Sophos Intercept X (Endpoint), Sophos XG and iBoss Web Filtering

Tom,

We are experiencing similar issues, but we use the FortiClient VPN client.  It seems to have started mid-week last week.  Other things have also been affected, though, including:

Getting "Failed - Network error" when attempting to download large files from SharePoint Online/OneDrive (also accompanied by "Windows Defender SmartScreen is downloading from OneDrive" notification in Windows.

Getting errors when trying to open synced files in a user's OneDrive.  One of the errors we've seen is "The cloud operation was not completed before the time-out period expired."

Getting a "Security Certificate was revoked" for outlook.office365.com message when opening Outlook

All these issues seem to be temporarily resolved by stopping the IBSA service, but only occur if Sophos is installed and updated.  The versions we have observed are:

IBSA Version: 5.3.120
Sophos Core Agent: 2022.2.1.9
Sophos Intercept X: 2022.1.1.11
Sophos Endpoint Protection: 10.8.11.4
Sophos Device Encryption: 2022.1.0.58
Sophos XDR: 2022.2.1.9

Thank you Ian, this is very interesting. Have Sophos and/or iBoss been able to identify any root cause or provide guidance for further investigation?

I am awaiting contact from our Sophos Technical Account Manager to clarify the (unverified) claim from iBoss that there is a ‘known issue’ between the two software. 

Not yet.  I just now put in the ticket, because we've only just narrowed the issue down to Sophos (a machine running ONLY iBoss functions correctly).  I did run across this similar known issue that made me suspect Sophos in the first place, however:  support.sophos.com/.../KB-000044388

That’s an interesting find, thanks for sharing. If you wouldn’t mind could you please update the thread with any breakthroughs from Sophos support and I’ll do likewise. 

For sure!  We just got this from our ticket with iBoss:

"Thank you for contacting iboss support. At this time our solution is to place the ibsa (iboss Windows connector service name) onto the Sophos global exclusion list. Additionally we  recommend bypassing your iboss cloud gateway public IP addresses in Sophos as well. The devices will most likely need to be restarted for them to pull the latest update(s) from Sophos. Please let us know if you have any questions or concerns."

So far, it doesn't seem like iBoss's recommendations have fixed it for us.

The IP addresses you will need to add will be different for each iBoss deployment. You can find the IP addresses for the iBoss cloud nodes in your environment by reaching out to iBoss. 

To add exclusions to Sophos for these IPs you'll need to add these under "Global Exclusions > Website (Windows/Mac)". You can also add exclusions in a Threat Protection Policy.

We have added all the cloud node IP addresses listed in our iBoss cloud account under Node Collection Management, but that doesn't seem to have made a difference.

Ian, I've had confirmation from our Technical Account Manager that there is a known issue between iBoss and Sophos. Sophos' development team are currently working on a resolution, but there are apparently two workarounds available. One has been shared higher in this chain, the other I am waiting on details for. As soon as I have these I'll share them with you.

Yes, they escalated our case to the development team.  The only things I've found that have solved the issues so far, though, are uninstalling Sophos (disabling services doesn't seem to do anything), or stopping the IBSA service.  I've temporarily deployed a script to all our machines disabling the IBSA service and scheduling a task to set it back to Automatic in two weeks while we wait for a resolution from Sophos.