Sophos and Terminal Services

We are running a terminal server with the operating system Windows 2008 R2 that uses Sophos Endpoint Security and Control version 9.5. This terminal server is used in a lab to allow up to 30 people to RDP into the server. We have received reports that during specified times of the day all of the remote desktop users will lose internet connection. It is still possible to establish an RDP connection and access our shared files on the terminal server, which would indicate that they are still connected through the network. After some investigating, we have reason to believe one of the functions of Sophos may be blocking internet access for the remote desktop users. The event viewer on the terminal server reports Savservice.exe errors during the time Internet Explorer is unavailable to browse. It appears Sophos is scanning IE during the time of the internet outage; once Sophos is complete, internet browsing is restored. Have you received any reports on this or know any information we could use to correct this problem? We are hoping perhaps modifying the setting on Sophos would eliminate this problem.

Thanks in advance!

  • Hi,

    The web scanning component aims to filter out threats/exploits before they hit the disk and before the browser can execute/render them. The web scanning in SAV 9.x only works with IE as it's a Browser Helper Object (BHO). In SAV 10, all the main browsers are covered as the web scanning piece is now implemented as a Layered Service Provider (LSP) rather than an IE-specific BHO.

    For example, if you were to download "virus.exe" with 9.x and with the BHO off, the on-access scanner would still pick up the file as it was read back by IE from disk and therefore protect the user. In the case of a virus file such as this, the browser wouldn't really do much with "virus.exe" other than download it. If the web scanning was on and if the file was under 2 MB, the web content scanner would send it to be scanned before being written to disk, so it would be picked up by the web scanning component. On-access wouldn't even see it.

    The web scanning is really to have access to components of a webpage such as JavaScript, images, video, etc. so they can be checked (up to 2 MB) before the browser tries to work with them. So it essentially catches things earlier to reduce the chance of the browser, in this case IE, doing something with the threat before on-access gets a look in.

    Jak
