Add an exception for "Network Threat Protection"

Question

Hi guys, 
 on our Windows 10 clients we are using Sophos Intercept X Advanced, managed in Central. 
 We are having some problems when using a specific VPN client (ShrewSoft). After some testing we were able to figure out that "Network Threat Protection" is blocking the application. If we switch NTP off then everything is working fine. 
 I did quite some reasearch and googling but unfortunately couldn't figure out how to add an exception for an application in NTP. 
 Any help is appreciated! 
 Thanks in advance!

Sophos User930 · Accepted Answer

From a new architecture perspective - Service and Support (sophos.com) , as I mentioned, NTP provides many different layers of protection. 
 The service "SophosNTPService.exe", launches the child processes responsible for IPS and Web Protection and Control. 
 
 IPS is defined in the Threat Protection policy: 
 
 So if this policy option is disabled, the SophosIPS.exe process will not run. 
 SophosNetFilter.exe implements web protection and control, this is split between 2 of the policies: 
 
 Threat Protection

Downloads in progress is scanning the content before it hits the browser and malicious website blocking is making a SXL4 lookup to the cloud to check the site is "OK". SSPService.exe maintains the connection to the SXL4 servers for these lookups.

Web Control

This is more of a control than protection feature.

So if you disable these 3 options in the 2 policies, then the SophosNetFilter.exe process will not start. 
 There is also the download rep feature, as defined in the Threat Protection policy near to web protection: 
 
 This is the browser process (those that support iOfficeAntiVirus ) loading the DLL: 
 
 64-bit browser process: "C:\Program Files\Sophos\Sophos Network Threat Protection\IOAV\x64\sophosofficeav.dll" 
 32-bit browser process: "C:\Program Files\Sophos\Sophos Network Threat Protection\IOAV\x86\ sophosofficeav.dll" 
 
 This can show the user that the file isn't commonly downloaded/seen, hence the reputation. This isn't really an "active" component but the DLL is used on demand when the browser's download manager requests the scan. 
 As the top screenshot shows, the NTP service, also performs the heartbeat functionality. 
 NTP is also responsible for reporting network events into the behavioural engine 
 
 If I suspected an issue with NTP, I would start by disabling IPS and Web Protection and Control to end the SophosIPS.exe and SophosNetFIlter.exe processes and go from there.

Sophos User930 · Answer

It is worth mention, the NTP component has a few features. 
 
 IPS 
 Web Protection and Control (in the new endpoint version, i.e. the one without SAVService.exe which is part of SAV) 
 Heartbeat 
 C2 connection. 
 
 If you make a real-time scanning exclusion for say "C:	est	est.exe" in the Threat protection policy (or global exclusions), then this will be picked up by NTP. This process will not be checked for connections to command and control servers. You will see the entry in "C:\ProgramData\Sophos\Sophos Network Threat Protection\Config\Policy.xml" at the client. Does that help?

Add an exception for "Network Threat Protection"

Top Replies