Knowledge Base

This article provides a list of frequently asked questions regarding Web control in Sophos Central.

Applies to the following Sophos product(s) and version(s)
Sophos Central Admin

How does Web control relate or differ from Web protection?

The following list of bullet points will help you to differentiate between the two features:

• The Web protection feature is part of Sophos Anti-Virus and is included with all Sophos Central licenses that include this product.  This feature is designed to prevent threats reaching the web browser.
  
  
• Web control is an additional feature available in the following licences:
  
  
  • Sophos Central Endpoint Protection Advanced.
  • Sophos Central Enduser Protection.
  • Sophos Central Server Advanced Protection
    
    Notes:
    • Web Control is a feature of the Sophos Central Server Advanced license. A User licence is also required for each individual that you allow to access the internet from the server, for example using Remote Desktop/ Terminal Services. This is in line with Sophos’ EULA which defines a 'User' as an employee, consultant or other individual who benefits from the Product.
    • For more information on the functionality included in each licence see the feature table in the Sophos Central 'How to buy' page.
      
      
• Web control is focused on giving the administrator control over web browsing with specific differences between User Policies and Server Policies:
  • User Policies
    • Block by category of site
    • Block particular file types or specific websites
    • Prevent access to sites that increase risk to the organization
    • Help improve productivity and potentially limit bandwidth.
    • Policies for Web control can also be configured to apply to users only at certain times of the day if required.
    • Applies to the logged on User 
  • Server Policies
    • Provides control of potentially inappropriate websites for acceptable use by site category
    • Applies to any account that accesses the internet from the server
      
      
• Web protection prevents web based threats from reaching the browser in two ways:
  
  
  
  1. Blocking access to websites deemed to be malicious by SophosLabs.  This is achieved by endpoint performing a real-time look-up to an infrastructure of Sophos servers to classify the sites.  
     Notes:
     • The following SophosLabs page provides a way to request a reassessment of a web page if you feel a page has been wrongly classified. 
     • The 'Malware' test page as provided by SophosLabs found on this page: http://sophostest.com/ can be used to check this functionality is operational.
  2. Certain content is scanned before reaching the browser.  This feature is labelled as Download scanning.  This assessment by scanning the content is performed at the client.
     
     
• Web control and Web protection use the same methods to intercept traffic as seen by the browser and provide feedback to the user.  For example on a Windows computer the hook to intercept web traffic is a Layered Service Provider (LSP) for Windows XP/2003/2008/2008 R2/Vista and Windows 7 and for Windows 8/8.1 and Windows 2012/2012 R2 it is a Windows Filtering Platform (WFP) driver.
  
  Note: Web control is not available on Windows Server 2003.

How can I check that Web control is working?

Depending on the policy you have configured in Sophos Central, the tests you may need to perform may differ.  This answer provides the most common way to test Web control functionality is working.

SophosLabs have provided the following webpage: http://sophostest.com/ to test category classification.

In addition to checking the 'Events' report in Sophos Central for Web control events, on the endpoint logs or behaviors can also be checked or observed to see evidence of Web control being operational:

• Mac
  The 'Sophos Anti-Virus.log' file ('/Library/Logs/Sophos Anti-Virus.log') can be checked.  For example, when a block action is taken against facebook.com, the following line can be found in the log file:
  
  com.sophos.webintelligence: [Date] [Time]  Policy action 'block' on 'https://www.facebook.com'

Note: There is no visible indication provided for HTTPS page interceptions.  The browser will display messages such as: 'Safari Can't Open the Page' or 'This webpage is not available'.  
  
  Example screenshots can be seen here:
   
  
  
• Windows
  Either a notification popup will be displayed (for HTTPS) traffic or the browser will display a page detailing the content that has been blocked or warned.
  
  
• Mobile
  Sophos Central provides a Mobile Device Management (MDM) product only at this time.  There is no Web control available on iOS or Android at this time.

How can I check the client has the latest policy from Sophos Central?

The following article provides information on what to check: 121426.

How do I prevent  balloon messages being displayed to my users?

On Windows, blocked resources obtained using HTTPS will display popup messages. These balloon or 'Toast' messages can be suppressed if required by following article 120971.

How can I enable verbose logging on the endpoint?

It is possible to obtain trace logging for both Web protection and the Web control components on the endpoint.  Please contact Support quoting article 116769 and they will best guide you with the appropriate level of logging.

Why are file types such as a PDF, Flash and executable files blocked for my users?

This may be correct based on the Web control policy configured for the user.  The following steps should be followed to determine the correct behavior.

1. Log in to Sophos Central.  For more information see article 119674 or simply visit https://cloud.sophos.com.
2. Navigate to 'Policies'
3. If there are multiple policies and you don't know which policy applies it is recommended you search for the user by name.
4. Once you have identified the policy in which web control is configured for the user, click 'Web Control'
5. Check the 'File Type Access' section and then the 'Risky file downloads' options selected.
6. Adjust the settings of the policy as required.

Does Web control work on iOS, Android devices or Linux servers?

Not at this time.  Web control is only available on Windows and Mac.

Why are some files blocked based on the 'Additional security options' settings and others are allowed?

Under the 'Additional security options' of the web control policy it is possible to control access to individual file types.  For example you can block executable files.  These checks are also subject to SXL lookups to see if they are from a trusted source.  For example an executable file from Microsoft or Apple is not subject to the same checks as that from a unknown source.

How do I exempt a website?

One way to exempt a website is to use tags.  For example.  If you wanted to allow the site: 'uk.video.search.yahoo.com', that was previously blocked you could do as follows:

1. Navigate to 'System Settings' - 'Website Management'.
2. Click 'Add'.
3. Enter the address: uk.video.search.yahoo.com
4. Check 'Enable Tags'
5. Create a new tag called 'Allow' for example
6. Click 'Save'.
7. The 'Web Control Customizations' page should reflect the new entry.
8. In the Web control policy linked to the users you wish to allow the site, under the section 'Control sites tagged in the Website list', you can add an choose to Allow the 'Allow' tag.
9. After saving the updated policy, within about 30 seconds the computer should now allow the site specified when it was previously blocked.

Note: it is also possible to override the category of a site in a similar way using the 'Web Control Customizations' page.

Why is my exemption not behaving as expected?

There are a few reasons which may explain why a site doesn't behave as expected.  

Note: See the question  'How can I check the client has the latest policy from Sophos Central?' to check the client has the updated policy if in any doubt.

• If you are attempting to 'warn' on a website this will not work on a site if accessed over HTTPS.  The page will be displayed.  The warn page cannot be injected into the returned page when viewed over HTTPS.
  
  
• If you are trying to block a specific URL using the website customization list, for example: 'http://uk.video.search.yahoo.com/search/video?p=Sophos'. This is a case sensitive, so the URL:
  'http://uk.video.search.yahoo.com/search/video?p=sophos' would be allowed due to the lowercase 's' in Sophos,
  
  
• If you are trying to block the URL: 'uk.video.search.yahoo.com/search/video?p=sophos' when accessed over HTTPS, this will fail as only the 'Server Name' can be seen as part of the Server Name Extension (SNI) extension passed in the SSL handshake.
  
  In this example you could block: uk.video.search.yahoo.com over HTTPS as this is the server name passed by the browser in the SNI attribute of the request.  The following screenshot shows how the server name is passed in the request when viewing the connection in Wireshark.  [Click to enlarge].
  
  Note: Server Name Extension (SNI) is not supported by all browsers.  For more information see http://en.wikipedia.org/wiki/Server_Name_Indication.

Why can I no longer access my IP webcam using my browser?

As a first test, try adding the IP address of the webcam to the malware scanning exclusions in Sophos Central for the policy applied to the computer.  The IP or IPs can be added as a 'Website' type exclusion.

Note: This is not a Web control customization but a Web protection exclusion as found under the malware section of the policy.

Once the computer has received the policy and the exclusion is in place, try again to access the web cam using the web browser.