Sophos Intercept X Firewall being installed on one users pc as the firewall....

Hello

First of all, I'm completely new to Sophos, Second of all, i dont have access to the Sophos console. (New IT job, havent been given access yet)

my question is this though, we deploy Sophos

-core agent

-endpoint advanced

-sophos intecept x

on each machine here.

The firewall for each machine is controlled by windows Defender firewall.

Except for one user, who for some reason,  the firewall is managed by Sophos Intercept x. 

How do i get this one user back to be managed by windows defender?

I removed the software, it went back to windows defender, i then re-installed it,  and after a minute after the re-install , sophos intercept x took over the firewall...

any advice appreciated,

  • Hello,

    Thanks for reaching out to the Sophos Community Forum. 

    Could you share a screenshot of where you are seeing Sophos take over as the endpoint firewall? 

    From Sophos Central, there’s a policy "Windows Firewall" which will be set to "Monitor Only" by default. I recommend checking if this has been changed to specify "Monitor & Configure Network Profiles". 

    Kushal Lakhan
    Global Community Support Engineer
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • We are also seeing the same issue. In Central the setting shows 'Monitor Only' however our Windows 10 and 11 endpoints show this: 

  • Using the sample code from:
    msdn-code-gallery-microsoft/WscApiSample.cpp at master · microsoftarchive/msdn-code-gallery-microsoft · GitHub

    ...to "talk" to call into the Security Center:


    #include <stdio.h>
    #include <atlbase.h>
    #include <atlstr.h>
    #include <wscapi.h>
    #include <iwscapi.h>
    
    HRESULT
    GetSecurityProducts(
        _In_ WSC_SECURITY_PROVIDER provider
    )
    {
        HRESULT                         hr = S_OK;
        IWscProduct* PtrProduct = nullptr;
        IWSCProductList* PtrProductList = nullptr;
        BSTR                            PtrVal = nullptr;
        LONG                            ProductCount = 0;
        WSC_SECURITY_PRODUCT_STATE      ProductState;
        WSC_SECURITY_SIGNATURE_STATUS   ProductStatus;
    
        if (provider != WSC_SECURITY_PROVIDER_FIREWALL &&
            provider != WSC_SECURITY_PROVIDER_ANTIVIRUS &&
            provider != WSC_SECURITY_PROVIDER_ANTISPYWARE)
        {
            hr = E_INVALIDARG;
            goto exit;
        }
    
        //
        // Initialize can only be called once per instance, so you need to
        // CoCreateInstance for each security product type you want to query.
        //
        hr = CoCreateInstance(
            __uuidof(WSCProductList),
            NULL,
            CLSCTX_INPROC_SERVER,
            __uuidof(IWSCProductList),
            reinterpret_cast<LPVOID*> (&PtrProductList));
        if (FAILED(hr))
        {
            wprintf(L"CoCreateInstance returned error = 0x%d \n", hr);
            goto exit;
        }
    
        //
        // Initialize the product list with the type of security product you're 
        // interested in.
        //
        hr = PtrProductList->Initialize(provider);
        if (FAILED(hr))
        {
            wprintf(L"Initialize failed with error: 0x%d\n", hr);
            goto exit;
        }
    
        //
        // Get the number of security products of that type.
        //
        hr = PtrProductList->get_Count(&ProductCount);
        if (FAILED(hr))
        {
            wprintf(L"get_Count failed with error: 0x%d\n", hr);
            goto exit;
        }
    
        if (provider == WSC_SECURITY_PROVIDER_FIREWALL)
        {
            wprintf(L"\n\nFirewall Products:\n");
        }
        else if (provider == WSC_SECURITY_PROVIDER_ANTIVIRUS)
        {
            wprintf(L"\n\nAntivirus Products:\n");
        }
        else
        {
            wprintf(L"\n\nAntispyware Products:\n");
        }
    
        //
        // Loop over each product, querying the specific attributes.
        //
        for (LONG i = 0; i < ProductCount; i++)
        {
            //
            // Get the next security product
            //
            hr = PtrProductList->get_Item(i, &PtrProduct);
            if (FAILED(hr))
            {
                wprintf(L"get_Item failed with error: 0x%d\n", hr);
                goto exit;
            }
    
            //
            // Get the product name
            //
            hr = PtrProduct->get_ProductName(&PtrVal);
            if (FAILED(hr))
            {
                wprintf(L"get_ProductName failed with error: 0x%d\n", hr);
                goto exit;
            }
            wprintf(L"\nProduct name: %s\n", PtrVal);
            // Caller is responsible for freeing the string
            SysFreeString(PtrVal);
            PtrVal = nullptr;
    
            //
            // Get the product state
            //
            hr = PtrProduct->get_ProductState(&ProductState);
            if (FAILED(hr))
            {
                wprintf(L"get_ProductState failed with error: 0x%d\n", hr);
                goto exit;
            }
    
            if (ProductState == WSC_SECURITY_PRODUCT_STATE_ON)
            {
                wprintf(L"Product state ON\n");
            }
            else if (ProductState == WSC_SECURITY_PRODUCT_STATE_OFF)
            {
                wprintf(L"Product state OFF\n");
            }
            else if (ProductState == WSC_SECURITY_PRODUCT_STATE_SNOOZED)
            {
                wprintf(L"Product state SNOOZED\n");
            }
            else
            {
                wprintf(L"Product state EXPIRED\n");
            }
            
    
            //
            // Get the signature status (not applicable to firewall products)
            //
            if (provider != WSC_SECURITY_PROVIDER_FIREWALL)
            {
                hr = PtrProduct->get_SignatureStatus(&ProductStatus);
                if (FAILED(hr))
                {
                    wprintf(L"get_SignatureStatus failed with error: 0x%d\n", hr);
                    goto exit;
                }
                if (ProductStatus == WSC_SECURITY_PRODUCT_UP_TO_DATE)
                {
                    wprintf(L"Product status is up to date\n");
    
                }
                else
                {
                    wprintf(L"Product status is not up to date\n");
                }
    
            }
            //
            // Get the remediation path for the security product
            //
            hr = PtrProduct->get_RemediationPath(&PtrVal);
            if (FAILED(hr))
            {
                wprintf(L"get_RemediationPath failed with error: 0x%d\n", hr);
                goto exit;
            }
            wprintf(L"Product remediation path: %s\n", PtrVal);
            // Caller is responsible for freeing the string
            SysFreeString(PtrVal);
            PtrVal = nullptr;
    
            //
            // Get the product state timestamp (updated when product changes its 
            // state), and only applicable for AV products (NULL is returned for
            // AS and FW products)
            //
            if (provider == WSC_SECURITY_PROVIDER_ANTIVIRUS)
            {
                hr = PtrProduct->get_ProductStateTimestamp(&PtrVal);
                if (FAILED(hr))
                {
                    wprintf(L"get_ProductStateTimestamp failed with error: 0x%d\n", hr);
                    goto exit;
                }
                wprintf(L"Product state timestamp: %s\n", PtrVal);
                // Caller is responsible for freeing the string
                SysFreeString(PtrVal);
                PtrVal = nullptr;
            }
    
            PtrProduct->Release();
            PtrProduct = nullptr;
        }
    
    exit:
    
        if (nullptr != PtrVal)
        {
            SysFreeString(PtrVal);
        }
        if (nullptr != PtrProductList)
        {
            PtrProductList->Release();
        }
        if (nullptr != PtrProduct)
        {
            PtrProduct->Release();
        }
        return hr;
    }
    
    void PrintUsage()
    {
        wprintf(L"Usage: WscApiSample.exe [-av | -as | -fw]\n");
        wprintf(L"   av: Query Antivirus programs\n");
        wprintf(L"   as: Query Antispyware programs\n");
        wprintf(L"   fw: Query Firewall programs\n\n");
    }
    
    int
    __cdecl
    wmain(
        _In_              int     argc,
        _In_reads_(argc)  LPCWSTR argv[]
    )
    {
        int     ret = 0;
        HRESULT hr = S_OK;
        int     iProviderCount = 0;
        WSC_SECURITY_PROVIDER providers[3];
    
        if (argc < 2 || argc > 4)
        {
            PrintUsage();
            return -1;
        }
    
        //
        // Parse command line arguments
        //
        for (int i = 1; i < argc; i++)
        {
            if (_wcsnicmp(argv[i], L"-av", MAX_PATH) == 0)
            {
                providers[iProviderCount] = WSC_SECURITY_PROVIDER_ANTIVIRUS;
                iProviderCount++;
            }
            else if (_wcsnicmp(argv[i], L"-as", MAX_PATH) == 0)
            {
                providers[iProviderCount] = WSC_SECURITY_PROVIDER_ANTISPYWARE;
                iProviderCount++;
            }
            else if (_wcsnicmp(argv[i], L"-fw", MAX_PATH) == 0)
            {
                providers[iProviderCount] = WSC_SECURITY_PROVIDER_FIREWALL;
                iProviderCount++;
            }
            else
            {
                PrintUsage();
                return -1;
            }
        }
    
        CoInitializeEx(0, COINIT_APARTMENTTHREADED);
    
        for (int i = 0; i < iProviderCount; i++)
        {
            //
            // Query security products of the specified type (AV, AS, or FW)
            //
            hr = GetSecurityProducts(providers[i]);
            if (FAILED(hr))
            {
                ret = -1;
                break;
            }
        }
    
        CoUninitialize();
        return ret;
    }

    On my Win 11 computer I have:

    .\Testing.exe -fw
    Firewall Products:

    Product name: Sophos Intercept X
    Product state ON
    Product remediation path: C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe

    Product name: Windows Firewall
    Product state ON
    Product remediation path: %windir%\system32\firewall.cpl


    and using WMI from PS:

    PS C:\> Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct
    displayName : Sophos Intercept X
    instanceGuid : {CED48E50-06A2-04C7-9EBC-5D08015D8994}
    pathToSignedProductExe : C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe
    pathToSignedReportingExe : C:\Program Files\Sophos\Endpoint Defense\SEDService.exe
    productState : 266240
    timestamp : Thu, 19 May 2022 20:36:51 GMT

    In the Security Center, it shows:

    If I disable the Windows Firewall:

    Security Center shows:

    .\Testing.exe -fw
    Firewall Products:

    Product name: Sophos Intercept X
    Product state ON
    Product remediation path: C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe

    Product name: Windows Firewall
    Product state OFF
    Product remediation path: %windir%\system32\firewall.cpl

    PS:

    PS C:\> Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct
    displayName : Sophos Intercept X
    instanceGuid : {CED48E50-06A2-04C7-9EBC-5D08015D8994}
    pathToSignedProductExe : C:\Program Files\Sophos\Endpoint Defense\SEDcli.exe
    pathToSignedReportingExe : C:\Program Files\Sophos\Endpoint Defense\SEDService.exe
    productState : 266240
    timestamp : Thu, 19 May 2022 20:36:51 GMT

    So that all looks expected.  I guess the question is, why is defender disabled for you or suggesting it's not active due to other providers.

    Sophos is a provider but I seem to have both.  Is there a policy option for this to only allow one security provider?

    An export of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Fw might be interesting.