Sophos Network Threat Detection is blocking Cypress automation tool

We run Cypress as our web automation tool and as of the past week or two Cypress has been crashing with the error message: Error: read ECONNRESET at TCP.onStreamRead (node:internal/stream_base_commons:211:20)

As I'm not in control of the Sophos Endpoint Agent, I was able to get the IT team to give me the tamper password to test disabling 'Network Threat Protection'. Once this was done, Cypress was able to run the automated tests properly.

(Stack Overflow thread with others reporting issue)

Has something changed recently, and is there some way that Sophos can fix this so I don't have to disable the network threat protection? If you need any info or help with this, let me know.

Thanks

Adrian

  • Hi Adrian,

    Thanks for reaching out to the Sophos Community Forum.

    Based on the information discussed in the thread you linked, the URL that Cypress is reaching out to is "api.cypress.io". I suggest adding this URL to the exclusions list for "Decrypt HTTPS websites using SSL/TLS".

    The post you linked also mentions the traffic going out over port 443 which leads me to believe this is the culprit.

    Edit: Progress/updates on this issue can be found in the following KBA. I suggest opening a case with Sophos Support so our teams are aware of the number of impacted customers, and so that additional logs can be gathered to aid our investigation into this issue. 
    support.sophos.com/.../KB-000044041

    Kushal Lakhan
    Global Community Support Engineer
  • Hi Adrian,

    I've also performed some testing on a W11 computer and I see the following:

    This is using Edge v100 as the browser.

    This appears to be the case, with the following features disabled of the NTP component:

    • Prevent malicious network traffic with packet inspection (IPS)
    • Detect malicious connections to command and control servers

    I.e. in the Threat Protection policy:

    I can disable HTTPS inspection and the issue still occurs and I confirm https_decrypt_enabled is set to 0 under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[REVISION]\web_protection

    as evidence the policy arrived.

    I can also make "website" type exclusions for the following addresses:

    localhost
    127.0.0.1
    cypress.io

    which end up in approved_site_patterns under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[REVISION]\web_protection

    The issue still occurs.

    In terms of the web protection features;

    ...and the Web Control feature are concerned, as long as one of these 3 are active and therefore as long as the SophosNetFilter.exe process is running, the issue persists:

    Only by disabling the following features:

    • Web Control (Web control policy)
    • Scan downloads in progress (Threat Protection policy)
    • Block access to malicious websites (Threat Protection policy)

    ...such that SophosNetFilter.exe terminates will the test run to completion without the error:

    Error: read ECONNRESET
    at TCP.onStreamRead (node:internal/stream_base_commons:211:20)
    {
    errno: -4077,
    code: 'ECONNRESET',
    syscall: 'read'
    }
    Error: read ECONNRESET
    at TCP.onStreamRead (node:internal/stream_base_commons:211:20)

    The following features of the NTP component can remain enabled without issue:

    Evidence of IPS being enabled is the process: "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosIPS.exe" running.

    Note: If Electron v94 (as it is at the current time) is used (rather than Edge) there is no issue with the above 3 features being enabled as the test runs in a Cypress.exe process.  This is presumably not seen as a web browser by Sophos, based on the lack of logging in the log file when tailed during a test run:

    gc -Path 'C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SophosNetFilter.log' -wait -tail 1

    Does that align with other people's experience?

    Thanks.
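
Added example (not part of the original post and not Sophos tooling): a read-only PowerShell snapshot of the evidence the post above gathers by hand, namely the web_protection policy values under each revision key and whether SophosNetFilter.exe and SophosIPS.exe are running. It assumes https_decrypt_enabled and approved_site_patterns are registry values directly under web_protection; the function names are hypothetical.

```powershell
# Added example: read-only checks; nothing here changes Sophos settings.
# Assumption: both names read below are registry *values* under web_protection.
$PolicyRoot = 'HKLM:\SOFTWARE\Sophos\Management\Policy\ThreatProtection'

function Get-WebProtectionPolicy {          # hypothetical helper name
    param([string]$Root = $PolicyRoot)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    # The post writes the revision subkey as [REVISION]; enumerate them all.
    foreach ($rev in Get-ChildItem -LiteralPath $Root) {
        $wpPath = "$Root\$($rev.PSChildName)\web_protection"
        if (-not (Test-Path -LiteralPath $wpPath)) { continue }
        $wp = Get-ItemProperty -LiteralPath $wpPath
        [pscustomobject]@{
            Revision             = $rev.PSChildName
            HttpsDecryptEnabled  = $wp.https_decrypt_enabled
            ApprovedSitePatterns = @($wp.approved_site_patterns) -join ', '
        }
    }
}

function Get-SophosNetProcessState {        # hypothetical helper name
    foreach ($name in 'SophosNetFilter', 'SophosIPS') {
        $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Process = "$name.exe"
            Running = $procs.Count -gt 0
            Pids    = ($procs | ForEach-Object Id) -join ', '
        }
    }
}

$policy = @(Get-WebProtectionPolicy)
$state  = @(Get-SophosNetProcessState)
$policy | Format-Table -AutoSize
$state  | Format-Table -AutoSize

# Per the post, the Edge run fails whenever SophosNetFilter.exe is running,
# regardless of https_decrypt_enabled or the approved site patterns.
$netFilter = $state | Where-Object Process -eq 'SophosNetFilter.exe'
if ($netFilter.Running) {
    'SophosNetFilter.exe is running: the state in which the post saw ECONNRESET.'
} else {
    'SophosNetFilter.exe is not running: the state in which the post saw the test complete.'
}
```

Capturing this output before and after a policy change gives support a record of which revision the endpoint actually applied.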

  • Hi,

    I'm not able to change these settings (need the IT team for that) but I can confirm that the tests run fine if I use the Electron browser, so that is one workaround.

    Thanks for looking into this.

  • Hi Kushal,

    Thanks for replying. I found a section in the Cypress documentation that gives a list of URLs to allow when using a VPN. Although I'm not using a VPN, I've asked our IT team to add these URLs to the exclusions list and will report back once it's been done and I've tested it.

    Thanks

  • So have waited over the weekend to ensure the policy has updated and can confirm that even adding the URLs to the exclusion list still blocks Cypress from running.

    Is there anything else I can try?

  • This seems like a bad solution to disable so many security restraints just to be able to run Cypress. All of my tests have started failing as of recently, which has led me to this forum. We normally develop our tests based on using Chrome, but it looks like now I will have to use Electron until this is fixed/reverted back to how it was previously.

    Is there any ETA on a fix for this issue?

  • I too have a similar issue. My developers are using Cypress for automation testing and Sophos causes an error. What is the status on a resolution, or exclusion?

  • We too have recently been experiencing this issue. Seemingly it came out of nowhere in the last few days. Please look into a solution soon.

  • Hi, I've also encountered this error while using Cypress. Is there any progress with solving that issue?

    Thank you

  • It is my understanding that the next version of the endpoint agent has better IP exclusions for the web protection/control feature.  I'm hoping when that is released mid May that those can be used.  I will test it if I see the new version pop up on my computer and report back.