Intercept X endpoint on server incorrectly using real time scanning on Class B 172 internal IP addresses

I have a customer environment where the server has multiple NICs and IP addresses.  The client stores very large video files on the server.  Each recording studio has a dedicated 10GBps LAN link to the server and each is on a 172.19.x.x/24 Class B internal (non-internet) IP address range. 

The servers main IP address with a default gateway to the Internet is on the 10.0.0.0/24 subnet.  Links from the recording studios are direct and do not use a default gateway, so do not traverse the network via a router or firewall.

File transfer speeds from each studio to the server before Intercept X were around 750 MB/sec (around 7.8Gbps). When Intercept X was installed on the server, that speed fell to under 150 MB/sec.

I have found that the *server* Internet option under Real Time Scanning is the singular root cause of sever file transfer speed problems. 

That is, by an extensive process of trial and error, it is only by changing just this setting on just the server that we can see the speed changes.

If I disable just Internet RTS on the server and change nothing else at all, file transfers are fast.  Turning it back on immediately slows the files down again.

We theorise that the Intercept X product on the server is incorrectly identifying the non-internet routable Class B 172.x.x.x IP ranges in use as "internet", hence why toggling Internet RTS on and off works to prove this is the fault.

We added the subnets in question (e.g. 172.19.1.0/24) to the global exclusions, yet it still does not change the speed - the only thing that works is to disable Internet RTS.  Leaving this off long term is not an acceptable option for security.

Has anyone else seen this and found a fix?



Added Tags
[edited by: GlennSen at 7:37 AM (GMT -8) on 4 Nov 2024]
Parents
  • Thank you for reaching out to the community forum.

    Have you tried putting exclusion for absolute IP rather than Subnet? Try performing this test on a single device and let us know.

    Also, I would like you to raise a support case and share it with us if the issue persists after adding the exclusion. Replicate the issue while running Proc Mon and collect SDU to be attached/shared to the support case you've created. Share the case number with us. 

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  •  , have you had any further insights on this issue?  I believe we have conclusively proven the issue remains within the Sophos client software and how it is handling traffic coming from the client’s 172.19.0.0/24  to 172.19.6.0/24 subnets’ Class B type addresses, which are not “Internet” by IETF standards (the partial 172 range being 172.16.0.0 – 172.31.255.255).  All we need is the software to be updated to have a proper inbuilt exclusion for the 172.16.0.0 – 172.31.255.255 range from what it sees as "Internet".

Reply Children
No Data