
Sophos Enterprise Console: error a058000c, web filter driver was removed or bypassed

Since October 2021, more and more computers have had the same problem: a058000c - Web Protection is no longer functional. The filtering driver has been bypassed or unloaded.

It started with 30 computers, and on Thursday I moved them to a special group where, in the Anti-virus and HIPS policy, the two Web Protection options (Block access to malicious websites and Content Scanning) are off.

The "Web Control" policy was set to standard (deactivated).

On Monday, all 30 PCs had been rebooted over the weekend, and it had no effect.

At the moment we have over 500 PCs with the problem: a058000c - Web Protection is no longer functional. The filtering driver has been bypassed or unloaded.

Does anyone have the same problem and a working solution?

We use Windows 10 LTSB/LTSC, Sophos Client 10.8, Sophos Enterprise Console 5.5.2

Thanks in advance

Joachim



  • Hello Joachim,

    There's the article regarding error a058000c that you've apparently already read and tried to follow.
    "reboot[ing] over the Weekend [] had no effect": what do you mean by no effect? After applying the policies and rebooting the error should, naturally, not occur. You can then reinstate the original policies. Depending on the cause the error might or might not recur. If it does, further troubleshooting is required.

    Christian

  • If you run:

    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe"
    echo %errorlevel%

    A few times on these computers, does it return 0 or 1?

    The error you are getting is essentially because this test is failing and not returning 0.

    I'm curious to know if this is a permanent or transient issue.  For example, if you reboot and run that command, what does it return vs after you have launched a browser process for example.

  • Thanks for your answer, QC,

    By no effect I mean: the problem PCs were moved to a separate group and got the original Web Control policy. The Anti-virus and HIPS policy was standard. I cleared the errors in the SEC. Most of the PCs were shut down on Friday and restarted on Monday morning; after a while the same error message was displayed.

    Joachim

  • The swi_service - "Sophos Web Intelligence service" runs 
    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe" 
    and the 64-bit version every hour and near to start-up of the swi_service to check if web protection/control is working.  

    As I mentioned, if the diag process fails to connect to swi_fc.exe over 127.0.0.2 and get the diagnostic response all is OK and it fails the check and you get the error.

    I don't have it to hand but if it fails the check, and then 1hr later it succeeds for example, I don't think it clears the state in SEC. Maybe you can test?

    It's therefore important to know if it's a transient error or persistent as it might only take one failure in a day to give you the outstanding error state.

    As a test, from a cleared error state in SEC, if you close down the browser processes, e.g. chrome/firefox/msedge/etc., and stop the "Sophos Web Filter" service "swi_filter", then the swi_fc.exe process should exit and you can check this in Task Manager.

    Note: It will not exit while browsers have existing connections, hence closing them.

    If you run the command in a command prompt,
    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe"
    echo %errorlevel%

    with no swi_fc.exe process running it should return 1 (fail) as a test. This is essentially the same check swi_service runs every hour.

    If you restart the swi_service service and wait, maybe 5 mins - I think there is some sort of delay.  Then it should fail and you get the error message in SEC as the diag tool will fail to connect to swi_fc.exe as it's not running. 

    If you run Process Monitor for example, you will see from the Process Tree view that swi_service.exe has launched the swi_lspdiag 32 and 64-bit processes.

    If you then start the swi_filter service a new swi_fc.exe will be launched.

    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe"
    echo %errorlevel%
    should return 0 again.

    If you either wait around 1 hour for the next time swi_service.exe launches the diag processes or restart swi_service and wait around 5 mins as before, they should return 0 again but I think the error remains in SEC?

    You can update the SEC CORE database to suppress the error from appearing in SEC but it would be good to know if it's a transient error.

    In a browser visiting:

    http://www.sophostest.com/phishing

    is a test to check if web protection is working as well. That should be blocked if web protection is working.

  • Thanks for the answer, the return is 0

    Greetings Joachim

  • That would suggest it's intermittent as it can work.

    While that is returning 0, it would suggest going to http://www.sophostest.com/phishing in a browser would also work, i.e. you would see the block page. 

    Note: it has to be HTTP for the classification of that site to work.

    If it is not getting 0 from time to time, that will be the issue, the interesting thing is, what triggers the state change?

    If you create a batch file (testwebc.bat), for example with the following content:

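    rem Sample the Sophos web filter diagnostic every 30 seconds and log its exit code.
    :s
    echo %date% %time% >> checkres.txt
    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe"
    rem Read %errorlevel% on its own line: on one line with "&" it is expanded before the tool runs.
    echo %errorlevel% >> checkres.txt
    timeout /t 30
    goto s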

    Does it go from 0 to 1 at a certain time or event?  It is sampling every 30 seconds. Could be interesting to leave for a few hours and check the checkres.txt for change.
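
Added example, not part of the thread and not Sophos code: a PowerShell variant of the sampling loop above that writes a row only when something changes, and records next to the diagnostic's exit code whether swi_fc.exe is running and what state the swi_filter service is in. The output file name `checkres.csv` and the function name are assumptions; the path, process and service names are the ones given in the posts.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$diag = 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe'
$log  = '.\checkres.csv'      # assumed output file name
$intervalSeconds = 30         # same sampling interval as the batch file

function Get-WebProtectionSample {
    # Wait for the diagnostic to finish so the exit code belongs to this run.
    $p   = Start-Process -FilePath $diag -Wait -PassThru -WindowStyle Hidden
    $svc = Get-Service -Name 'swi_filter' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Time         = Get-Date -Format 's'
        DiagExitCode = $p.ExitCode      # 0 = check passed, anything else = failed
        SwiFcRunning = [bool](Get-Process -Name 'swi_fc' -ErrorAction SilentlyContinue)
        SwiFilter    = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
    }
}

$previous = $null
while ($true) {
    $s = Get-WebProtectionSample
    # Compare everything except the timestamp; log only on a state change.
    $state = '{0}|{1}|{2}' -f $s.DiagExitCode, $s.SwiFcRunning, $s.SwiFilter
    if ($state -ne $previous) {
        $s | Export-Csv -Path $log -Append -NoTypeInformation
        $previous = $state
    }
    Start-Sleep -Seconds $intervalSeconds
}
```

A row with a non-zero `DiagExitCode` while `SwiFcRunning` is `True` points at the redirection path rather than at a stopped proxy process.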

  • As I mentioned, you can suppress the message showing in SEC to prevent acknowledging it, you can update the ErrorAlertFilters table with the following command on the SEC server, assuming the database is local.

    sqlcmd -E -S .\sophos -d SOPHOS552 -Q "INSERT INTO ErrorAlertFilters (Source, Number) VALUES ('SAV', '-1604845556')"

    where I have used:

    .\sophos as the SQL instance, i.e. a local SOPHOS named instance of SQL Server which is the default.

    SOPHOS552 as the CORE database name which is the case for SEC 5.5.2 - see https://support.sophos.com/support/s/article/KB-000033408 

    As for the Number value 0xA058000C = -1604845556 e.g.

    I'd still be interested to know why the check is presumably working and then failing.  If it's working more than it's failing, etc..

    If you were to move to Central as the management platform, this web protection component is about to be replaced so this is all moot.

  • So, I tested it, the result is always 0

  • OK, well that's good I suppose, so it must be very transient if the batch file was running for a while and logging in a variety of scenarios and kept returning 0.

    The main issue is that if the check fails just once, you get the error message in SEC, if on the next check it's OK, the error message isn't cleared until you manually acknowledge it.  As per my previous post, if you think it's very transient and something you're happy with, updating the ErrorAlertFilters table in the SEC database with the error code to suppress it, maybe that is the best option to prevent it showing in SEC. 

    The only other thing I can think of to further troubleshoot it is using the WFP policy change auditing which is off by default:

    For example, the redirection from the browser processes to swi_fc.exe (the local web proxy) relies on WFP to redirect the traffic.  Sophos creates a "swi_sublayer" named sublayer as part of this and you can see it in the output of wfpstate.xml generated by running "netsh wfp show state".

    If this is removed, then you would get the error.  Event log entries for the deleting of the sublayer would be another marker of when it would be failing and with the above auditing, they would go to the Security Event Log.  It is non-persistent so does appear to get removed when the services stop so you will see it added/removed but it wouldn't be expected outside of boot/shutdown and if the SAV component did a major update causing the services.
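
Added example, not part of the thread and not Sophos code: one way to turn on the WFP policy change auditing mentioned above, check whether "swi_sublayer" is present right now, and list Security log entries for changes to it. The function names are hypothetical; the audit subcategory name and event ID 5450 are standard Windows values not stated in the thread, and matching on the event text assumes the event carries the sub-layer name.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.

# WFP policy change auditing is off by default. The subcategory name is
# localized; `auditpol /list /subcategory:*` shows the names on this system.
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable

function Test-SwiSublayer {
    # netsh writes wfpstate.xml to the current directory, so use a scratch folder.
    $dir = Join-Path $env:TEMP ('wfp_' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $dir | Out-Null
    Push-Location $dir
    try {
        netsh wfp show state | Out-Null
        [bool](Select-String -Path '.\wfpstate.xml' -Pattern 'swi_sublayer' `
               -SimpleMatch -Quiet -ErrorAction SilentlyContinue)
    } finally {
        Pop-Location
        Remove-Item -Recurse -Force $dir
    }
}

function Get-SwiSublayerChange {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # Event 5450: "A Windows Filtering Platform sub-layer has been changed."
    # Assumption: the event text includes the sub-layer name.
    $filter = @{ LogName = 'Security'; Id = 5450; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*swi_sublayer*' } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Message
}

"swi_sublayer present now: $(Test-SwiSublayer)"
Get-SwiSublayerChange | Format-List
```

Entries that fall outside boot, shutdown or a Sophos Anti-Virus update are the ones to line up against the times the diagnostic check failed.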

  • First of all, thank you for your support and advice. I have separated all PCs into a new group with the standard Anti-virus and Web Control policies. After two weeks, with the PCs rebooting after working hours and at the weekend, most of them have no more Web Control errors. The peak was around 1250 PCs and today 750 PCs are falling. I hope the numbers will go to zero next week.

    Greetings Joachim