This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Network Threat Detection is blocking Cypress automation tool

We run Cypress as our web automation tool and as of the past week or two Cypress has been crashing with the error message: Error: read ECONNRESET at TCP.onStreamRead (node:internal/stream_base_commons:211:20)

As I'm not in control of the Sophos Endpoint Agent I was able to get the IT team to give me the tamper password to test disabling the 'Network Threat Protection' once this was done Cypress was able to run the automated tests properly.

(Stack Overflow thread with others reporting issue)

Has something changed recently and is there someway that Sophos can fix this so I don't have to disable the network threat protection? If you need any info or help with this let me know.

Thanks

Adrian



This thread was automatically locked due to age.
Parents
  • Hi Adrian,

    I've also performed some testing on a W11 computer and I see the following:

    This is using Edge v100 as the browser.

    This appears to be the case, with the following features disabled of the NTP component:

    • Prevent malicious network traffic with packet inspection (IPS)
    • Detect malicious connections to command and control servers

    I.e. in the Threat Protection policy:

    I can disable HTTPS inspection and the issue still occurs and I confirm https_decrypt_enabled is set to 0 under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[REVISION]\web_protection

    as evidence the policy arrived.

    I can also make "website" type exclusions for the following addresses:

    localhost
    127.0.0.1
    cypress.io

    which end up in approved_site_patterns under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[REVISION]\web_protection

    The issue still occurs.

    In terms of the web protection features;

    ...and the Web Control feature are concerned, as long as one of these 3 are active and therefore as long as the SophosNetFilter.exe process is running, the issue persists:

    Only by disabling the following features:

    • Web Control (Web control policy)
    • Scan downloads in progress (Threat Protection policy)
    • Block access to malicious websites (Threat Protection policy)

    ...such that SophosNetFilter.exe terminates will the test run to completion without the error:

    Error: read ECONNRESET
    at TCP.onStreamRead (node:internal/stream_base_commons:211:20)
    {
    errno: -4077,
    code: 'ECONNRESET',
    syscall: 'read'
    }
    Error: read ECONNRESET
    at TCP.onStreamRead (node:internal/stream_base_commons:211:20)

    The following features of the NTP component can remain enabled without issue:

    Evidence of IPS being enabled is the process: "C:\Program Files\Sophos\Sophos Network Threat Protection\SophosIPS.exe" running.

    Note: If Electron v94 (as it is at the current time) is used (rather than Edge) there is no issue with the above 3 features being enabled as the test runs in a Cypress.exe process.  This is presumably not seen as a web browser by Sophos, based on the lack of logging in the log file when tailed during a test run:

    gc -Path 'C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SophosNetFilter.log' -wait -tail 1

    Does that align with other peoples experience?

    Thanks.

  • I tested an early release of 2022.1.1.3, with NTP version 1.16.2621.

    As long as the website exclusion 127.0.0.1 is added, Cypress now works for me without erroring with "ECONNRESET".

    For reference, I set up the threat protection policy which is linked to the device with a website exclusion:

    Such that it ends up in the reg value approved_site_patterns under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[revision]\web_protection\

    If I remove the exclusion if did fail as before.

    I understand that this version should be being made available soon.

  • how did you get early access? our only solution was to disable network threat protection for few time windows when theyre doing testing

Reply Children
  • 2021.3 is the release from last year, not all customers have been migrated to 2022.1.x it yet.  If you're not part of the inital accounts migrated I guess you don't have it yet.

    If you contact Support, they can take your tenant ID, which is on the support page in Sophos Central and requrest it is migrated.

    2022.1.1 is what you need for the 127.0.0.1 exclusion to work, 2022.1.0 will not, I believe 2022.1.1 is going to start rolling out tomorrow for those with access to 2022.1.0 already.