accessing these websites, although according to the policy those sites should be blocked and a log entry made.
In Sophos Central and in the Sophos Agent on the respective clients everything lights up green.
I am starting to suspect that maybe other policies might not be working either.
Where do I begin troubleshooting?
I'll assume you are on Windows 10.
Thank you for reaching out to the Sophos Community.
I recommend checking from Sophos Central to see the user that is detected as "Logged in" on the affected device. Ensure that the user as shown is listed in the policy you've defined for Web Control.
Sophos Endpoint will create a User Entry based on the logged-in user, which can sometimes affect how policies get applied.
Another way you can find out is by using the following navigation:
- Open the "Devices" list
- Select the device in question
- Navigate to the "Policies" tab under the device
- Verify that the desired "Web Control" policy is shown here
This UI will change based on the resulting policies that are applied to the endpoint.
If you can confirm that the correct policy is being applied, but the endpoint does not block websites as expected, let me know by updating this thread, and I can request logs and or remote assistance to take a closer look.
I verified that the user to whom the policy is bound is indeed logged on to that PC.
Also, I verified that the Web-Control policy I created is shown under Devices -> Policies.
Furthermore, I found that a scheduled scan I set up in a user-defined Threat Protection policy, which I bound to a computer group of which the client in question is a member, did not take place. However, this policy is also shown under Devices -> Policies. Therefore, I assume that this policy is also not active on the client.
Please let me know what further information you need to pin down this issue.
Policies are collections of settings that you create, configure, and apply, then enforce. Most policy settings correspond to settings that you configure in the Endpoint Security Client. Other policy settings are the primary interface for configuring the software.
I have reached out via DM to inquire further into your issue.
With the current implementation of web control/protection at the client, which is soon to be replaced in the coming months, the traffic should be redirected from the browser processes, e.g. Chrome.exe, Firefox.exe, msedge.exe to the swi_fc.exe process over loopback. Swi_fc.exe then makes the outbound connection. This redirection allows the Sophos component to see the requests and make decisions.
Process Explorer, looking at the TCP/IP tab of swi_fc.exe, would be one way to see that swi_fc.exe is busy proxying traffic when the browser process(es) are open and browsing sites.
As another test, you could run:
"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag_64.exe" & echo %errorlevel%
The diag process should return 0 when all is well, i.e. the diag process is treated as a browser process and the traffic redirected to 127.0.0.2 and to the port that swi_fc.exe is listening on. If it returns 1, for example, then you know there is an issue. 0 suggests that the traffic is being redirected to swi_fc.exe and it returned a diagnostic message.
You could check the drivers/services:
sc.exe query swi_callout
This driver performs the WFP redirection. This should always be running.
sc.exe query swi_filter (The service that launches and manages the proxy process swi_fc.exe.)
sc.exe query swi_service (The service that performs the lookups to Sophos' SXL servers for categorisation.)
sc.exe query "Sophos Web Control Service" (For managing Web control policy.)
To prove that the proxy is running and obtain the PID of the process, you can run:
tasklist | find "swi_fc.exe"
You can then run:
netstat -ano | find "<PID>"
...this would show that it is listening on loopback. You can use Process Explorer for all of this if easier.
You can use:
To test the categorisation of sites.
Importantly, you must force it to be HTTP rather than HTTPS.
http://www.sophostest.com/phishing is detected by web protection, as an example, rather than web control. So it might be worth confirming whether web protection is working and it's just web control that isn't.
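The checks in the post above (driver, services, proxy process, loopback listener, and the swi_lspdiag_64.exe exit code) collected into one PowerShell script, as an added example that is not from the Sophos post or from Sophos itself. It assumes the service names and the swi_lspdiag_64.exe path exactly as given in the thread, that it is run in an elevated PowerShell on the Windows 10 endpoint, and that the proxy listener sits on a 127.x loopback address (the thread names 127.0.0.2); the output labels are my own.

```powershell
# Added troubleshooting script (not Sophos code). Summarises the state of the
# web control/protection components described in the thread.
# Assumptions: service names and diag path as quoted in the thread; run elevated.

$results = [ordered]@{}

# 1. WFP callout driver that performs the redirection. Kernel drivers are not
#    returned by Get-Service, so query Win32_SystemDriver instead.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='swi_callout'"
$results['swi_callout driver'] = if ($drv) { $drv.State } else { 'NOT FOUND' }

# 2. User-mode services named in the thread.
foreach ($svc in 'swi_filter', 'swi_service', 'Sophos Web Control Service') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $results["$svc service"] = if ($s) { $s.Status } else { 'NOT FOUND' }
}

# 3. Proxy process and its loopback listener (the netstat step from the thread).
$proxy = Get-Process -Name swi_fc -ErrorAction SilentlyContinue | Select-Object -First 1
if ($proxy) {
    $listen = Get-NetTCPConnection -OwningProcess $proxy.Id -State Listen -ErrorAction SilentlyContinue |
              Where-Object { $_.LocalAddress -like '127.*' }   # assumption: loopback listener
    $endpoints = ($listen | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
    if (-not $endpoints) { $endpoints = 'no loopback listener found' }
    $results['swi_fc.exe'] = "PID $($proxy.Id), listening on $endpoints"
} else {
    $results['swi_fc.exe'] = 'NOT RUNNING'
}

# 4. LSP diagnostic: exit code 0 means the diag process was treated as a browser
#    and its traffic was redirected to swi_fc.exe; 1 indicates a problem.
$diag = 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag_64.exe'
if (Test-Path -LiteralPath $diag) {
    $diagOutput = & $diag 2>&1
    $results['swi_lspdiag_64 exit code'] = $LASTEXITCODE
    $results['swi_lspdiag_64 output']    = ($diagOutput | Out-String).Trim()
} else {
    $results['swi_lspdiag_64 exit code'] = 'binary not found at expected path'
}

# Print a two-column summary; anything other than Running / 0 is worth a closer look.
$results.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }
```

If the driver and services are running, swi_fc.exe has a loopback listener, and the diag exits 0 but web control still does not block, the redirection path is healthy and the problem is more likely on the policy side, which matches the thread's suggestion to confirm web protection with the sophostest.com page before digging further.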
I removed all policies I created and went back to the base policies.
These seem to work.
Therefore, I modified the base policies according to my customer's needs. Web Control and scheduled scans are working as expected; I checked it using Sophos User 930's guidance.