
Sophos Network Threat Detection is blocking Cypress automation tool

We run Cypress as our web automation tool, and as of the past week or two Cypress has been crashing with the error message: Error: read ECONNRESET at TCP.onStreamRead (node:internal/stream_base_commons:211:20)

As I'm not in control of the Sophos Endpoint Agent, I was able to get the IT team to give me the tamper password to test disabling the 'Network Threat Protection'. Once this was done, Cypress was able to run the automated tests properly.

(Stack Overflow thread with others reporting issue)

Has something changed recently, and is there some way that Sophos can fix this so I don't have to disable the network threat protection? If you need any info or help with this, let me know.

Thanks

Adrian



This thread was automatically locked due to age.
  • Hi Adrian,

    I've also performed some testing on a W11 computer and I see the following:

    This is using Edge v100 as the browser.

    This appears to be the case, with the following features disabled of the NTP component:

    • Prevent malicious network traffic with packet inspection (IPS)
    • Detect malicious connections to command and control servers

    I.e. in the Threat Protection policy:

    I can disable HTTPS inspection and the issue still occurs and I confirm https_decrypt_enabled is set to 0 under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[REVISION]\web_protection

    as evidence the policy arrived.

    I can also make "website" type exclusions for the following addresses:

    localhost
    127.0.0.1
    cypress.io

    which end up in approved_site_patterns under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[REVISION]\web_protection

    The issue still occurs.

    In terms of the web protection features;

    ...and the Web Control feature are concerned, as long as one of these 3 are active and therefore as long as the SophosNetFilter.exe process is running, the issue persists:

    Only by disabling the following features:

    • Web Control (Web control policy)
    • Scan downloads in progress (Threat Protection policy)
    • Block access to malicious websites (Threat Protection policy)

    ...such that SophosNetFilter.exe terminates will the test run to completion without the error:

    Error: read ECONNRESET
    at TCP.onStreamRead (node:internal/stream_base_commons:211:20)
    {
    errno: -4077,
    code: 'ECONNRESET',
    syscall: 'read'
    }
    Error: read ECONNRESET
    at TCP.onStreamRead (node:internal/stream_base_commons:211:20)

    The following features of the NTP component can remain enabled without issue:

    Evidence of IPS being enabled is the process: "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosIPS.exe" running.

    Note: If Electron v94 (as it is at the current time) is used (rather than Edge) there is no issue with the above 3 features being enabled as the test runs in a Cypress.exe process.  This is presumably not seen as a web browser by Sophos, based on the lack of logging in the log file when tailed during a test run:

    gc -Path 'C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SophosNetFilter.log' -wait -tail 1

    Does that align with other people's experience?

    Thanks.
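
The checks described in the reply above, collected into one PowerShell snapshot that can be taken before and after a policy change. This is an added example, not part of the original reply and not Sophos tooling. The registry path, value names and process names come from the reply; treating [REVISION] as one or more subkeys to enumerate is an assumption, and the function names are hypothetical.

```powershell
# Added example: records which web protection policy arrived and which
# Network Threat Protection processes are running on this endpoint.
$PolicyRoot = 'HKLM:\SOFTWARE\Sophos\Management\Policy\ThreatProtection'

function Get-SophosWebProtectionPolicy {
    param([string]$Root = $PolicyRoot)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    # Assumption: [REVISION] in the reply stands for a subkey name,
    # so every subkey that has a web_protection key is reported.
    foreach ($rev in Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue) {
        $wp = Join-Path -Path $Root -ChildPath "$($rev.PSChildName)\web_protection"
        if (-not (Test-Path -LiteralPath $wp)) { continue }
        $props = Get-ItemProperty -LiteralPath $wp
        [pscustomobject]@{
            Revision             = $rev.PSChildName
            HttpsDecryptEnabled  = $props.https_decrypt_enabled   # 0 = HTTPS inspection off
            ApprovedSitePatterns = @($props.approved_site_patterns) -join ', '
        }
    }
}

function Get-SophosNtpProcessState {
    # Process names as given in the reply: SophosNetFilter.exe and SophosIPS.exe.
    foreach ($name in 'SophosNetFilter', 'SophosIPS') {
        $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Process   = "$name.exe"
            Running   = ($procs.Count -gt 0)
            ProcessId = ($procs.Id -join ', ')
        }
    }
}

# Print both views with a timestamp so two snapshots can be compared.
"Snapshot taken $(Get-Date -Format o)"
Get-SophosWebProtectionPolicy | Format-Table -AutoSize
Get-SophosNtpProcessState     | Format-Table -AutoSize
```

Comparing a snapshot taken while the ECONNRESET error occurs with one taken after the policy change shows whether the new policy has reached the endpoint and whether SophosNetFilter.exe is still running.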

  • This seems like a bad solution to disable so many security restraints just to be able to run Cypress. All of my tests have started failing as of recently, which has led me to this forum. We normally develop our tests based on using Chrome, but it looks like now I will have to use Electron until this is fixed/reverted back to how it was previously.

    Is there any ETA on a fix for this issue?

  • I too have a similar issue. My developers are using Cypress for automation testing and Sophos causes an error. What is the status on a resolution, or exclusion?

  • We too have recently been experiencing this issue. Seemingly it came out of nowhere in the last few days. Please look into a solution soon.

  • It is my understanding that the next version of the endpoint agent has better IP exclusions for the web protection/control feature.  I'm hoping when that is released mid May that those can be used.  I will test it if I see the new version pop up on my computer and report back.
