Intercept X limiting internet on computers

We installed Sophos Intercept X on 75 computers at one client. The customer complains that internet browsing has been slow since then and that downloads take a long time.

The issue is resolved when the "Protection against Network Threats" function is disabled directly in Endpoint; I attach an image that shows this.

Has anyone here gone through this? Well, honestly, this is new to me and not even Sophos support here in Brazil knows exactly how to handle this.

 Thanks.



Added tags
[edited by: Gladys at 3:49 PM (GMT -7) on 15 Sep 2022]
  • I suspect it's not the option you mention specifically that needs to be disabled. That is disabling more than you need.

    Network Threat Protection (NTP), sometimes referenced as MTD, is the component that protects the browsers from connecting to malicious sites and implements web control if enabled in policy (not enabled by default).

    The component also prevents non-browser processes from connecting to known malicious addresses, e.g. C2 servers, and provides network connection information to the behavioural engine, download reputation for files downloaded via a browser process, and also IPS.

    It does many things!

    So to visualise it:

    • NTP/MTD (The component)
      • Malicious traffic detection
      • IP Events for behavioural.
      • Web Protection and Web Control (see below as it's the feature most relevant to the question)
      • IPS (SophosIPS.exe process, child of SophosNetFilter.exe, when enabled)
      • Download Reputation  (This is just a DLL loaded by the browser process)


    Web Protection has 2 sub-components in the Threat Protection policy:

    • Content scanning (Downloads in progress)
    • Malicious site lookups.

    Then there is web control, enabled/disabled in the Web Control policy.

    Both Web Protection features and Web Control are implemented by the process SophosNetFilter.exe, which is a child process of the Sophos Network Threat Protection service.

    When you disable the option you checked, it pretty much disables all of the above; it will certainly stop the SophosNetFilter.exe process, which is why I believe it helps.

    On top of the above, there is the inspection option:

    This is if SophosNetFilter.exe should decrypt web traffic from browsers to perform inspection. This is not enabled by default.

    So I would suggest:

    1. Try disabling SSL/TLS inspection if enabled. Does that speed things up?

    2. If not, try disabling Web Control, Scan downloads in progress and Block access to malicious websites. This will stop the SophosNetFilter.exe process; I suspect it's fine then. Do leave the other features enabled though.

    Thanks.

    • If all is well with just the following NTP features disabled:
      - Web Control
      - Block access to malicious websites
      - Scan downloads in progress

      I.e. SophosNetFilter.exe is not running. I would then just enable the "Scan downloads in progress" feature.

      The SophosNetFilter.exe process will start back up with just this one feature enabled. Traffic from browser processes will be considered, but this will not perform lookups, just scanning; of course, for HTTPS only when SSL/TLS inspection is enabled, but it would scan content for HTTP.

      If it's all OK with SophosNetFilter.exe running just performing the "Scan downloads in progress", this would hint at the delay being caused by the time it takes to perform a lookup to 4.sophosxl.net to classify sites as they are accessed when the other 2 features are enabled as they rely on lookups.

      Can we make this distinction? 
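
An added example, not part of the thread and not Sophos tooling: a PowerShell script to run on an affected endpoint once per policy state, recording whether the SophosNetFilter.exe and SophosIPS.exe processes named above are running and how long a connection to 4.sophosxl.net takes. Port 443, the sample count and the use of TCP connect time as a stand-in for the product's own lookup are assumptions.

```powershell
# Added example: run once per policy state and compare the results.
param(
    [string]$LookupHost = '4.sophosxl.net',  # lookup host named in the reply above
    [int]$Port          = 443,               # assumption: HTTPS port
    [int]$Samples       = 5                  # assumption: arbitrary sample count
)

# Process names are taken from the thread (Get-Process wants them without .exe).
$state = [ordered]@{ Timestamp = Get-Date -Format 's' }
foreach ($name in 'SophosNetFilter', 'SophosIPS') {
    $state["${name}Running"] = [bool](Get-Process -Name $name -ErrorAction SilentlyContinue)
}

# Time name resolution plus TCP connect to the lookup host.
# Assumption: this is only a rough proxy for the lookup the product performs.
$times = foreach ($i in 1..$Samples) {
    $client = [System.Net.Sockets.TcpClient]::new()
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $client.Connect($LookupHost, $Port)
        $sw.Stop()
        [math]::Round($sw.Elapsed.TotalMilliseconds, 1)
    } catch {
        Write-Warning "Connect to ${LookupHost}:$Port failed: $($_.Exception.Message)"
    } finally {
        $client.Dispose()
    }
    Start-Sleep -Milliseconds 500
}

# Summarise the successful samples; failed connects are only warned about.
if ($times) {
    $stats = $times | Measure-Object -Minimum -Maximum -Average
    $state['ConnectOk']    = $stats.Count
    $state['ConnectMinMs'] = $stats.Minimum
    $state['ConnectAvgMs'] = [math]::Round($stats.Average, 1)
    $state['ConnectMaxMs'] = $stats.Maximum
} else {
    $state['ConnectOk'] = 0
}

# One object per run, so results from each policy state can be appended to a CSV.
[pscustomobject]$state
```

The script's own traffic does not come from a browser process, so it shows how reachable the lookup host is from the endpoint, not the download rate seen in the browser.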

    • I just made these adjustments; I disabled the mentioned features.

      Tomorrow we will observe the behavior of the computers. I would not like to leave all these features disabled; although the network has a Sophos Firewall XGS 3300 on the edge, I understand that keeping Intercept X with all the features on strengthens protection.

      The curious thing is that we don't have this problem in other companies, only in the one we are dealing with specifically; it is a high school.

      I came to suspect that it could be some component of the operating system, Windows 10, conflicting with Intercept X, mainly due to the fact that many crack activators for Windows and Office have been deleted by the AV; perhaps these activators have changed the structure of the OS.

      Let's wait until tomorrow and see how the computers behave with these Web Control and MTD features disabled.

      Thanks !

    • The only other thing, as you mention it's a school: does it have any cloud-based web scanning? I wonder if it's something like the following: Sophos Intercept X (Endpoint), Sophos XG and iBoss Web Filtering - Discussions - Intercept X Endpoint - Sophos Community

    • The scenario is: Sophos XGS with its own Webfilter + Sophos Intercept X Advanced.

    • Yeah, the problem continues, at least in downloads.

      The rate drops considerably. Two images follow, one with "Advanced Network Threat Protection" enabled and another with this function disabled.

      Note the download rate.
