Firefox (especially Gmail) cannot complete some requests: no responses are returned (zero bytes), assume that because of Endpoint Agent

It is almost impossible to use Gmail (mail.google.com) in Firefox. There are no problems in Chrome on the same machine.

In the browser developer console / Network tab I see that some requests are without responses (zero-byte responses). Some have SSL_ERROR_BAD_MAC_ALERT.

The GMail app constantly shows a yellow warning: "Ups... the system encountered a problem. Retrying in ...". The "Retry now" link doesn't help.

Similar errors discussed recently: https://community.sophos.com/sophos-central/f/discussions/133650/ssl_error_bad_mac_alert-pr_end_of_file_error



This thread was automatically locked due to age.
  • Restarting the browser helps. But the problem could reappear in just 5 minutes!

  • Is this Windows?

    I assume this behaviour has to be related to web protection and control, is that the case? 

    If it's Windows, do you have a process called SophosNetFilter.exe?  If so, you are using "modern web" and the new endpoint architecture which is capable of HTTP decryption.

    The question then is, do you have HTTP decryption enabled?  At the client you can check in the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[revision]\web_protection

    https_decrypt_enabled = 1 or 0

    To rule out Web Protection and Control, you can disable web protection and control by disabling in the Threat Protection policy:

    and if you have Web Control enabled in the Web Control policy you can disable that. Once the policy arrives at the client, the SophosNetFilter.exe process will terminate.
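The client-side checks from the reply above, as an added PowerShell example that is not part of the original thread and not Sophos-supplied code. It assumes the `[revision]` placeholder corresponds to one or more subkeys under `ThreatProtection`, and that `web_filtering_enabled` and `web_scanning_enabled` (mentioned in a later reply) sit in the same `web_protection` key as `https_decrypt_enabled`.

```powershell
# Added example: read-only check of the settings discussed in this thread.
# Run in a PowerShell session on the affected Windows client.

$base  = 'HKLM:\SOFTWARE\Sophos\Management\Policy\ThreatProtection'
# Value names taken from the thread; their location in one key is an assumption.
$names = 'https_decrypt_enabled', 'web_filtering_enabled', 'web_scanning_enabled'

# 1. Is the "modern web" filter process present?
$proc = Get-Process -Name 'SophosNetFilter' -ErrorAction SilentlyContinue
'SophosNetFilter.exe running: {0}' -f [bool]$proc

# 2. Walk every policy revision subkey and report the web_protection values.
if (-not (Test-Path $base)) {
    Write-Warning "Policy key not found: $base"
    return
}

Get-ChildItem -Path $base | ForEach-Object {
    $wp = Join-Path $_.PSPath 'web_protection'
    if (Test-Path $wp) {
        $props = Get-ItemProperty -Path $wp
        $row = [ordered]@{ Revision = $_.PSChildName }
        foreach ($n in $names) {
            # Report a missing value explicitly instead of showing it as empty.
            $row[$n] = if ($props.PSObject.Properties.Name -contains $n) {
                $props.$n
            } else {
                '(not present)'
            }
        }
        [pscustomobject]$row
    }
} | Format-Table -AutoSize
```

Running it before and after the policy change shows whether the new setting has actually reached the client, since `SophosNetFilter.exe` is expected to terminate once web protection and web control are both disabled.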

  • I see process SophosNetFilter.exe.

    In c:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SophosNetFilter.log I see lots of HTTPS URLs. This means Sophos decrypts secure connections from the browser...

    https_decrypt_enabled is 1.

    I see 2 other options that might correspond to the mentioned UI elements: web_filtering_enabled & web_scanning_enabled

    I'm not sure if my admin will be happy with disabling: from the documentation it is about restricting access to Leisure/Social sites.

    Neither I nor my admin can confirm that Sophos is the culprit of the broken GMail: we cannot find traces that it is exactly Sophos that blocks access to some of Google's URLs...

    Google Translate is in the list of forbidden sites, so probably there are some policies that affect some of Google's offerings. The documentation refers to so-called "web site categories" - some category could damage the Corporate GMail offer.

    If Chrome works fine, that means the Sophos agent trusts that browser and doesn't interfere with its operation... It is a pity that only Firefox suffers...

  • As a test, I would ask the Sophos admin to create a new Threat Protection policy and link it to either your computer or user.  In that policy disable decryption:

    https_decrypt_enabled will get set to 0.  Do you see the same issue?  At least you'll know this feature is of interest.

    It is worth mentioning that in the global settings, the default is:

    I.e. Web-based email category websites aren't decrypted by default but it could be a resource from a domain that isn't classified as such?

    In any case, ruling decryption in/out as the issue is probably the first test.

  • Thx! We will try it in the meantime.

    Just now I found a Sophos certificate in the Firefox developer console / Network Tab. It is on some failed requests but not all: the majority of requests have Google's certificates. So Sophos intercepts only part of the requests. That could explain why the problem is volatile, not permanent.
