Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 7700 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SEC Sophosupdatemgr used instead of the real user

Aymeric LAURY

hi 

my users' internet activites are distorted. In log acces, i can see the user 'sophosupdatemgr' instead of my real user. Sophos crused the real identity of my users when they access to the web.

 

see:

http://img4.hostingpics.net/pics/146154Capturecp.png

 

I want to know why sophosupdatemgr user appear in my Checkpoint webaccess log and how to disable this function . I don't understand why this sophos user need to access on the web browsing of my users.

Web protection and Web Control are disable in my SEC policies ,and he still appear. Can i disable other functions?

 

Please, don't tell me to check this with Checkpoint. 



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Aymeric LAURY

    Hello Aymeric LAURY,

    very unfortunate indeed (both [:)]and seriously).
    Not being a Barracuda user the exact meaning of these icons isn't know to me. Wonder what the log tells with events 463087/88 and 478078/79. The blue icon looks like an ID card, there's no traffic though but it looks like some event or client activity causes a "user switch".

    [note to self: think through before posting]

    Does 478078/79 coincide with an endpoint UNC update?

    Christian

  • 0 in reply to QC

    id 463087/88 and 478078/79 refer toCheckpoint Identity Awardness fonction and specifically ADQuery. Here means that Checkpoint see sophosupdatemgr log off, then my user "Alexis" Log in and conversly Alexis log off then sophosupdatemgr log in.

     

    Auto update time don't matches with event 478078 and 79 time...

     

    My user never logged off today and the dst ip matches with the URL he visited. This is why i said sophos crushed the identity of the real user. I don't know what causes the user switch, but it's seems to be a sophos action.

    Maybe that will be clearer with the checkpoint Application and URL filtering log.

    http://img4.hostingpics.net/pics/630180Capturesophos.png

     

    we can see sophosupdatemgr surf the web :)

     

     

    sorry for my english :)

     

  • 0 in reply to Aymeric LAURY

    Hello Aymeric LAURY,

    your English is much better than my French.

    a sophos action
    the only one I'm aware of that uses the SophosUpdateManager account is updating. In the detailed ALUpdate log (in %ProgramData%\Sophos\AutoUpdate\Logs\) it's the line Attempting to make a connection to remote machine \\UNCpath\... which has the relevant timestamp. Naturally I can't say what the CIA (the Awareness thingy, not the U.S. entity) considers a logon or logoff. Live protection can make HTTP requests but neither would it log on as SophosUpdateManager before doing so nor connect to arbitrary hosts/addresses.
    Maybe the logoff isn't some kind of "active" logoff but just means that the Awareness function has detected what it considers a logon

    Hm, I'd connect (logon) to some network resource (share) with a user other than the two involved while browsing (or with "active" pages open) to see if this user now also appears in the logs. Wouldn't tell me how to solve the problem but at least show what's going on.

    Christian 

Unfiltered HTML