This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Enterprise Console: error a058000c, Webfiltertreiber wurde entfernt oder umgangen

Since October 2021 more and more Computers have the same Problem: a058000c - Web Protection is no longer functional. The filtering driver has been bypassed or unloaded.

It starts with 30 Computers and at Thursday i move them to a special Groupe, where in the Antivirus- and Hips policies the Web protection the two options are Off (Block access to malicious websites and Content Scanning)

The policy "Web Control" was set to standard (deaktivated)

On Monday all 30 PC was rebooted over the Weekend and had no effected.

In the moment we had over 500 PC's with the Problem: a058000c - Web Protection is no longer functional. The filtering driver has been bypassed or unloaded.

Have someone the same Problem and a working solution?

We use Windows 10 LTSB/ LTSC, Sophos Client 10.8, Sophos Enterprise Console 5.5.2

Thanks in advanced

Joachim



This thread was automatically locked due to age.
Parents
  • If you run:

    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe" & echo %errorlevel%

    A few times on these computers, does it return 0 or 1?

    The error you are getting is essentially because this test is failing and not returning 0.

    I'm curious to know if this is a permanent or transient issue.  For example, if you reboot and run that command, what does it return vs after you have launched a browser process for example.

  • Thanks  for answer, the return is 0

    Greetings Joachim

  • That would suggest it's intermittent as it can work.

    While that is returning 0, it would suggest going to http://www.sophostest.com/phishing in a browser would also work, i.e. you would see the block page. 

    Note: it has to be HTTP for the classification of that site to work.

    If it is not getting 0 from time to time, that will be the issue, the interesting thing is, what triggers the state change?

    If you create a batch file (testwebc.bat), for example with the following content:

    :s
    echo %date% %time% >> checkres.txt
    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe" & echo %errorlevel% >> checkres.txt
    timeout /t 30
    goto s

    Does it go from 0 to 1 at a certain time or event?  It is sampling every 30 seconds. Could be interesting to leave for a few hours and check the checkres.txt for change.

  • As I mentioned, you can suppress the message showing in SEC to prevent acknowledging it, you can update the ErrorAlertFilters table with the following command on the SEC server, assuming the database is local.

    sqlcmd -E -S .\sophos -d SOPHOS552 -Q "INSERT INTO ErrorAlertFilters (Source, Number) VALUES ('SAV', '-1604845556')"

    where I have used:

    .\sophos as the SQL instance, i.e. a local SOPHOS named instance of SQL Server which is the default.

    SOPHOS552 as the CORE database name which is the case for SEC 5.5.2 - see https://support.sophos.com/support/s/article/KB-000033408 

    As for the Number value 0xA058000C = -1604845556 e.g.

    I'd still be interested to know why the check is presumably working and then failing.  If it's working more than it's failing, etc..

    If you were to move to Central as the management platform, this web protection component is about to be replaced so this is all mute Slight smile

  • So, I tested it, the result is always 0

  • OK, well that's good I suppose, so it must be very transient if the batch file was running for a while and logging in a variety of scenarios and kept returning 0.

    The main issue is that if the check fails just once, you get the error message in SEC, if on the next check it's OK, the error message isn't cleared until you manually acknowledge it.  As per my previous post, if you think it's very transient and something you're happy with, updating the ErrorAlertFilters table in the SEC database with the error code to suppress it, maybe that is the best option to prevent it showing in SEC. 

    The only other thing I can think of to further troubleshoot it is using the WFP policy change auditing which is off by default:

    For example, the redirection from the browser processes to swi_fc.exe (the local web proxy) rely on WFP to redirect the traffic.  Sophos creates a "swi_sublayer" named sublayer as part of this and you can see it in the output of wfpstate.xml generated by running "netsh wfp show state".

    If this is removed, then you would get the error.  Event log entries for the deleting of the sublayer would be another marker of when it would be failing and with the above auditing, they would go to the Security Event Log.  It is non-persistent so does appear to get removed when the services stop so you will see it added/removed but it wouldn't be expected outside of boot/shutdown and if the SAV component did a major update causing the services.

  • At first, thank you for your support and advice. I have all PC's separated in a new Group with Anti Virus- and Webcontrol Standard policy. After two Weeks, the PC's was after work time and Weekend  rebooting, most of them the have no more errors of Webcontrol. The peak was around 1250 PCs and today 750 PCs are falling. I hope the numbers will go to zero next week.

    Greetings Joachim

Reply
  • At first, thank you for your support and advice. I have all PC's separated in a new Group with Anti Virus- and Webcontrol Standard policy. After two Weeks, the PC's was after work time and Weekend  rebooting, most of them the have no more errors of Webcontrol. The peak was around 1250 PCs and today 750 PCs are falling. I hope the numbers will go to zero next week.

    Greetings Joachim

Children
No Data