
Sophos Enterprise Console: error a058000c, web filter driver was removed or bypassed

Since October 2021, more and more computers have had the same problem: a058000c - Web Protection is no longer functional. The filtering driver has been bypassed or unloaded.

It started with 30 computers, and on Thursday I moved them to a special group where, in the Anti-Virus and HIPS policies, the two Web Protection options (Block access to malicious websites and Content Scanning) are off.

The policy "Web Control" was set to standard (deactivated).

By Monday, all 30 PCs had been rebooted over the weekend, and it had no effect.

At the moment we have over 500 PCs with the problem: a058000c - Web Protection is no longer functional. The filtering driver has been bypassed or unloaded.

Does anyone have the same problem and a working solution?

We use Windows 10 LTSB/LTSC, Sophos Client 10.8, Sophos Enterprise Console 5.5.2

Thanks in advance

Joachim



  • Hello Joachim,

    there's the article regarding error a058000c that you've apparently already read and tried to follow. 
    "reboot[ing] over the Weekend [] had no effect": what do you mean by no effect? After applying the policies and rebooting the error should, naturally, not occur. You can then reinstate the original policies. Depending on the cause the error might or might not recur. If it does, further troubleshooting is required.

    Christian

  • Thanks for your answer, QC,

    By no effect I mean: the problem PCs were moved to a separate group and received the original Web Control policies. The Antivirus & HIPS policies were standard. I cleared the errors in the SEC. Most of the PCs were shut down on Friday and restarted on Monday morning; after a while the same error message was displayed.

    Joachim

  • The swi_service - "Sophos Web Intelligence service" runs 
    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe" 
    and the 64-bit version every hour and near to start-up of the swi_service to check if web protection/control is working.  

    As I mentioned, if the diag process fails to connect to swi_fc.exe over 127.0.0.2 and get the diagnostic response all is OK and it fails the check and you get the error.

    I don't have it to hand but if it fails the check, and then 1hr later it succeeds for example, I don't think it clears the state in SEC. Maybe you can test?

    It's therefore important to know if it's a transient error or persistent as it might only take one failure in a day to give you the outstanding error state.

    As a test, from a cleared error state in SEC, if you close down the browser processes, e.g. chrome/firefox/msedge/etc., and stop the "Sophos Web Filter" service "swi_filter", then the swi_fc.exe process should exit and you can check this in Task Manager.

    Note: It will not exit while browsers have existing connections, hence closing them.

    If you run the command in a command prompt,
    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe"
    echo %errorlevel%

    with no swi_fc.exe process running it should return 1 (fail) as a test. This is essentially the same check swi_service runs every hour.

    If you restart the swi_service service and wait, maybe 5 mins - I think there is some sort of delay.  Then it should fail and you get the error message in SEC as the diag tool will fail to connect to swi_fc.exe as it's not running. 

    If you run Process Monitor for example, you will see from the Process Tree view that swi_service.exe has launched the swi_lspdiag 32 and 64-bit processes.

    If you then start the swi_filter service a new swi_fc.exe will be launched.

    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe"
    echo %errorlevel%
    should return 0 again.

    If you either wait around 1 hour for the next time swi_service.exe launches the diag processes or restart swi_service and wait around 5 mins as before, they should return 0 again but I think the error remains in SEC?

    You can update the SEC CORE database to suppress the error from appearing in SEC but it would be good to know if it's a transient error.

    In a browser visiting:

    http://www.sophostest.com/phishing

    is a test to check if web protection is working as well. That should be blocked if web protection is working.
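
To tell a transient failure from a persistent one, as the post above suggests, the manual check can be scheduled and logged. This PowerShell sketch is an added example, not part of the original post and not Sophos code; the log path and function names are assumptions, and only the diag path, the swi_fc process and the swi_filter service name come from the post.

```powershell
# Added example: record each swi_lspdiag.exe result with the state of swi_fc.exe / swi_filter.
$Diag = 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe'
$Log  = Join-Path $env:ProgramData 'swi_diag_history.csv'   # assumed log location

function Get-WebProtectionSample {
    param([string]$DiagPath)
    # Run the diagnostic and wait for it; per the post, exit code 0 = pass, 1 = fail.
    $p   = Start-Process -FilePath $DiagPath -Wait -PassThru -WindowStyle Hidden
    $svc = Get-Service -Name 'swi_filter' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Time          = (Get-Date).ToString('s')
        DiagExitCode  = $p.ExitCode
        SwiFcRunning  = [bool](Get-Process -Name 'swi_fc' -ErrorAction SilentlyContinue)
        FilterService = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
    }
}

function Get-FailurePattern {
    param([object[]]$Samples)
    # Classify the logged history: every sample failed, some failed, or none failed.
    $fails = @($Samples | Where-Object { [int]$_.DiagExitCode -ne 0 })
    if ($fails.Count -eq 0)               { return 'NoFailures' }
    if ($fails.Count -eq $Samples.Count)  { return 'Persistent' }
    return 'Transient'
}

if (Test-Path $Diag) {
    # One sample per run; schedule the script (for example every 10 minutes) to build a history.
    Get-WebProtectionSample -DiagPath $Diag |
        Export-Csv -Path $Log -Append -NoTypeInformation
    $history = @(Import-Csv -Path $Log)
    '{0} samples, pattern: {1}' -f $history.Count, (Get-FailurePattern -Samples $history)
    # Failed samples show whether swi_fc.exe was missing or the filter service was stopped.
    $history | Where-Object { [int]$_.DiagExitCode -ne 0 } | Format-Table -AutoSize
}
```

A failed sample with SwiFcRunning set to False points at swi_fc.exe not running at that moment, which is the condition the post reproduces by stopping swi_filter.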
