
Why does Sophos send every URL I visited to 4.sophosxl.net?

Hi, I've recently received a Mac laptop for work. It runs Sophos Endpoint. I've connected it through a proxy and found it has posted every single URL I visited to https://4.sophosxl.net/lookup. Why is this? It seems like a huge privacy issue. Thanks.



This thread was automatically locked due to age.
  • Hi  

    It checks for download reputation and MTD lookups. You may find more information regarding the different types of SXL lookups that are present in the Sophos Endpoint in this article. Could you confirm how you are managing your endpoints? Also, please check this earlier post for the same issue and see if it helps.

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Hello Bob Johnson3,

    this is part of Sophos' Live Protection, specifically Download Reputation and Malicious Traffic Detection.
    If you think it's a huge privacy issue you can disable these features.

    Christian

  • Thanks for your answer Christian.

    I do think it's a huge privacy issue, especially in today's privacy landscape. Many people (myself included) will feel very uncomfortable having all their browser history sent to a third-party server. Turning off these features will defeat the point of having security software installed. Perhaps a more privacy-friendly solution would be to have the protection database downloaded locally, continuously updated, and have the checks made against the local database instead.

  • Thanks Shweta. I'm not sure how the endpoints are being managed; I'm only a user of the work laptop that has this installed.

  • Hello Bob Johnson3,

    "having all their browser history sent to a third party server"
    understandable concern, especially as this reveals complete URLs and not "just" the sites.

    "have the protection database downloaded locally"
    keep in mind that the database isn't small. We're likely not talking about a few dozen MB here. The important part though is Live - malicious URLs are often short-lived, it doesn't make sense to distribute updates only, say, twice a day or even every few hours. OTOH to immediately distribute the updates to all users is simply not economical - diminishing marginal utility (and, BTW, Download Reputation currently doesn't work with Firefox)

    "privacy"
    questions are: what is sent, what is kept, for how long? Could a third party get access to the data? Is it indeed sufficient to collect your browsing history?

    I'm not trying to downplay the SXL lookups but when it comes to privacy there exist other mechanisms - that are neither communicated nor easily evaded, if at all - to profile you (and not necessarily well-intentioned).

    Christian