This article describes the scenario where one or more endpoint computers, with Web Protection, Download Scanning, or Web Control enabled, reports the following scanning error in the console:
Web protection is no longer functional. The filtering driver has been bypassed or unloaded [0xa058000c]
This error is also recorded in the SAV.txt log.
The following sections are covered:
Applies to the following Sophos products and versions Sophos Endpoint Security and Control 10.0
A periodic background task checks that the Sophos Layered Service provider (LSP) is correctly installed and returns the error if a problem is found. Commonly the error is generated when our LSP has been removed or is being bypassed.
Reasons for the LSP being removed:
Reasons for the LSP being bypassed (it is visible in the Winsock catalog but is not actually working - see 'Further Troubleshooting' below):
Our LSP has to be reset in the Winsock catalog. You can either:
Important: Both methods require endpoint computers that returned the error to be rebooted. The LSP is only updated during a reboot, and has been implemented this way to avoid disrupting network connectivity.
Follow the instructions below:
Note: If only a small percentage of computers in any one group are affected, or computers from different groups are affected, we recommend moving computers to a new temporary group. The group should have new Anti-Virus and Web control policies applied to it, configured as suggested above. This allows the majority of endpoints to maintain their current level of protection.
To view the Winsock catalog entries you can use Microsoft's Autoruns tool | 'Winsock Providers' tab or run the following command in a command prompt (Start | Run | Type: cmd.exe | Press return).
netsh winsock show catalog > C:\winsockCatalog.txt
If the Sophos LSP is loaded then, amongst the full list generated in C:\WinsockCatalog.txt, you will see entries such as:
Entry Type: Layered Service Provider (32) Description: Sophos Web Intelligence IFSLSP
Note: If you need to contact Sophos technical support run the Sophos Diagnostic Utility on the endpoint computer first and submit your support request using our online web form with the output file attached.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.