(Browser-Specific): Threat Protection policies only detects malwares in Firefox when accessing the eicar website but failed to detect it using Chrome.
also, what is this behavior, it keeps detecting the malware, cleans it, but never kills the sophos_hips_test.exe ?
The detection you have there is from on disk, the cache of the browser, web protection should stop that before it hits the disk and what that test should be testing.
In the example, you are using HTTPS to download the Eicar test file from Sophostest.com. To be able to do scanning of HTTPS you need to enable in the Threat Protection policy the following:
Is that enabled? If not can you enable it and retry.
https_decrypt_enabled will be set to 1 under: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[latest revision]\web_protection once the endpoint gets the policy to enable it. I think you need to restart the browser as well.
That said, without decryption, you should be able to run:
https://www.sophostest.com/eicar
To force the browser to use HTTP, that should generate the inline block page.
This is also true for all the categorization tests on sophostest.com. Given it's one domain, sophostest.com, with a bunch of classified URLs, when visited as HTTPS, without decryption, web protection/control can't see the full URL. It can only see the domain.
---
As for the SophosHIPS test, that is an old tool that works with the old Sophos Anti-Virus component. I don't believe there is a rule to detect the behaviour that does with the newer product. I wouldn't worry about that.
The detection you have there is from on disk, the cache of the browser, web protection should stop that before it hits the disk and what that test should be testing.
In the example, you are using HTTPS to download the Eicar test file from Sophostest.com. To be able to do scanning of HTTPS you need to enable in the Threat Protection policy the following:
Is that enabled? If not can you enable it and retry.
https_decrypt_enabled will be set to 1 under: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[latest revision]\web_protection once the endpoint gets the policy to enable it. I think you need to restart the browser as well.
That said, without decryption, you should be able to run:
https://www.sophostest.com/eicar
To force the browser to use HTTP, that should generate the inline block page.
This is also true for all the categorization tests on sophostest.com. Given it's one domain, sophostest.com, with a bunch of classified URLs, when visited as HTTPS, without decryption, web protection/control can't see the full URL. It can only see the domain.
---
As for the SophosHIPS test, that is an old tool that works with the old Sophos Anti-Virus component. I don't believe there is a rule to detect the behaviour that does with the newer product. I wouldn't worry about that.
