Windows Defender Firewall gets disabled by Intercept X Advanced

Hello,

multiple customers got in touch with us because they are not able to configure the Windows Defender Firewall anymore. Windows shows that Intercept X Advanced is used as firewall instead. The configuration was not changed, the policy in Central is still set to "Monitor only". Our own clients show the same behaviour:

Anyone with the same problem? I can't exactly say when this change happened, but it has to be recently. Only clients show this behaviour, on servers everything is still fine.



Added TAGs
[edited by: Qoosh at 11:22 PM (GMT -7) on 1 Sep 2022]
  • Hi Dreamcatcher,

    I ran a quick check on a Windows 10 system and it seems to me that the information which is displayed in the Windows Security Center is incorrect.

    The checks I ran are:

    1. netsh advfirewall show currentprofile --> this one shows that the Windows Defender Firewall is active
    2. wf.msc --> here I modified the predefined outbound "Core Networking Diagnostics - ICMP ECHO Request (ICMPv4 Request)" rule so that it would block these. After activating the rule it blocked all ping requests as expected.

    Regards,
    Marcel
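
The two checks in the reply above can be scripted so that the state reported by Security Center is compared with the real firewall state. This PowerShell is an added example, not part of the original thread and not Sophos code; it assumes a Windows 10/11 client with the NetSecurity module and the `root/SecurityCenter2` WMI namespace, and it only reads state.

```powershell
# Added example (not from the thread). Read-only; run in PowerShell on a client.

# Real enforcement state of each Windows Defender Firewall profile.
$profiles = @(Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction)

# The Windows Defender Firewall service (MpsSvc) must be running for enforcement.
$service = Get-Service -Name MpsSvc

# Firewall products that have registered themselves with Security Center.
$registered = @()
try {
    $registered = @(Get-CimInstance -Namespace root/SecurityCenter2 `
        -ClassName FirewallProduct -ErrorAction Stop |
        Select-Object displayName, productState, pathToSignedProductExe)
} catch {
    Write-Warning "Could not query root/SecurityCenter2: $($_.Exception.Message)"
}

# All profiles enabled and the service running means Windows is still filtering.
$enabled = @($profiles | Where-Object { $_.Enabled -eq 'True' })
$allOn = ($service.Status -eq 'Running') -and
         ($profiles.Count -gt 0) -and
         ($enabled.Count -eq $profiles.Count)

$profiles   | Format-Table -AutoSize | Out-Host
$registered | Format-List            | Out-Host

if ($allOn -and $registered.Count -gt 0) {
    $names = $registered.displayName -join ', '
    Write-Output "Security Center lists '$names' as firewall provider, but every Windows Defender Firewall profile is enabled and MpsSvc is running."
} elseif ($allOn) {
    Write-Output "No third-party firewall is registered; Windows Defender Firewall is enabled on all profiles."
} else {
    Write-Output "At least one profile is disabled or MpsSvc is not running (service status: $($service.Status))."
}
```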

  • Hey,

    yeah, it seems like the firewall is still working, though to me it looks like a bug in Intercept X that the security center says it is disabled. On servers this behaviour is not present, meaning the security center shows the Defender firewall is active as it should be. Sophos support claims that this behaviour is by design; that seems pretty inconsistent to me.

  • We have to be careful when comparing servers to clients, especially when it comes to the behavior of the Security Center. This is also why we have to deactivate or uninstall Windows Defender on servers as described in the following KBA article: https://support.sophos.com/support/s/article/KB-000033429. On a client this is done automatically.

  • I recently began to have this issue as well. Out of nowhere I started to see this. I do have a ticket open with support. Same exact findings. I wish I had more to provide you as far as a resolution.

  • So this also happened to me. I logged a support case with Sophos and they said this is how it should be:

    Thank you for contacting Sophos Technical Support and for the update.

    Moving forward, it is normal to show Sophos Intercept X on it, as it has been detected by the OS as the active antivirus software installed. 

    They had asked to turn on and off certain parts of the protection to test.

    The strange thing is, why would Intercept X show up as the firewall protection?

    I then checked my home PC where I have Bitdefender installed. In actual fact it looks the same, but that has a firewall component; if I disable that, it goes back to Windows Defender on Windows.

    I wonder what happens if you remove the device from the Firewall Policy in Central. (Although this being only set to Monitor shouldn't change that.)

  • You cannot disable the Firewall policy as far as I can see, so all devices will at least use the enforced default policy which is set to "monitor only" by default. Sophos is claiming that this is by design and comes from Windows, but that's not the case with other vendors' products, as you already found out by yourself.