Sophos Enterprise Console: error a058000c, Webfiltertreiber wurde entfernt oder umgangen

Hello Joachim,

there's the article regarding error a058000c that you've apparently already read and tried to follow. 
reboot[ing] over the Weekend [] had no effect what do you mean by no effect? After applying the policies and rebooting the error should, naturally, not occur. You can then reinstate the original policies. Depending on the cause the error might or might not recur. If it does, further troubleshooting is required.

Christian

Thanks for your answer  QC,

with no effect i mean, the problem pc's moved to a separate Groupe and became the original policies of  Web-Control. The Antivirus & HIPS policies was standard. I clear the errors in de SEC. The most of them PC's was shutting down on Friday and restart at Monday Morning after a while the same error massage was displayed.

Joachim

Thanks for your answer  QC,

with no effect i mean, the problem pc's moved to a separate Groupe and became the original policies of  Web-Control. The Antivirus & HIPS policies was standard. I clear the errors in de SEC. The most of them PC's was shutting down on Friday and restart at Monday Morning after a while the same error massage was displayed.

Joachim

The swi_service - "Sophos Web Intelligence service" runs 
"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe" 
and the 64-bit version every hour and near to start-up of the swi_service to check if web protection/control is working.  

As I mentioned, if the diag process fails to connect to swi_fc.exe over 127.0.0.2 and get the diagnostic response all is OK and it fails the check and you get the error.

I don't have it to hand but if it fails the check, and then 1hr later it succeeds for example, I don't think it clears the state in SEC. Maybe you can test?

It's therefore important to know if it's a transient error or persistent as it might only take one failure in a day to give you the outstanding error state.

As a test, from a cleared error state in SEC, if you close down the browser processes, e.g. chrome/firefox/msedge/etc.  Stop the "Sophos Web Filter" service "swi_filter", then the swi_fc.exe process should exit and you can check ithis n Task Manager.

Note: It will not exit while browsers have exiting connections hence closing them.

If you run the command in a command prompt,
"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe" & echo %errorlevel%

with no swi_fc.exe process running it should return 1 (fail) as a test. This is essentially the same check swi_service runs every hour.

If you restart the swi_service service and wait, maybe 5 mins - I think there is some sort of delay.  Then it should fail and you get the error message in SEC as the diag tool will fail to connect to swi_fc.exe as it's not running. 

If you run Process Monitor for example, you will see from the Process Tree view that swi_service.exe has launched the swi_lspdiag 32 and 64-bit processes.

If you then start the swi_filter service a new swi_fc.exe will be launched.

"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe" & echo %errorlevel%
should return 0 again.

If you either wait around 1 hour for the next time swi_service.exe launches the diag processes or restart swi_service and wait around 5 mins as before, they should return 0 again but I think the error remains in SEC?

You can update the SEC CORE database to suppress the error from appearing in SEC but it would be good to know if it's a transient error.

In a browser visiting:

http://www.sophostest.com/phishing

is a test to check if web protection is working as well. That should be blocked if web protection is working.