This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

sophos and barracuda wsa (barracuda web security agent)

We were having issues with the sophos not allowing the wsa to work properly.  When Sophos is running the barracuda would see a user called system instead of the logged on user and not block any websites.  Playing with sophos we found if we turned off all items in Real-time Scanning - Internet area then the barracuda would work properly.

Seeing if anyone else had this issue and if there is another way to make sophos and wsa work together better.



This thread was automatically locked due to age.
Parents
  • Hi,

    Does this problem only exists on Windows 8.1 and later?  Windows 7 computers are OK?  

    On Win 7 the web protection and control features are implemented with an LSP and takes place within the browser process.  So it's still Chrome.exe/Iexplore.exe/Firefox.exe making the outgoing connection.

    On Windows 8.1 and later web protection and control uses WFP, the traffic is proxied through an external process, swi_fc.exe that is running as system.

    I can see how the client side Barracuda software might hook swi_fc.exe as well as or instead of the browser and you get the result you're seeing.

    Creating a local proxy process to proxy the web traffic isn't that unusual with endpoint security products in order to examine web traffic.  I would ask the Barracuda support how they cope with this and how they hook processes to check for Web browsing and the user.  Do they load a dll into the browser process, do they have a driver, etc?

    Regards,

    Jak

  • We were dealing with this on windows 10 laptops.  Never tried on windows 7.

    Barracuda support tried this registry tweak, wfp to lsp, with our windows 10 machines and all it did was break the internet connection altogether.

    attached is the wsa info and we choose what applications to filter from the web console

    on the actual laptop there is a service for the wsa and wsa service

Reply
  • We were dealing with this on windows 10 laptops.  Never tried on windows 7.

    Barracuda support tried this registry tweak, wfp to lsp, with our windows 10 machines and all it did was break the internet connection altogether.

    attached is the wsa info and we choose what applications to filter from the web console

    on the actual laptop there is a service for the wsa and wsa service

Children
  • I see you have excluded swi_fc.exe as a process not to monitor and the list of browser processes are.

    Does this revert the initial behaviour you mentioned, i.e you no longer see traffic being reported as coming from a system process but then you don't get the filtering you'd expect?

    With the Sophos endpoint web proxy you end up with something like this on Windows 8.1+

    Chrome.exe (account:user1) -> 127.0.0.1:567891 -> swi_fc.exe (account:system) -> server:80

    Without Sophos endpoint web proxy:

    Chrome.exe (account:user1) -> server:80

    In the second, default case, I'd imagine the Barracuda software hooks into the Chrome process to "see" this request and understand the process making it.

    With Sophos proxying browser traffic, and in the configuration shown in the screenshot:  I would expect that Barracuda is still hooking Chrome.exe, getting the username, but maybe, as the traffic is being redirected to 127.0.0.1 it doesn't care about it?  Applications talking to themselves on loopback isn't that uncommon and maybe they have made the decision not to worry about such traffic as reporting loopback doesn't really telly you much about the web traffic or give you much to configure policy based on.

    If in the Barracuda software swi_fc.exe is on the include list, I would expect it to be treated like a browser process, the only difference being it is always going to be running as local system.  I'm guessing that knowing the user account is important to the Barracuda system?

    I've not seen or used the Barracuda software but I can only guess what might be going on.

    Regards,

    Jak