Sophos Central: Web Control Frequently Asked Questions

  • Article ID: 121797
  • Updated: 18 Jun 2020
  • 10 people found this helpful

Overview

This knowledge base article provides a list of frequently asked questions regarding Web control in Sophos Central.

The following sections are covered:

Applies to the following Sophos products and versions
Central Endpoint Advanced 11.5.11
Central Endpoint Standard 11.5.11
Sophos Central Managed Server 1.5.6
Sophos Endpoint Security and Control 10.8.2
UTM Managed Endpoint (Windows 2000+)

How does Web control relate or differ from Web protection

The following list of bullet points will help you to differentiate between the two features:

  • The Web protection feature is part of Sophos Anti-Virus and is included with all Sophos Central licenses that include this product. This feature is designed to prevent threats from reaching the web browser.

  • Web control is an additional feature available in the following licenses:

    • Sophos Central Endpoint Protection Advanced.
    • Sophos Central Enduser Protection.
    • Sophos Central Server Advanced Protection.

  • Web control is focused on giving the administrator control over web browsing with specific differences between User Policies and Server Policies:

    • User Policies

      • Block by category of the site
      • Block particular file types or specific websites
      • Prevent access to sites that increase the risk to the organization.
      • Help improve productivity and potentially limit bandwidth.
      • Policies for Web control can also be configured to apply to users only at certain times of the day if required.
      • Applies to the logged on User

    • Server Policies

      • Provides control of potentially inappropriate websites for acceptable use by site category.
      • Applies to any account that accesses the internet from the server.

  • Web protection prevents web-based threats from reaching the browser in two ways:

    • They block the access to websites that are deemed to be malicious by SophosLabs. This is achieved by endpoint performing a real-life lookup to the infrastructure of Sophos servers to classify the sites.

      Notes

      • The following SophosLabs page provides a way to request a reassessment of a web page if you feel a page has been wrongly classified.
      • The Malware test page as provided by SophosLabs can be used to check if this functionality is operational.

    • Web control and Web protection use the same methods to intercept traffic as seen by the browser and provide feedback to the user. For example on a Windows computer, the hook to intercept web traffic is a Layered Service Provider (LSP) for Windows XP/2003/2008/2008 R2/Vista and Windows 7 and for Windows 8/8.1 and Windows 2012/2012 R2 it is a Windows Filtering Platform (WFP) driver.

      Note: Web control is not available on Windows Server 2003.

How to check if the Web Control is working

This depends on the policy that is configured in Sophos Central, the test that needs to be performed may differ. This answer provides the most common way to test Web Control functionality is working. Use the malware test page to test the category classification.

In addition to checking the Events report in Sophos Central for Web control events, the endpoint logs or behaviors can also be checked or observed to see evidence of Web control being operational:

  • Mac

    The Sophos Anti-Virus.log file in /Library/Logs/ can be checked. For example, when a block action is taken against facebook.com, the following line can be found in the log file:

    com.sophos.webintelligence: [Date] [Time] Policy action 'block' on 'https://www.facebook.com'

    Note:     There is no visible indication provide for HTTPS page interceptions. The browser will display messages such as Safari Can't Open the Page or This webpage is not available.

    Example screenshots:

  • Windows

    Either a notification popup will be displayed or the browser will display a page detailing the content that has been blocked or warned. HTTPS websites will display a message Website cannot be found and no toast notification will be displayed.

  • Mobile

    Sophos Central provides a Mobile Device Management (MDM) product only at this time. There is no Web Control on iOS or Android at this time.

How to check if the client has the latest policy from Sophos Central

For more information of what to check, see Understanding and troubleshooting policy compliance of devices managed by Sophos Central.

How to prevent the balloon messages being displayed to users

Balloon or Toast messages can be suppressed if required by the article 'Website blocked' popups are constantly appearing on web pages.

How to enable verbose logging on the endpoint

It is possible to obtain trace logging for both Web protection and the Web control components on the endpoint. Please contact Sophos Support quoting How to enable Sophos Web Intelligence (Web Protection feature) and Web Control logging and they will best guide you with the appropriate level of logging.

Why are file types such as a .pdf, flash and executable files blocked for the users

This may be correct based on the Web control policy configured for the user. The following steps should be followed to determine the correct behavior.

  1. Log in to Sophos Central Admin.
  2. Navigate to Policies.
  3. If there are multiple policies and the customer doesn't know which policy applies, it is recommended to search for the user by name.
  4. Once the policy has been identified, click Web Control.
  5. Check the File Type Access section and then the Risky file downloads options selected.
  6. Adjust the settings of the policy as required.

Does Web control work on iOS, Android devices or Linux servers

Not at this time. Web control is only available on Windows and Mac.

Why are some files blocked based on the Additional security options settings and others are allowed

Under the Additional security options of the web control policy, it is possible to control access to individual file types. For example, the customer can block executable files. These checks are also subject to SXL lookups to see if they are from a trusted source. For example, an executable file from Microsoft or Apple is not subject to the same checks as that from an unknown source.

Note: The security options on risky file types, which is one of the functions of the web control, currently does not work on HTTPS websites. Alternatively, you can block the root domain of the website or the website's category from where the file is being downloaded.

How to exempt a website

One way to exempt a website is to use tags. For example, if the customer wanted to allow the site uk.video.search.yahoo.com, that was previously blocked the customer could do as follows:

  1. Navigate to Global Settings then select Website Management.
  2. Click Add.
  3. Enter the address uk.video.search.yahoo.com.
  4. Create a new tag called Allow for example.
  5. Click Save.
  6. The Website Management page should reflect the new entry.
  7. In the Web control policy linked to the users that the customer wishes to allow the site, under the section Control sites tagged in Website Management, he can add an choose to Allow the Allow tag.
  8. After saving the updated policy, within about 30 seconds the computer should now allow the site specified when it was previously blocked.

Note: It is also possible to override the category of a site in a similar way using the Website Management page.

Why is the exemption setup not behaving as expected

There are a few reasons which may explain why a site doesn't behave as expected.

Note: See the question How to check if the client has the latest policy from Sophos Central to check the client has the updated policy if in any doubt.

  • If the customer is attempting to warn on a website, this will not work on a site if accessed over HTTPS. The page will be displayed. The warn page cannot be injected into the returned page when viewed over HTTPS.

  • If the customer is trying to block a specific URL using the website customization list, for example: http://uk.video.search.yahoo.com/search/video?p=Sophos.

    This is a case-sensitive, so the URL:
    http://uk.video.search.yahoo.com/search/video?p=sophos would be allowed due to the lowercase 's' in Sophos.

  • If the customer is trying to block the URL: uk.video.search.yahoo.com/search/video?p=sophos when accessed over HTTPS, this will fail as only the Server Name can be seen as part of the Server Name Extension (SNI) extension passed in the SSL handshake.

In this example, the customer could block: uk.video.search.yahoo.com over HTTPS as this is the server name passed by the browser in the SNI attribute of the request. The following screenshot shows how the server name is passed in the request when viewing the connection in Wireshark.

Note: Server Name Extension (SNI) is not supported by all browsers. For more information see Server Name Indication.

Why can I no longer access my IP webcam using a browser?

As a first test, try adding the IP address of the webcam to the malware scanning exclusions in Sophos Central for the policy applied to the computer. The IP or IPs can be added as a Website type exclusion.

Note: This is not a Web control customization but a Web protection exclusion as found under the malware section of the policy.

Once the computer has received the policy and the exclusion is in place, try again to access the webcam using the web browser.

Related information

Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

Article appears in the following topics

Did this article provide the information you were looking for?

Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.

Sophos Footer