This discussion has been locked.

Sophos Network Threat Detection is blocking Cypress automation tool

We run Cypress as our web automation tool and, as of the past week or two, Cypress has been crashing with the error message: Error: read ECONNRESET at TCP.onStreamRead (node:internal/stream_base_commons:211:20)

As I'm not in control of the Sophos Endpoint Agent, I was able to get the IT team to give me the tamper password to test disabling the 'Network Threat Protection'. Once this was done, Cypress was able to run the automated tests properly.

(Stack Overflow thread with others reporting issue)

Has something changed recently, and is there some way that Sophos can fix this so I don't have to disable the network threat protection? If you need any info or help with this, let me know.

Thanks

Adrian



  • Hi Adrian,

    I've also performed some testing on a W11 computer and I see the following:

    This is using Edge v100 as the browser.

    This appears to be the case, with the following features disabled of the NTP component:

    • Prevent malicious network traffic with packet inspection (IPS)
    • Detect malicious connections to command and control servers

    I.e. in the Threat Protection policy:

    I can disable HTTPS inspection and the issue still occurs and I confirm https_decrypt_enabled is set to 0 under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[REVISION]\web_protection

    as evidence the policy arrived.

    I can also make "website" type exclusions for the following addresses:

    localhost
    127.0.0.1
    cypress.io

    which end up in approved_site_patterns under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[REVISION]\web_protection

    The issue still occurs.

    In terms of the web protection features;

    ...and the Web Control feature are concerned, as long as one of these 3 are active and therefore as long as the SophosNetFilter.exe process is running, the issue persists:

    Only by disabling the following features:

    • Web Control (Web control policy)
    • Scan downloads in progress (Threat Protection policy)
    • Block access to malicious websites (Threat Protection policy)

    ...such that SophosNetFilter.exe terminates will the test run to completion without the error:

    Error: read ECONNRESET
    at TCP.onStreamRead (node:internal/stream_base_commons:211:20)
    {
    errno: -4077,
    code: 'ECONNRESET',
    syscall: 'read'
    }
    Error: read ECONNRESET
    at TCP.onStreamRead (node:internal/stream_base_commons:211:20)

    The following features of the NTP component can remain enabled without issue:

    Evidence of IPS being enabled is the process: "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosIPS.exe" running.

    Note: If Electron v94 (as it is at the current time) is used (rather than Edge) there is no issue with the above 3 features being enabled as the test runs in a Cypress.exe process.  This is presumably not seen as a web browser by Sophos, based on the lack of logging in the log file when tailed during a test run:

    gc -Path 'C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SophosNetFilter.log' -wait -tail 1

    Does that align with other people's experience?

    Thanks.
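
The checks described in the reply above, gathered into one read-only PowerShell script (an added example, not part of the original posts and not Sophos tooling). It assumes `[REVISION]` is a subkey name that varies per machine and that both settings are stored as registry values; the function names are hypothetical.

```powershell
# Added example: collects the evidence the reply checks by hand. Read-only.
# Assumption: [REVISION] is a variable subkey name, so every subkey is enumerated.
$policyRoot = 'HKLM:\SOFTWARE\Sophos\Management\Policy\ThreatProtection'

function Get-WebProtectionPolicy {
    param([string]$Root = $policyRoot)
    if (-not (Test-Path -Path $Root)) { return }
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $wp = Join-Path -Path (Join-Path -Path $Root -ChildPath $_.PSChildName) -ChildPath 'web_protection'
        if (Test-Path -Path $wp) {
            $props = Get-ItemProperty -Path $wp
            [pscustomobject]@{
                Revision             = $_.PSChildName
                # 0 here is the reply's evidence that "HTTPS inspection off" arrived
                HttpsDecryptEnabled  = $props.https_decrypt_enabled
                # Assumption: stored as a value; stays empty if it is a subkey instead
                ApprovedSitePatterns = $props.approved_site_patterns
            }
        }
    }
}

function Get-SophosNetworkProcessState {
    # Process names as given in the reply (without the .exe suffix for Get-Process)
    foreach ($name in 'SophosNetFilter', 'SophosIPS') {
        $proc = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Process    = "$name.exe"
            Running    = ($proc.Count -gt 0)
            ProcessIds = ($proc | ForEach-Object { $_.Id }) -join ','
        }
    }
}

Get-WebProtectionPolicy | Format-List
Get-SophosNetworkProcessState | Format-Table -AutoSize
```

Run it before and after a policy change: per the reply, the test only completes once `SophosNetFilter.exe` is no longer running, while `SophosIPS.exe` can stay up.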

  • Hi,

    I'm not able to change these settings (need the IT team for that) but I can confirm that the tests run fine if I use the Electron browser, so that is one workaround.

    Thanks for looking into this.
