The Sophos Community will be unavailable from 13:00 to 18:00 UTC this Saturday, October 1st for upgrades. Stay tuned to our Twitter account @SophosSupport for updates.
One or more endpoint computers, with Web Protection, Download Scanning, or Web Control enabled, report the following scanning error in the console:
Web protection is no longer functional. The filtering driver has been bypassed or unloaded [0xa058000c]
This error is also recorded in the SAV.txt log.
First seen in Sophos Endpoint Security and Control 10.0
A periodic background task checks that the Sophos Layered Service provider (LSP) is correctly installed and returns the error if a problem is found. Commonly the error is generated when our LSP has been removed or is being bypassed.
Note: If this error appears on an upgrade from Sophos Endpoint Security and Control version 10.3.12 and later, and you have the Sophos Client Firewall installed, this issue can be caused by the web protection processes being blocked. To resolve:
This issue has been fixed in the Sophos Endpoint Security and Control versions 10.3.15.2 release.
Our LSP has to be reset in the Winsock catalog. You can either:
Important: Both methods require endpoint computers that returned the error to be rebooted. The LSP is only updated during a reboot, and has been implemented this way to avoid disrupting network connectivity.
Follow the instructions below:
Note: If only a small percentage of computers in any one group are affected, or computers from different groups are affected, we recommend moving computers to a new temporary group. The group should have new Anti-Virus and Web control policies applied to it, configured as suggested above. This allows the majority of endpoints to maintain their current level of protection.
To view the Winsock catalog entries you can use Microsoft's Autoruns tool | 'Winsock Providers' tab or run the following command in a command prompt (Start | Run | Type: cmd.exe | Press return).
netsh winsock show catalog > C:\winsockCatalog.txt
If the Sophos LSP is loaded then, amongst the full list generated in C:\WinsockCatalog.txt, you will see entries such as:
Entry Type: Layered Service Provider (32) Description: Sophos Web Intelligence IFSLSP
Note: If you need to contact Sophos technical support run the Sophos Diagnostic Utility on the endpoint computer first and submit your support request using our online web form with the output file attached.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.