Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 3 subscribers
  • Views 3766 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to disable LSP - 10.6.3

FJ

hello all

Since the  Sophos client upgraded to 10.6.3 our firewall reported an massive increase of traffic. 

After some investigation it appears that  after LSP was automatically turned on,  all of our clients are now tryng to get to Sophos webservers.   We tried to disable LSP following the Knowledge Base article  however this has made no difference.

Sophos support are silent on this

Has anyone also seen this behaviour? or have a  suitable workaround



This thread was automatically locked due to age.
  • 0

    Hello,

    I don't think it would be the LSP.  The LSP is the DLL that is referenced in the Winsock catalog and as a result loaded processes that use Winsock such as browsers.  This is only used for older platforms such as Windows 7, Windows XP, Windows 2008. This is to enable the endpoint to proxy the connection for content scanning, web protection and web control.

    Windows 8+ uses a WFP driver to do the local proxying of web traffic.

    It sounds like you are seeing more lookups that before with say 10.3.15.  Lookups to the SophosXL servers are performed by 2 components, the swi_service.exe (Sophos Web Intelligence service), for web protection and web control and, new in 10.6.3 would be SSP.exe or Sophos System Protection service.  SSP.exe makes references to a couple of domains:

    C:\ProgramData\Sophos\Sophos System Protection\Config\sxa.conf: https://4.sophosxl.net/lookup

    C:\ProgramData\Sophos\Sophos System Protection\Config\fba.conf: https://ssp.feedback.sophos.com/ssp/v1/

    I suspect you're seeing lookups to 4.sophosxl.net.

    Can you whitelist this in some way?

    I guess you could always "hostfile"

    127.0.0.1 4.sophosxl.net

    to prevent the lookups but then you would be loosing protection.

    Maybe have a chat with Support once you've proved it's lookups from SSP.

    Hope it helps.

    Regards,

    Jak

Unfiltered HTML