
Sophos Endpoint Protection generating 100s of Events

Since installing the Sophos Endpoint Agent on computers the Windows Event Security log is filling with over a hundred events per minute.  The Audit Failure event is ID 5152: The Windows Filtering Platform has blocked a packet.  I've looked at https://docs.microsoft.com/en-us/windows/device-security/auditing/event-5152

A few things:

1. Why doesn't the Sophos agent show any events, errors, warnings, etc?

2. Microsoft is saying to monitor the source folders to see if bad things are happening.  This is in the XML and with the plethora of events almost impossible to review.

3. Even if I can ignore the events, they're still causing the logs to roll over every day or so.

 

Is anyone else seeing this behavior?  What do I need to do to make this stop filling the event logs?  Is Sophos really blocking packets and not reporting it in the console or agent?

 

Thank you.



  • Is this level of auditing on by default or have you enabled it through policy?

    I assume this stops it?

    auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable

    As for the Sophos features that operate at this layer, i.e. have a WFP filter driver, they are:

    1. Web Protection (Windows 8.1+)
    2. Sophos Client Firewall (Windows 8.1+)
    3. Malicious Traffic Detection (MTD).

    Given you are running Central, 2 is not applicable.  

    Can you rule out the 3rd, MTD? This seems most likely.

    In the Threat Protection policy applied to a test client, if you disable the option: "Detect network traffic to command and control servers", do the messages stop?

    Can you provide a few examples of the events you are seeing?

    Regards,

    Jak
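
As an added example (not code from the thread, from Jak, or from Sophos), the following PowerShell script does the triage Jak asks for before anyone disables the audit subcategory: it confirms the current "Filtering Platform Packet Drop" audit setting, pulls the recent 5152 events, and groups them by FilterRTID, application and destination so you can see which WFP filter and which process account for the noise. It then tries to map the noisiest FilterRTID back to a filter name and provider using the filters.xml dump from `netsh wfp show filters`; the element names it looks for in that dump (`item`, `filterId`, `displayData/name`, `providerKey`) are an assumption and may need adjusting for your Windows build. The `$Hours` and `$MaxEvents` parameters are hypothetical names chosen for this example.

```powershell
# Added example, not code from the thread or from Sophos.
# Summarise Event ID 5152 (WFP packet drop) from the Security log to see which
# filter and which process are involved before deciding whether to disable the
# "Filtering Platform Packet Drop" audit subcategory.
# Run from an elevated PowerShell prompt (reading the Security log needs admin).

param(
    [int]$Hours     = 24,     # hypothetical parameter: how far back to look
    [int]$MaxEvents = 5000    # hypothetical parameter: cap on events read
)

# 1. Confirm the audit setting that produces the events.
auditpol /get /subcategory:"Filtering Platform Packet Drop"

# 2. Pull recent 5152 events and flatten the EventData fields documented for
#    this event (Application, Direction, DestAddress, DestPort, Protocol,
#    FilterRTID, LayerRTID).
$query = @{
    LogName   = 'Security'
    Id        = 5152
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $query -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No 5152 events in the last $Hours hours."; return }

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Application = $data['Application']
        Direction   = $data['Direction']     # %%14592 = Inbound, %%14593 = Outbound
        DestAddress = $data['DestAddress']
        DestPort    = $data['DestPort']
        Protocol    = $data['Protocol']      # IP protocol number: 6 = TCP, 17 = UDP
        FilterRTID  = $data['FilterRTID']    # runtime id of the WFP filter that dropped it
        LayerRTID   = $data['LayerRTID']
    }
}

"`nDrops per WFP filter (FilterRTID), last $Hours h:"
$rows | Group-Object FilterRTID | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"`nDrops per application:"
$rows | Group-Object Application | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"`nTop destinations (address:port/protocol):"
$rows | Group-Object -Property { "$($_.DestAddress):$($_.DestPort)/$($_.Protocol)" } |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name | Format-Table -AutoSize

# 3. Map the noisiest FilterRTID to the filter's name and provider.
#    'netsh wfp show filters' writes the current filter set to filters.xml.
#    Assumption: each filter appears as an <item> with <filterId>,
#    <displayData><name> and <providerKey> children; adjust if your dump differs.
$topFilter = ($rows | Group-Object FilterRTID | Sort-Object Count -Descending |
              Select-Object -First 1).Name
netsh wfp show filters file=filters.xml | Out-Null
$wfp  = [xml](Get-Content -Raw .\filters.xml)
$item = $wfp.SelectSingleNode("//item[filterId='$topFilter']")
if ($item) {
    "`nFilter $topFilter : $($item.displayData.name)  (provider key $($item.providerKey))"
} else {
    "`nFilter $topFilter not found in filters.xml (it may be a transient filter)."
}
```

If the provider key and filter name resolve to the Sophos WFP driver, the drops are that product's own filtering rather than an unreported block in the console, and the choice is between disabling the subcategory with the auditpol command above or forwarding 5152 to a SIEM where the volume can be handled; if they resolve to something else, the Sophos agent is not the source and the threat-protection option Jak mentions is not the setting to change.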

     
