Good morning! I have deployed in my environment several Windows 10 Enterprise Edition machines with Sophos Endpoint Security and Control Security versions 10.6.3 and 10.6.4 installed, and I'm randomly facing an issue where users are suddenly not able to browse the internet. Doing some troubleshooting, I found several events 4227 and 4231 in the Windows Logs. Doing some monitoring (NETSTAT -anoq -p tcp) of port utilization, I found that this file, C:\Program Files (x86)\Common Files\Sophos\Web Intelligence\swi_fc.exe, is opening several ephemeral port connections.
The only solution that we have found so far is to restart the machines, but the users are not quite happy.
Based on this, is there something else that I can do?
Really appreciate your help and comments,
I am having the exact same issue as described here. I have found a workaround of disabling the web intelligence and web filter services. When the issue occurs I can simply stop these services and kill the process to avoid needing to reboot.
I am having this issue on server 2016 RDS Session Hosts.
What version of SAV do you have installed? 10.8.3? 10.8.4?
Or something else?
Regards,
I am John. I have taken over this issue from Michael. We have SAV 10.8.2.
Is there a new swi_fc.exe available that can resolve this port exhaustion issue?
If not, disabling the Web Filter service is the current effective workaround. However, it seems to re-enable and start itself, possibly after a Sophos update etc. Not really sure why.
Hence, is there a way not to deploy the Web Filter service altogether? It appears to be part of the Anti-Virus package and not a separate application we could exclude from deployment. I also could not find any MSI switches that could be applied to the ClientPackage.msi application to not install the Web Filter this way either.
I believe whenever the Sophos Management Service deploys updates to the servers, it re-enables and restarts the disabled Web Filter service - this is not desirable.
Not a long-term solution, but if you disable Web Protection (in Central Realtime scanning (Internet)) and Web Control, swi_fc.exe shouldn't interfere.
Christian is right. The issue, which is now fixed as I understand it, is to do with swi_fc.exe (the local web proxy) making outbound connections to addresses that aren't available, so if you disable:
Web Control in the linked policy
AND
The 2 Web Protection features:
Then browsers do not send traffic to swi_fc.exe so the issue can't occur.
Regards,
Jak
I've seen this issue happening in Windows Server 2016 as well. A Technical Support person suggested that the loopback address (127.0.0.1) is blocked in the Web Control Policy (under Website Exceptions).
This seems to have worked - we did not observe any TCP port exhaustion issues in the last few days. So in my case I needn't block Web Protection features in the AV & HIPS policy. Might be worth trying as an alternative.
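
The troubleshooting described in the first post (events 4227/4231 plus NETSTAT -anoq) can be repeated as one check before deciding to stop services or reboot. The script below is an added example, not part of the thread and not Sophos tooling; it assumes Windows 10 / Server 2016 or later, an elevated PowerShell session, and that the events are logged to the System log by the Tcpip provider.

```powershell
# Added example: show which processes hold the ephemeral (dynamic) TCP ports.

# Dynamic port range. Windows defaults are used if the query returns nothing.
$start = 49152; $count = 16384
$s = Get-NetTCPSetting -ErrorAction SilentlyContinue |
    Where-Object { $_.DynamicPortRangeStartPort -gt 0 } | Select-Object -First 1
if ($s) {
    $start = [int]$s.DynamicPortRangeStartPort
    $count = [int]$s.DynamicPortRangeNumberOfPorts
}
$end = $start + $count - 1

# Every TCP endpoint with a local port in the dynamic range, listeners excluded.
# On these OS versions this includes the 'Bound' state that netstat -q reports.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -ge $start -and $_.LocalPort -le $end -and $_.State -ne 'Listen' }

$used = ($conns | Select-Object -ExpandProperty LocalPort -Unique | Measure-Object).Count
"{0} of {1} dynamic ports ({2}-{3}) in use ({4:P1})" -f $used, $count, $start, $end, ($used / $count)

# Top consumers by owning process, with a per-state breakdown.
$conns | Group-Object OwningProcess | Sort-Object Count -Descending |
    Select-Object -First 10 | ForEach-Object {
        $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ProcessId = [int]$_.Name
            Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path      = if ($proc) { $proc.Path } else { $null }
            Endpoints = $_.Count
            States    = ($_.Group | Group-Object State |
                         ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        }
    } | Format-Table -AutoSize

# Most recent port-exhaustion events mentioned in the thread (4227 and 4231).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Tcpip'; Id = 4227, 4231 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

If swi_fc.exe is at the top of the table with a large Bound or TimeWait count when the events appear, that matches the behaviour reported above.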