This discussion has been locked.

Endpoint web categorisation failures, SSL errors on blocked sites

Hello!

Recently I've had to investigate how people have been bypassing XG and Endpoint filters. The XG was simple to fix; however, the Endpoint (Intercept X Advanced) has proven problematic.

The biggest offender is CroxyProxy, which runs a web-based proxy. The site itself is blocked; however, when you use it, it then generates URLs via other domains which are not categorised at all.

For example, Discord is blocked, but staff seem to use their home computers in the evenings to use CroxyProxy to generate the URL of https://msmedia.surf/?__cpo=aHR0cHM6Ly9kaXNjb3JkLmNvbQ and sometimes that link is replaced with random numbers with a .online TLD, or another .surf address.

As there are so many of them, it's just impossible to keep track of them and do manual blocks all the time.

Also, we don't get the blocked message on the endpoint; we only see the below.

Hmmm… can't reach this page
Check if there is a typo in msmedia.surf.
If spelling is correct, try running Windows Network Diagnostics.
DNS_PROBE_FINISHED_NXDOMAIN

Sometimes we receive:

domain.xyz sent an invalid response.

  • Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

For reference, XG filtering was fixed by blocking the category 'none' and 'parked domains' - something we don't get in endpoint filtering for protecting devices when working remotely.

Any ideas on fixing this for good?

Thanks
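
Added example, not part of the original posts or of any Sophos product: the `__cpo` value in the URL quoted above is unpadded base64url of the real destination (it decodes to `https://discord.com`), so web or proxy logs can be checked for it regardless of the front domain. The sketch goes beyond the single `__cpo` name and flags any query parameter that decodes to an http(s) URL; `BLOCKED_HOSTS`, the function names and every sample URL except the msmedia.surf one are constructed assumptions.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Assumption: hostnames the organisation's policy blocks (constructed list).
BLOCKED_HOSTS = {"discord.com"}

def decode_wrapped_url(value):
    """Return the URL hidden in a base64url value, or None if it is not one."""
    padded = value + "=" * (-len(value) % 4)   # restore stripped padding
    try:
        text = base64.urlsafe_b64decode(padded).decode("utf-8")
        parts = urlsplit(text)
    except ValueError:   # covers binascii.Error and UnicodeDecodeError
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return text
    return None

def inspect(url):
    """Return (front_host, param, real_url, blocked) for each wrapped URL."""
    parts = urlsplit(url)
    findings = []
    for name, values in parse_qs(parts.query).items():
        for value in values:
            real = decode_wrapped_url(value)
            if real is None:
                continue
            host = urlsplit(real).hostname
            blocked = any(host == b or host.endswith("." + b)
                          for b in BLOCKED_HOSTS)
            findings.append((parts.hostname, name, real, blocked))
    return findings

def wrap(front, real):
    """Build a constructed sample URL in the same shape as the one reported."""
    token = base64.urlsafe_b64encode(real.encode()).decode().rstrip("=")
    return f"https://{front}/?__cpo={token}"

if __name__ == "__main__":
    sample_log = [  # first URL is from the post; the rest are constructed
        "https://msmedia.surf/?__cpo=aHR0cHM6Ly9kaXNjb3JkLmNvbQ",
        wrap("front.example", "https://cdn.discord.com/app"),
        wrap("front.example", "https://news.example/today"),
        "https://intranet.example/search?q=report",
    ]
    for line in sample_log:
        for front, param, real, blocked in inspect(line):
            print(f"{front} {param} -> {real} blocked_by_policy={blocked}")
```

A hit is useful even when the decoded host is not on the block list, because a destination URL wrapped in a query parameter marks the front domain itself as a proxy.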



This thread was automatically locked due to age.
  • Hello Ian, 

    Thank you for reaching out to the Sophos Community. 

    I'd like to ask if you have specified the "Block" option for "Uncategorized" websites in the "Web Control" policy? 

    You may need to change the setting next to "Additional Security Options" in the Web Control Policy to allow you to change the settings for "Uncategorized" websites. 

    If you continue to face issues after making these changes, I recommend enrolling one of the devices in the current "Early Access Program" for endpoints titled "New Endpoint Protection Features". The EAP program includes some changes to Web Control which allow the endpoint to perform deeper inspection of web-traffic for better filtering. 

    Let me know what your findings are.

    Kushal Lakhan
    Team Lead, Global Community Support