Sophos Central Endpoint: Wonder Series - How to determine if the Web Control policy has reached the managed endpoint devices

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.
______________________________________________________________________________________________________________________________

Overview

This guide shows how to check whether a Web Control policy has been applied to your endpoint clients.

Applies to the following Sophos product(s) and version(s)
Sophos Central Endpoint.

Introduction

As a Sophos Central administrator, have you ever wondered how to confirm whether the Web Control policy you applied has reached the endpoint devices?

With the Sophos Endpoint Self Help tool, one approach is to cross-reference the Sophos Web Control policy modification time shown in the tool against the time the policy was applied, as in the screenshot shown below. If the times match, it’s a good indication that the applied policy has reached the endpoint.

Verifying if the policy is applied using local Web Control policy files

Using the Sophos Self Help tool is no doubt a good way to estimate the arrival of the new or modified policy. However, if you want to find out for sure, you can do so with the help of the local Web Control policy files.

You can browse the policy files in the “C:\ProgramData\Sophos\Web Control\Policy” folder. ProgramData is a hidden folder, so you’ll have to open File Explorer, select View, and check “Hidden items” to access it.

Inside the “Policy” folder, there are several different config files. The ones we need to check are those with random numbers and characters in their file names like the following.

 

To narrow down the search, we can open the “index” file in the “Policy” folder. The index file shows what each config file is for. We only need to focus on the three config files marked as “fragment.”

Controlled Site tag Validation

To check if the policy contains “Control sites tagged in Website Management,” open the three config files mentioned. The file with content starting with “--BEGIN LOCAL SITE LISTS” will contain all of the controlled sites tagged here. We can find the websites included in your new or modified policy in this config file if the policy has been successfully applied to the endpoint.


 

For example, suppose a website “example.com” was added to Website Management and tagged as “Recommended Read” for Web Control to use.

 

After this was applied to a policy and sent to the endpoint device, it will be reflected in the Web Control policy config file, as in the screenshot below.

 

Rule/Setting Changes Validation

The Web Control policy will reflect the rule/setting changes in the policy config file that contains content starting with “--BEGIN POLICY RULES.”

For example, we’re changing our policy to block all Windows Executables (EXE) from being downloaded by users under the “Risky File Types” option.

 

We should be able to find the setting change in the config file mentioned. Refer to the screenshot below for reference.
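The two validation checks above can also be scripted. The following PowerShell is an added example, not Sophos code: it classifies each file in the Policy folder by the opening markers quoted in this article, reports its modification time, and searches it for a value you expect from the policy. It assumes the policy files are plain text; the function name Get-WebControlFragment and the search value are illustrative.

```powershell
# Added example: classify Web Control policy files by their opening marker and
# search them for a value expected from the policy applied in Sophos Central.
param(
    # Folder named in the article.
    [string]$PolicyDir = 'C:\ProgramData\Sophos\Web Control\Policy',
    # Constructed sample value: a site or setting text you expect in the policy.
    [string]$Expected  = 'example.com'
)

# Opening markers quoted in the article, mapped to what each file holds.
$markers = [ordered]@{
    '--BEGIN LOCAL SITE LISTS' = 'Tagged sites (Website Management)'
    '--BEGIN POLICY RULES'     = 'Rules and settings'
}

function Get-WebControlFragment {
    param([string]$Path, [string]$Needle)

    Get-ChildItem -LiteralPath $Path -File -Force | ForEach-Object {
        $file = $_
        # The first non-blank line decides the file type (assumes text files).
        $first = Get-Content -LiteralPath $file.FullName -TotalCount 20 -ErrorAction SilentlyContinue |
                 Where-Object { $_.Trim() } | Select-Object -First 1
        if (-not $first) { return }   # empty or unreadable file: skip it
        foreach ($m in $markers.Keys) {
            if ($first.Contains($m)) {
                # Literal (non-regex) search so dots in a domain match as typed.
                $hits = @(Select-String -LiteralPath $file.FullName -SimpleMatch -Pattern $Needle)
                [pscustomobject]@{
                    File          = $file.Name
                    Kind          = $markers[$m]
                    LastWriteTime = $file.LastWriteTime
                    Found         = $hits.Count -gt 0
                    Lines         = ($hits.LineNumber -join ',')
                }
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $PolicyDir)) {
    Write-Error "Policy folder not found: $PolicyDir"
    return
}
Get-WebControlFragment -Path $PolicyDir -Needle $Expected | Format-Table -AutoSize
```

A row with Found set to True and a LastWriteTime at or after the time the policy was applied in Sophos Central gives the same confirmation as the manual check.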

 

Hopefully, you’ll find these simple troubleshooting tips helpful in managing your central endpoints. Have a lovely day!



Edited the disclaimer.
[edited by: Yashraj at 9:02 AM (GMT -8) on 4 Mar 2022]