Recently I've had to investigate how people have been bypassing XG and Endpoint filters. The XG was simple to fix; however, the Endpoint (Intercept X Advanced) has proven problematic.
The biggest offender is CroxyProxy, which runs a web-based proxy. The site itself is blocked; however, when you use it, it then generates URLs via other domains which are not categorised at all.
For example, discord is blocked but staff seem to use their home computers in the evenings to use CroxyProxy to generate the URL of https://msmedia.surf/?__cpo=aHR0cHM6Ly9kaXNjb3JkLmNvbQ and sometimes that link is replaced with random numbers with a .online TLD, or another .surf address.
As there are so many of them, it's just impossible to keep track of and do manual blocks all the time.
Also we don't get the blocked message on the endpoint, we only see the below.
Hmmm… can't reach this page
Check if there is a typo in msmedia.surf. If spelling is correct, try running Windows Network Diagnostics.
DNS_PROBE_FINISHED_NXDOMAIN
Sometimes we receive
domain.xyz sent an invalid response.
For reference, XG filtering was fixed by blocking the categories 'none' and 'parked domains', something we don't get in endpoint filtering for protecting devices when working remotely.
Any ideas on fixing this for good?
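As an added example (not code from the thread or from Sophos), here is a small Python log-review script that pulls the real destination out of the `__cpo` parameter seen in these proxy URLs and tallies the front-end domains that served them, so new ones can be added to a block list. It assumes the parameter is URL-safe base64 of the destination URL (the thread's own example decodes to https://discord.com) and uses a constructed "<time> <user> <url>" log format.

```python
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample web log (not from the original thread): "<time> <user> <url>" per line.
SAMPLE_LOG = """\
2024-01-10T19:02:11 staff01 https://msmedia.surf/?__cpo=aHR0cHM6Ly9kaXNjb3JkLmNvbQ
2024-01-10T19:05:42 staff01 https://intranet.example.com/home
2024-01-10T19:07:03 staff02 https://48217.online/?__cpo=aHR0cHM6Ly9leGFtcGxlLm9yZy8
2024-01-10T19:09:55 staff03 https://other.surf/?__cpo=not*valid*base64
"""

_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")  # URL-safe base64 alphabet, padding stripped

def decode_cpo(value: str) -> Optional[str]:
    """Decode a __cpo value as URL-safe base64 (assumed encoding) with '=' padding restored.
    Returns None when the value is not valid base64 or not UTF-8."""
    if not _B64URL.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_log(text: str) -> List[Dict[str, Optional[str]]]:
    """One record per request carrying a __cpo parameter: who, which front-end host,
    and the decoded destination (None if the parameter could not be decoded)."""
    hits: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # skip malformed lines rather than abort the whole review
        ts, user, url = fields
        parts = urlsplit(url)
        cpo = parse_qs(parts.query).get("__cpo")
        if not cpo:
            continue
        hits.append({"time": ts, "user": user, "front": parts.hostname,
                     "destination": decode_cpo(cpo[0])})
    return hits

def front_domains(hits: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count the proxy front-end hosts seen, i.e. the domains that still need blocking."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["front"] or "?"] = counts.get(h["front"] or "?", 0) + 1
    return counts

if __name__ == "__main__":
    found = analyse_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["user"]} via {h["front"]} -> {h["destination"] or "<undecodable __cpo>"}')
    print("front-end hosts seen:", front_domains(found))
```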
The most up-to-date information on EAP releases and updates can be found on the following forum page: Intercept X Endpoint > Early Access Programs > Endpoint EAP > Announcements
Thank you for reaching out to the Sophos Community.
I'd like to ask if you have specified the "Block" option for "Uncategorized" websites in the "Web Control" policy?
You may need to change the setting next to "Additional Security Options" in the Web Control Policy to allow you to change the settings for "Uncategorized" websites.
If you continue to face issues after making these changes, I recommend enrolling one of the devices in the current "Early Access Program" for endpoints titled "New Endpoint Protection Features". The EAP program includes some changes to Web Control which allow the endpoint to perform deeper inspection of web traffic for better filtering.
Let me know what your findings are.
Yes, I have done so and I believe it has helped; however, some of these sites were classed as 'Business' and allowed, so I still had to check each one and put a block on them.
Is there any extra information on the EAP you speak of?
Here you will find announcements from our Product team to keep customers informed of the latest additions to Sophos Antivirus.
The announcement that will be most relevant to you is "SSL/TLS decryption of HTTPS websites".
Thanks very much, I'm testing out the EAP SSL decryption features myself before looking to roll it out.
Thanks very much