This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSP.exe creating lots of traffic

We have been investigating issues with our firewalls and one thing I noticed is i have been seeing hundred and hundred of hits from ssp.exe to our firewall

Client base is over 500!


These seem to be amazon IP Address, why is it talkign too these and what is ssp.exe?



This thread was automatically locked due to age.
Parents
  • Hi,

    I've recently noticed these too since upgrading to 10.6.3 on 12 April. FW logs were being flooded with these dropped connection attempts.

    I logged a call and was told to disable the "Sophos System Protection Service" on a machine to see if it stopped, it did. I then received the reply at the end of this post. Just waiting to hear what the actual risks are of not allowing this traffic before I make the decision.

    I also got the following information about ssp.exe:
    Sophos System Protection, a new component installed in 10.6.3) uses HTTPS to perform lookups to Amazon-hosted Web servers in order to determine if processes that are connecting to external IPs/URLs/etc. without using a browser are talking to Command and Control servers. If they are, the process is quarantined and if need be, terminated. You can see the FAQ for Malicious Traffic Detection here: https://www.sophos.com/en-us/support/knowledgebase/121607.aspx
     

    "Hello,

    Since these machines do not have direct access to the internet, I would recommend disabling the Sophos System Protection service across your environment, as it doesn't seem like this feature will be usable unless you make some significant changes to your network.

    If in the future you do want to enable this feature, you'll have to whitelist the domains referenced in here:

    https://www.sophos.com/fr-fr/support/knowledgebase/117936.aspx

    You'll also have to the Whitelist the Sophos Live Protect and Sophos System Protection Processes. 

    Let me know if you have any further questions! 

    Regards,"

  • On these computers without internet access, what about adding the addresses to the hosts file?

    C:\ProgramData\Sophos\Sophos System Protection\Config\SXA.conf references:

    https://4.sophosxl.net/lookup

    C:\ProgramData\Sophos\Sophos System Protection\Config\FBA.conf references:

    https://ssp.feedback.sophos.com/ssp/v1/

    so "C:\Windows\System32\drivers\etc\hosts" could be updated with:

    127.0.0.1  4.sophosxl.net

    127.0.0.1  ssp.feedback.sophos.com

    Regards,

    Jak

  • How is the state of investigation? Can you confirm that this is a Proxy bug?

  • Do you have found  a solution for your environment? We are in the similar situation (the proxy server with authentication) and going to  disable ssp.exe via GPO

  • The only real solution would be a hotfix by Sophps for this  bug. But Sophos support is quite horrible as it seems they dont really care. We have been told to disable SSP or to rollback to an older Sophos release ^^.  What helped a litte was to redirect the traffic to the WAF by using a WPAD Proxy config. Seems to bee less cpu sonsuming if the WAF recieves the packages, but still not a suitabble solution in any way.

  • What I don't understand is, why isn't Sophos at least using the systems proxy settings?
    Sophos should implement the whole thing into the enterprise console and make it downloadable like the CIDs.
    Or better the message router forwards it to the server and the server asks for the information via proxy and send the reply back to the client. 
    Requesting direct internet Access for something like this just plain stupid and I don't think that is suitable for ANY business customers.
    Blocking ssp.exe via GPO is another thing. Manually manipulating the services of a security suite?
    THIS IS SOMETHING ONE SHOULD MANAGE THROUGH A GUI AKA (SEC).

  • Hi,

    I too fail to understand why any company selling to business customers would expect them to punch holes in their perimeter security,or place major additional load on firewalls/UTMs by using dynamic objects just to make their products work. I really hope Sophos does not join the likes of Adobe in this respect. By all means move services to the cloud, but make sure you support secure access to them. Rant over!


    I'd now like to update the community on the latest from my support case on this issue:


    Hello Paul,

    This case has been escalated to myself for further investigation.

    This is a known issue currently with development and will be fixed in an update later in the year (after Sept).   Sophos suggest the following to reduce/stop the traffic hitting the firewall.
     
      1. Open up the firewall to allow connections to 4.sophosxl.net
      2. Add a local DNS record to deny access to 4.sophosxl.net and ssp.feedback.sophos.com
      3. Add a local host entry for 4.sophosxl.net and ssp.feedback.sophos.com to point to 127.0.0.1    (this would need to be on every endpoint)

    As long as the SXL4 request receives a valid response (a deny or block will count as a valid response) it will stop sending the request every 30 seconds i would recommend as a short term fix that you look at setting a DNS record to allow these through


    I then asked if the fix would make the SSP.exe traffic use the locally configured NTLM proxy and got the following reply:

     I am afraid I am not sure how this fix is going to be implemented as of yet however I believe they are going to force the policy to apply whether the sxl lookup goes through or not. Once its succeeds on this lookup it should  continue using NTLM its just the initial connection which appears to be the issue.

    Just a shame that we cannot make use of the new security features of Sophos Endpoint and will rely on the old IDE files for now.

    The Endpoint "Web Protection/Web Control" feature has always adhered to the client proxy settings supporting NTLM along the way, so they can do it. Hopefully after the fix, the new SSP features will too.

  • Whats the state of investigation? Are we going to get some kind of  bugfix in near future? Or did sophos decide to ignore this case ?

  • We have hundreds of servers on our network so rather than modify hundreds of host files, we added these two zones/addresses to our internal DNS. Now these addresses get blackholed to the 127.0.0.X address range and our firewall drops went from >5000/minute down to ~15/minute. This is a real problem that Sophos needs to address ASAP. Our firewall was being stressed by these excessive drops not to mention the disk space these firewall logs were taking up!

    We do not allow our servers access to the Internet not even via our proxy so this SSP issue needs to be resolved. We have tried turning off SSP but it appears to restart itself.

  • Awesome Service on this Case! We are waiting for a solution since six month now. It seems Sophos doesn´t care .

  • If you look up to the top left to the icon it reads Sophos Community BETA.

    Maybe we are all in the wrong forum or maybe not, the ssp.exe feels a lot like beta.

    There are other questions regarding ssp not using proxy, maybe we have to look though the other posts... 

    At LEAST using the system proxy would help a bit.

    Maybe they are planing to put everything to the cloud like intercept x, then they will realise that they have to implement proxy support, oh well.

    About 3000 Clients.

    All I want is Anti Virus + Intercept X functionality in a single product managed by a central server with decentralized shares. Nothing more nothing less, I really hope Sophos will start to listen to their customers.. could be a bestseller,really.

  • HI ALL , 

    Our servers is located in AmazonAWS as we are using their services, We would need to Bypass Authentication for same for these URLs , as for Proxy settings you may follow the Steps below to pick up from IE. 

    1. Follow the instructions in the Microsoft article Change proxy server settings in Internet Explorer. If you cannot access Internet Explorer:
    • Click Start, type Control Panel in the search field and then click Control Panel.
    • The Control Panel window appears.
      Click Network and Internet and then click Internet Options. If you are using XP or lower, click Network and Internet Connections and then click Internet Options.
    1. Click Start and type Command Prompt in the search field. Right-click Command Prompt and then click Run as administrator.
    1. In Command Prompt, type netsh winhttp import proxy source =ie and then press Enter.
    1. Click Start and type services.msc in the search field. Right-click services.msc and then click Run as administrator.
    1. In Services, click Sophos AutoUpdate and t hen click Restart. Repeat this action for Sophos MCS Agent, Sophos MCS Client, andSophos System Protection.

    You may refer the KB article 119263 for additional information, When the SSP failed to connect it would retry for every 30 seconds . Also Enable Verbose logining and Private message me if you still face the issue  and if needed raise a Service request . If you have already raised the service request , Kindly private message me the Service Request . 

    Thanks and Regards

    Aditya Patel

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

Reply
  • HI ALL , 

    Our servers is located in AmazonAWS as we are using their services, We would need to Bypass Authentication for same for these URLs , as for Proxy settings you may follow the Steps below to pick up from IE. 

    1. Follow the instructions in the Microsoft article Change proxy server settings in Internet Explorer. If you cannot access Internet Explorer:
    • Click Start, type Control Panel in the search field and then click Control Panel.
    • The Control Panel window appears.
      Click Network and Internet and then click Internet Options. If you are using XP or lower, click Network and Internet Connections and then click Internet Options.
    1. Click Start and type Command Prompt in the search field. Right-click Command Prompt and then click Run as administrator.
    1. In Command Prompt, type netsh winhttp import proxy source =ie and then press Enter.
    1. Click Start and type services.msc in the search field. Right-click services.msc and then click Run as administrator.
    1. In Services, click Sophos AutoUpdate and t hen click Restart. Repeat this action for Sophos MCS Agent, Sophos MCS Client, andSophos System Protection.

    You may refer the KB article 119263 for additional information, When the SSP failed to connect it would retry for every 30 seconds . Also Enable Verbose logining and Private message me if you still face the issue  and if needed raise a Service request . If you have already raised the service request , Kindly private message me the Service Request . 

    Thanks and Regards

    Aditya Patel

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

Children
No Data