Web-Control Policy does not work

Hi Community,

I have just finished migrating clients from Sophos on-premise management to Sophos Central; the license we use is Intercept X Advanced.

According to Sophos Central the Web-Control Policy I created is used for our domain users. However, the blocking just does not work.

Users are able to access, in this case, adult websites without any hindrance.

There is no logging in Sophos Central about users accessing these websites although according to the policy those sites should be blocked and a log entry be made.

In Sophos Central and in the Sophos Agent on the respective clients everything lights up green.

I am starting to suspect that maybe other policies might not be working either.

Where do I begin troubleshooting?

Regards

Tobias

  • I'll assume you are on Windows 10. 

    With the current implementation of web control/protection at the client, which is soon to be replaced in the coming months, the traffic should be redirected from the browser processes, e.g. Chrome.exe, Firefox.exe, msedge.exe to the swi_fc.exe process over loopback.  Swi_fc.exe then makes the outbound connection. This redirection allows the Sophos component to see the requests and make decisions.

    Process Explorer, looking at the TCP/IP tab of swi_fc.exe, would be one way to see that swi_fc.exe is busy proxying traffic when the browser process(es) are open and browsing sites.

    As another test, you could run:

    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag_64.exe" & echo %errorlevel%

    The diag process should return 0 when all is well, i.e. the diag process is treated as a browser process and the traffic redirected to 127.0.0.2 and to the port that swi_fc.exe is listening on. If it returns 1 for example, then you know there is an issue. 0 suggests that the traffic is being redirected to swi_fc.exe and it returned a diagnostic message.

    You could check the drivers/services:

    sc.exe query swi_callout

    This driver performs the WFP redirection. This should always be running.

    sc.exe query swi_filter        (The service that launches and manages the proxy process swi_fc.exe.)
    sc.exe query swi_service   (The service that performs the lookups to Sophos' SXL servers for categorisation.) 
    sc.exe query "Sophos Web Control Service"    (For managing Web control policy)

    tasklist | find "swi_fc.exe"

    To prove that the proxy is running and obtain the PID of the process, you can then run:

    netstat -ano | find "<PID>"

    ...this would show that it is listening on loopback.  You can use Process Explorer for all of this if easier.

    You can use:

    http://www.sophostest.com

    To test the categorisation of sites.

    Importantly, you must force it to be HTTP rather than HTTPS.

    http://www.sophostest.com/phishing is detected by web protection, as an example, rather than web control.  So it might be worth confirming if web protection is working and it's just web control that isn't working.
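The checks in the reply above, gathered into one PowerShell pass so the same evidence can be collected from several clients and compared. This is an added example, not Sophos tooling or code from the reply; it assumes the default Intercept X install path quoted above, an elevated PowerShell prompt, and the built-in NetTCPIP module (Get-NetTCPConnection) for the loopback-listener check in place of netstat. The function names (Test-SophosServiceRunning, Get-SwiFcListener, Test-SwiLspDiag) are my own.

```powershell
# Added diagnostic script (not Sophos' own tooling). Runs the checks from the
# reply above in one pass and prints a summary. Assumes the default install
# path quoted in the reply and an elevated PowerShell session.

$DiagExe = 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag_64.exe'

function Test-SophosServiceRunning {
    param([string]$Name)
    # sc.exe reports both the kernel driver (swi_callout) and the Win32
    # services; Get-Service does not list drivers, so parse sc.exe output
    # for the STATE line that reports RUNNING.
    $out = & sc.exe query $Name 2>&1
    return [bool]($out -match 'STATE\s*:\s*4\s+RUNNING')
}

function Get-SwiFcListener {
    # Returns the loopback endpoints swi_fc.exe is listening on, or $null
    # if the proxy process is not running at all.
    $proc = Get-Process -Name swi_fc -ErrorAction SilentlyContinue
    if (-not $proc) { return $null }
    Get-NetTCPConnection -OwningProcess $proc.Id -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -like '127.*' } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Test-SwiLspDiag {
    # Runs the diag binary named in the reply: exit code 0 means the traffic
    # was redirected to swi_fc.exe; anything else points at a redirection issue.
    if (-not (Test-Path $DiagExe)) { return 'diag binary not found at expected path' }
    & $DiagExe | Out-Null
    return $LASTEXITCODE
}

# Collect every result, then print them as one table-like summary.
$results = [ordered]@{}
foreach ($svc in 'swi_callout', 'swi_filter', 'swi_service', 'Sophos Web Control Service') {
    $results[$svc] = Test-SophosServiceRunning -Name $svc
}
$results['swi_lspdiag_64 exit code'] = Test-SwiLspDiag
$listener = Get-SwiFcListener
$results['swi_fc.exe listening on loopback'] = [bool]$listener

$results.GetEnumerator() | ForEach-Object { '{0,-36} {1}' -f $_.Key, $_.Value }
if ($listener) { $listener | Format-Table -AutoSize }
```

If swi_callout shows as not running or the diag exit code is non-zero, the problem is in the redirection path on the client rather than in the Central policy; if everything here passes but categorisation still fails, the reply's www.sophostest.com check (over plain HTTP) is the next step to separate a web-protection fault from a web-control one.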
