
Web Control issues after Windows 7 to Windows 10 upgrade

We've just started testing for Windows 10 roll-out, and have come across a strange issue. We do not use Web Control, however when a machine is upgraded from Windows 7 to Windows 10, with the latest client installed (10.6) users can no longer browse the internet from any browser. Disabling the "Web Filtering" service instantly resolves the issue, however we are confused as to how it is causing issues, as it is not supposed to be enabled.

I found this post which appears to be a similar problem, but there is no answer as to how to resolve the problem.

When running the Windows upgrade, it did not flag Sophos as needing to be uninstalled/reinstalled.

Can anyone provide guidance on how to resolve this?

Thanks 



This thread was automatically locked due to age.
  • Hello,

    There are 2 features that rely on the endpoint web proxy.  

    1. Web Protection - which consists of the sub-features, content scanning and malicious website lookups.
    2. Web Control.

    By default, content scanning is on if on-access is on, which is also the default, so it's likely to be on. Malicious website lookup is also enabled by default, so network traffic from browser processes (Chrome, IE, Opera, etc.) will be proxied even if Web Control is turned off.

    In Windows 7, the web traffic was intercepted with the use of a Layered Service Provider - LSP.  I.e. Sophos installs a LSP in the Winsock catalog.  This way any process that uses Winsock will have the Sophos LSP loaded.  If the traffic is web traffic and from a browser the traffic is filtered.

    On Windows 10, a LSP is not used, but a WFP callout driver is.  LSPs are a thing of the past, WFP is the future.  So the way the traffic is hooked has changed. After you upgraded to Windows 10, the LSP should have been removed and the WFP driver installed.

    You can test that the Sophos callout driver is installed/running with the following command in a command prompt:

    sc query swi_callout

    After that I would initially suggest running in an admin command prompt:

    netsh winsock show catalog > winsockcatalog.txt

    There should be no reference in the Winsock catalog to Sophos DLLs on Windows 10 computers.  If you run the same command on a Windows 7 computer you will see the Sophos LSP.

    Also on Windows 7, (with at least one of the web protection/control features enabled) if you look at the loaded modules of a process in say, Process Explorer you can see a process such as Chrome, I.E. etc that loads Winsock (ws2_32.dll) will also load the Sophos LSP.  

    On Windows 10, there are no Sophos DLLs loaded into the processes, it's all done out of process.

    If the upgrade has completed OK and the LSP has been removed, then on Windows 10, if you look in Process Explorer, you should see a couple of new processes.

    swi_filter.exe (Sophos Web Filter service), with a child process of swi_fc.exe.  swi_fc.exe essentially listens on 12080 (by default) and browser traffic is redirected to this port to proxy the connection and be able to inspect it.

    Maybe you have other applications that are using WFP technology to redirect/inspect traffic on these computers?  Any other security software/web protection software installed?  

    If you run (as admin):

    netsh wfp show filters

    It will create a file called filters.xml.  At the bottom of that file is a providers section; do you see any other third-party software mentioned?

    Feel free to make this file available.

    Regards,

    Jak
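
The Winsock catalog check described in the reply above, as an added example that is not part of the original thread or Sophos tooling: it parses the text saved by `netsh winsock show catalog` and reports entries that still point at a vendor DLL or are layered providers outside system32. The sample output, the "Example LSP" entry, its path and the GUIDs are constructed; the function names are hypothetical, and the "outside system32" rule is a heuristic.

```python
import re

# Constructed sample of `netsh winsock show catalog` output (trimmed).
# The "Example LSP" entry, its path and both GUIDs are invented.
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\Program Files (x86)\Sophos\Example\example_lsp.dll
Catalog Entry ID:                   1016
Protocol Chain Length:              2

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1
"""

def parse_catalog(text):
    """Split the dump on '... Provider Entry' headers; return one dict per entry."""
    entries = []
    text = text.replace("\r\n", "\n")
    for block in re.split(r"(?m)^.*Provider Entry[ \t]*$", text):
        pairs = re.findall(r"(?m)^([^:\n]+):[ \t]+(.*)$", block)
        fields = {k.strip(): v.strip() for k, v in pairs}
        if "Provider Path" in fields:  # skip preamble and path-less entries
            entries.append(fields)
    return entries

def leftover_lsps(entries, vendor="sophos"):
    """Entries whose DLL path names the vendor, or layered entries outside system32."""
    hits = []
    for e in entries:
        path = e["Provider Path"].lower()
        layered = e.get("Entry Type", "").lower().startswith("layered")
        if vendor in path or (layered and "\\system32\\" not in path):
            hits.append((e.get("Catalog Entry ID"), e.get("Description"), e["Provider Path"]))
    return hits

if __name__ == "__main__":
    import sys
    # Pass winsockcatalog.txt as the first argument; falls back to SAMPLE.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for hit in leftover_lsps(parse_catalog(text)):
        print(hit)
```

An empty result on an upgraded Windows 10 machine matches the expectation stated above that the catalog no longer references Sophos DLLs.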

     

  • Thanks for the detailed information Jak, that makes it clear.

    I'll give your suggestions a try and let you know what I find.

    Cheers

    Steve

  • Hi Jak,

    We've now tried everything we can think of, including your suggestions, and none of them have resolved the issue.

    There are no other applications using WFP redirect on these machines. We've tried reinstalling the Sophos agent, resetting and reinstalling IE and even repairing the Windows install, but the problem still persists.

    Currently, as a workaround, the users are having to stop the Web Filtering service in order to be able to use Internet Explorer; however, this is troublesome as of course the Sophos agent keeps starting it again.

    Are there any other steps we can try, as we don't want to have to re-install windows to get around this problem.

    Regards

    Steve

  • Hi,

    Do you see the swi_fc.exe process listed in Process Explorer - technet.microsoft.com/.../processexplorer.aspx

    If so, when you look under the TCP tab, do you see it listening?

    Can you see any browsers connecting to this listening port?

    If you look at the browser Processes in Process Explorer - TCP tab, do you see them trying to connect to swi_fc.exe?

    What is the state of these connections?  Syn sent from the browser?

    I would suggest that you might need to engage with Support so they can take a look.

    Regards,

    Jak

  • Hi Jak,

    Yes we can see swi_fc.exe open 3 ports, 2 with the state "FIN_WAIT2" and the other state "Listening".

    Checking the iexplorer.exe TCP tab, there is nothing listed at all.

    Thanks

    Steve