We installed Sophos Intercept X on 75 computers on one client. Customer complains that internet browsing has been slow since then and downloads take a long time.
The issue is resolved when the "Protection against Network Threats" function is disabled, directly in Endpoint, I attach an image that shows this.
Has anyone here gone through this? Well, honestly, this is new to me and not even Sophos support here in Brazil knows exactly how to handle this.
I suspect it's not the option you mention specifically that needs to be disabled. That is disabling more than you need.
Network Threat Protection (NTP), sometimes referenced as MTD, is the component that protects the browsers from connecting to malicious sites and implements web control if enabled in policy (not enabled by default).
The component also prevents non browser processes from connecting to know malicious addresses, e.g. C2 servers and provides network connection information to the behavioural engine, download reputation for files downloaded via a browser process and also IPS. It does many things!
So to visualise it:
Web Protection has 2 sub components in the Threat Protection policy:
Then there is web control, enabled/disabled in the Web Control policy.
Both Web Protection features and Web Control are implemented by the process SophosNetFilter.exe which is a child process of the Sophos Network Threat Protection service.
When you disable the option you checked it pretty much disables all of the above, it will certainly stop the SophosNetFilter.exe process and why I believe it helps.
On top of the above, there is the inspection option:
This is if SophosNetFilter.exe should decrypt web traffic from browsers to perform inspection. This is not enabled by default.
So I would suggest:
1. Try disabling SSL/TLS inspection if enabled. Does that speed things up?
2. If not, try disabling Web Control, Scan downloads in progress and Block access to malicious websites. This will stop the SophosNetFilter.exe process, I suspect it's fine then. Do leave the other features enabled though.
If all is well with just the following NTP features disabled:- Web Control- Block access to malicious websites- Scan downloads in progress
I.e SophosNetFilter.exe is not running. I would then just enabled "Scan Downloads in progress" feature.
The SophosNetFilter.exe process will start back up with just this one feature enabled. Traffic from browser processes will be considered but this will not perform lookups, just scanning, but of course, only when SSL/TLS inspection is enabled for HTTPS but would scan content for HTTP.
If it's all OK with SophosNetFilter.exe running just performing the "Scan downloads in progress", this would hint at the delay being caused by the time it takes to perform a lookup to 4.sophosxl.net to classify sites as they are accessed when the other 2 features are enabled as they rely on lookups.
Can we make this distinction?
I just made these adjustments, I disabled the mentioned features.
Tomorrow we will observe the behavior of computers. I would not like to leave all these features disabled, although the network has a Sophos Firewall XGS 3300 on the edge, I understand that keeping the Intercept X with all the features on, strengthens protection.
The curious thing is that we don't have this problem in other companies, only in the one we are dealing with specifically, it is a high school.
I came to suspect that it could be some component of the operating system, Windows 10, conflicting with the Intercept X, mainly due to the fact that many crackers activators of Windows and Office have been deleted by the AV, perhaps these activators have changed the structure of the OS.
Let's wait until tomorrow and see how the computers behave, with these Web Control and MDT features being disabled.
The only other thing, as you mention it's a school, does it have any cloud based web scanning. I wonder if it's something like the following: Sophos Intercept X (Endpoint), Sophos XG and iBoss Web Filtering - Discussions - Intercept X Endpoint - Sophos Community
The scenario is: Sophos XGS with its own Webfilter + Sophos Intercept X Advanced.
Yeah, the problem continues, at least in downloads.
The rate drops considerably, following two images, one with "Advanced Network Threat Protection" enabled and another image with this function disabled.
Note the download rate.
we also have this problem at a customers installation.
Do anyone have a solution for this?
I suggest opening a support case with our team regarding this issue, as they will be able to assist you more effectively.
Some policy changes can be made to help mitigate this issue, though the root cause for the slowdowns will need to be fixed in an upcoming product update.
Seeing the same thing here at my company. All of our mac clients on Intercept X are just fine (we are a 90% mac shop), but the few on PC are seeing their internet browsing throttled back to 10-20% of normal speed (our symmetrical Gb speed is typically 100-200 Mb on any PC). The interesting thing is that this is not happening with other apps that go across the WAN. Presto, our hight speed (UDP) file transfer server that our artists access across the WAN is experiencing no slowdown at all. The slowdown is only occurring with internet browsers (Chrome, Firefox, IE, etc..)
That makes sense as it’s only the traffic from browser processes subjected to web protection and control.
Network traffic from other processes is considered but not to the same degree. The SophosNetFilter.exe process,the child process of the sophosntpservice.exe is where the work takes place.
I would imagine that with ssl/tls inspection enabled in the threat protection policy it would have to be slower than without if you have that option enabled.
it is my understanding that the next release improves the speed and this is due next week sometime at least for the early groups.