
staffcop, sophos and windows 10

Seeing if anyone else has run into this.

We are running Sophos Cloud AV (version 11.5.4) on our Windows 10 Pro PCs (version 1607 – OS build 14393.953). When I installed StaffCop on these PCs with Sophos Cloud, they are able to access the internet for a while till the PCs are rebooted (this is after the StaffCop installation reboot).

https://www.staffcop.com/

Once the PCs are rebooted, users are not able to go to websites. We are still able to access mapped drives.

     Users get "This site can't be reached"


If I uninstall Sophos or StaffCop and reboot, users are able to go to internet sites.


I'm logged in as a domain user with the domain firewall turned off. No firewall on the AV.

  • I assume it's either the web protection and web control features or the malicious traffic detection feature that is causing the conflict.

    Centrally I would try disabling under "Threat Protection":

    • "Scan downloads in progress"
    • "Block access to malicious websites"

    and then disable Web Protection. Does it work?

    Otherwise, MTD is toggled (also in the "Threat Protection" part of the policy) with the option:

    • "Detect network traffic to command and control servers"

    You can also temporarily disable these options at the client with Tamper Detection disabled.

    Start with just Test 1, then add Test 2, then add Test 3, trying each of these in combination. Test 1 and Test 2 are implemented by the same component within the software, so I'm expecting those need to be off in combination, but maybe not.

    Knowing which feature is in conflict would be the first step.

    Regards,

    Jak

  • Looks like doing Test 1 fixes the issue.

    Now to figure out what to turn off.

  • Realtime Internet feature includes:

    Scan downloads in progress

    and

    Block access to malicious websites

    You could try disabling each in turn, but I suspect it may be both, as they both hook in the same way.

  • I downloaded the installer and unzipped it just to see what was in it, to try and understand the technologies it might use to hook web traffic. I don't really want to install the product.

    I found in the install set:

    install.cmd, this has the command:
    registerlsp -b -d ltvlib.dll

    There is ltvlib64.dll and ltvlib.dll which I guess are LSPs.

    Interestingly there is also this file: registerlsp.ini which contains the text:

    DrWebSP.4,after
    AVSDA,bypass
    PROXIFIER LSP,before
    Sophos Web Intelligence LSP,after

    This suggests that they have run into issues with Sophos before and have attempted to order themselves in a way to co-exist. You're more likely to run into a conflict of LSPs than with WFP drivers. I would expect this to help when the OS is Windows 7 rather than 10, as Sophos uses an LSP on Windows 7 but a WFP callout driver on Windows 10.

    If you run in an administrative command prompt:
    netsh winsock show catalog > winsockcat.txt

    Do you see a reference to ltvlib64.dll and ltvlib.dll? This would confirm that they are using an LSP on Windows 10.

    If they are using a WFP filter (maybe as well), then you would see evidence of this by running in an administrative command prompt:

    netsh wfp show filters

    This will generate the file: filters.xml. I'd be interested to see what was in the list of Providers at the bottom of the file (<providers></providers>).

    Regards,
    Jak
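The check Jak describes above (looking through `netsh winsock show catalog` output for the LSP DLLs) can be automated once the catalog has been redirected to a text file. The script below is an added example, not code from the thread or from either vendor: it parses a constructed sample in the layout of `netsh winsock show catalog` output (the StaffCop entry, its provider ID and its install path are hypothetical; only the DLL names ltvlib.dll and ltvlib64.dll come from the thread) and reports which catalog entries point at the named DLLs and which entries are layered chains, i.e. where an LSP sits in the protocol chain. On a real machine, point `parse_winsock_catalog` at the contents of winsockcat.txt instead of the sample.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample (not captured from the poster's PC) in the layout that
# `netsh winsock show catalog` prints. The StaffCop entry is hypothetical.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Hypothetical LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\Program Files\ExampleVendor\ltvlib64.dll
Catalog Entry ID:                   1005
Version:                            2
Protocol Chain Length:              2
"""

# The LSP DLL names mentioned in the thread.
LSP_DLLS = ["ltvlib.dll", "ltvlib64.dll"]


def parse_winsock_catalog(text):
    """Split catalog output into one dict of 'Field: value' pairs per entry."""
    entries = []
    for block in re.split(r"^Winsock Catalog Provider Entry\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z ]+?):\s+(.*)$", line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields:  # the text before the first header yields no fields
            entries.append(fields)
    return entries


def find_lsp_dlls(entries, dll_names):
    """Return (catalog id, entry type, provider path) for entries whose
    Provider Path file name is one of dll_names (case-insensitive)."""
    wanted = {n.lower() for n in dll_names}
    hits = []
    for e in entries:
        path = e.get("Provider Path", "")
        if PureWindowsPath(path).name.lower() in wanted:
            hits.append((e.get("Catalog Entry ID"), e.get("Entry Type"), path))
    return hits


def layered_entries(entries):
    """Entries with a protocol chain longer than 1 are chains that run
    traffic through a layered provider; these are where LSP conflicts live."""
    return [e for e in entries if e.get("Protocol Chain Length", "1") != "1"]


if __name__ == "__main__":
    cat = parse_winsock_catalog(SAMPLE_CATALOG)
    for cid, etype, path in find_lsp_dlls(cat, LSP_DLLS):
        print(f"LSP DLL present: id={cid} type={etype} path={path}")
    for e in layered_entries(cat):
        print("Layered chain:", e.get("Catalog Entry ID"), e.get("Description"))
```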

  • Yes, I see both ltvlib64.dll and ltvlib.dll.

    I'm off now. Will reply tomorrow.

    From filters:

    <providers>
    <item>
    <providerKey>FWPM_PROVIDER_IKEEXT</providerKey>
    <displayData>
    <name>Microsoft Corporation</name>
    <description>Microsoft Windows WFP Built-in IKEEXT provider used to identify filters added by IKE/AuthIP.</description>
    </displayData>
    <flags/>
    <providerData/>
    <serviceName>IKEEXT</serviceName>
    </item>
    <item>
    <providerKey>{aa6a7d87-7f8f-4d2a-be53-fda555cd5fe3}</providerKey>
    <displayData>
    <name>Microsoft Corporation</name>
    <description>Microsoft Windows IPsec Policy Agent</description>
    </displayData>
    <flags numItems="2">
    <item>FWPM_PROVIDER_FLAG_PERSISTENT</item>
    <item>FWPM_PROVIDER_FLAG_DISABLED</item>
    </flags>
    <providerData/>
    <serviceName>Policyagent</serviceName>
    </item>
    <item>
    <providerKey>{d9cdd163-cce0-4581-8115-c3e14b839777}</providerKey>
    <displayData>
    <name>Microsoft Corporation</name>
    <description>Microsoft Windows edge traversal socket option authorization provider</description>
    </displayData>
    <flags/>
    <providerData/>
    <serviceName/>
    </item>
    <item>
    <providerKey>FWPM_PROVIDER_TCP_CHIMNEY_OFFLOAD</providerKey>
    <displayData>
    <name>Microsoft Corporation</name>
    <description>Microsoft Windows WFP Built-in TCP Chimney Offload provider used to identify filters added by TCP Chimney Offload.</description>
    </displayData>
    <flags/>
    <providerData/>
    <serviceName/>
    </item>
    <item>
    <providerKey>{63dd0fa6-3cc5-4f44-91ab-ef56b7af8eae}</providerKey>
    <displayData>
    <name>Sophos Network Threat Protection Provider</name>
    <description/>
    </displayData>
    <flags/>
    <providerData/>
    <serviceName/>
    </item>
    <item>
    <providerKey>{4b153735-1049-4480-aab4-d1b9bdc03710}</providerKey>
    <displayData>
    <name>Microsoft Corporation</name>
    <description>Microsoft Windows Firewall Provider</description>
    </displayData>
    <flags numItems="1">
    <item>FWPM_PROVIDER_FLAG_PERSISTENT</item>
    </flags>
    <providerData/>
    <serviceName>mpssvc</serviceName>
    </item>
    <item>
    <providerKey>{893a4f22-9bba-49b7-8c66-3d40929c8fd5}</providerKey>
    <displayData>
    <name>Microsoft Corporation</name>
    <description>Microsoft Windows Teredo firewall provider</description>
    </displayData>
    <flags/>
    <providerData/>
    <serviceName/>
    </item>
    <item>
    <providerKey>{decc16ca-3f33-4346-be1e-8fb4ae0f3d62}</providerKey>
    <displayData>
    <name>Microsoft Corporation</name>
    <description>Microsoft Windows Firewall Provider</description>
    </displayData>
    <flags numItems="1">
    <item>FWPM_PROVIDER_FLAG_PERSISTENT</item>
    </flags>
    <providerData/>
    <serviceName>mpssvc</serviceName>
    </item>
    <item>
    <providerKey>{3c59fc7c-2f71-40c9-a14d-69b46e6e174b}</providerKey>
    <displayData>
    <name>Sophos</name>
    <description/>
    </displayData>
    <flags/>
    <providerData/>
    <serviceName/>
    </item>
    <item>
    <providerKey>FWPM_PROVIDER_IPSEC_DOSP_CONFIG</providerKey>
    <displayData>
    <name>Microsoft Corporation</name>
    <description>Microsoft Windows WFP Built-in IPsec DoS Protection configuration provider used to identify filters added by IPsec Denial of Service Protection.</description>
    </displayData>
    <flags/>
    <providerData/>
    <serviceName/>
    </item>
    <item>
    <providerKey>FWPM_PROVIDER_TCP_TEMPLATES</providerKey>
    <displayData>
    <name>Microsoft Corporation</name>
    <description>Microsoft Windows WFP Built-in TCP Templates provider used to identify filters added by TCP Template based configuration.</description>
    </displayData>
    <flags/>
    <providerData/>
    <serviceName/>
    </item>
    <item>
    <providerKey>{1bebc969-61a5-4732-a177-847a0817862a}</providerKey>
    <displayData>
    <name>Microsoft Corporation</name>
    <description>Microsoft Windows Firewall IPsec Provider</description>
    </displayData>
    <flags numItems="1">
    <item>FWPM_PROVIDER_FLAG_PERSISTENT</item>
    </flags>
    <providerData/>
    <serviceName>MPSSVC</serviceName>
    </item>
    <item>
    <providerKey>{8e44982a-f477-11df-85ce-78e7d1810190}</providerKey>
    <displayData>
    <name>Microsoft Corporation</name>
    <description>Windows Network Data Usage (NDU) Provider</description>
    </displayData>
    <flags/>
    <providerData/>
    <serviceName>NDU</serviceName>
    </item>
    </providers>
    </wfpdiag>
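Reading the Providers section of filters.xml by hand, as in the listing above, is workable for a dozen entries but tedious on a busy machine. The script below is an added example, not code posted in the thread or belonging to Sophos or StaffCop: it loads a `<wfpdiag>` document with `xml.etree`, lists every provider, separates the non-Microsoft ones, and searches provider names, descriptions and service names for a substring. The embedded sample is constructed from three of the provider entries shown above (the two Sophos entries and the Windows Firewall provider); the function names and the assumption that the `wfpdiag` root and the `providers/item` layout match the real file are mine. Run it against the listing above and the search for "ltvlib" comes back empty, which is the point the thread reaches: the StaffCop hook is registered as a Winsock LSP, not as a WFP provider.

```python
import xml.etree.ElementTree as ET

# Constructed sample using three provider entries copied from the thread's
# filters.xml output, wrapped in the <wfpdiag> root the real file has.
SAMPLE_FILTERS_XML = """<wfpdiag>
<providers>
<item>
<providerKey>{63dd0fa6-3cc5-4f44-91ab-ef56b7af8eae}</providerKey>
<displayData><name>Sophos Network Threat Protection Provider</name><description/></displayData>
<flags/><providerData/><serviceName/>
</item>
<item>
<providerKey>{4b153735-1049-4480-aab4-d1b9bdc03710}</providerKey>
<displayData><name>Microsoft Corporation</name><description>Microsoft Windows Firewall Provider</description></displayData>
<flags numItems="1"><item>FWPM_PROVIDER_FLAG_PERSISTENT</item></flags>
<providerData/><serviceName>mpssvc</serviceName>
</item>
<item>
<providerKey>{3c59fc7c-2f71-40c9-a14d-69b46e6e174b}</providerKey>
<displayData><name>Sophos</name><description/></displayData>
<flags/><providerData/><serviceName/>
</item>
</providers>
</wfpdiag>
"""


def load_providers(xml_text):
    """Return one dict per <providers>/<item> in a wfpdiag document."""
    root = ET.fromstring(xml_text)
    providers = []
    for item in root.findall("./providers/item"):
        providers.append({
            "key": item.findtext("providerKey", default=""),
            "name": item.findtext("displayData/name", default=""),
            "description": item.findtext("displayData/description", default=""),
            "flags": [f.text for f in item.findall("flags/item")],
            "service": item.findtext("serviceName", default=""),
        })
    return providers


def third_party_providers(providers):
    """Providers whose display name is not Microsoft's: the ones a
    third-party security or monitoring product would have registered."""
    return [p for p in providers if not p["name"].startswith("Microsoft")]


def providers_mentioning(providers, needle):
    """Providers whose name, description or service name contains needle."""
    n = needle.lower()
    return [
        p for p in providers
        if n in " ".join((p["name"], p["description"], p["service"])).lower()
    ]


def load_from_file(path):
    """Convenience wrapper for a real filters.xml produced by
    `netsh wfp show filters`."""
    with open(path, encoding="utf-8") as fh:
        return load_providers(fh.read())


if __name__ == "__main__":
    provs = load_providers(SAMPLE_FILTERS_XML)
    for p in third_party_providers(provs):
        print(f"third-party WFP provider: {p['name']} {p['key']} flags={p['flags']}")
    print("entries mentioning ltvlib:", providers_mentioning(provs, "ltvlib"))
```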

  • Looks like to make it work I need to turn off all 3 items.