This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web protection is no longer functional. The filtering driver has been bypassed or unloaded [0xa058000c] Windows 10 1703

I have an open ticket with Sophos about this issue popping up on about 17 machines that were just recently updated to Windows 10 1703 from Windows 10 1607. Tried the following KB 114350 with Zero luck in getting this resolved. I have tried Uninstalling and Reinstalling both manually on the console, and through the "Protect Computers" option within the Enterprise Console.  Even created a Group with the recommended policies as suggested within the KB article with no luck on that either. going to http://sophostest.com/malware/index.html to test and verify the machines are protected results in the website not being blocked. Looking for any ideas that might help resolve this issue once in for all. 

 

Thank you,

 

Jamie



This thread was automatically locked due to age.
Parents
  • We are seeing the same problem.  The error is occurring on builds 1703 and 1709 of Windows 10 for us.  The users that are experiencing the error are not getting blocked for the test site above. I have tested on multiple browsers (Edge, IE, Chrome, Firefox) and the result is the same.  We are not seeing this issue on older versions of Windows 10.  Does Sophos have any updates on this issue?  We are planning an OS update to 1709 and this issue is preventing us from upgrading.

  • Email from Sophos Support Staff - 

     

    We have been rolling out version 10.7.6 to the Preview subscription line, which contains the fix for this issue. Not all customers have it yet, so I suggest you open your subscriptions in SEC, select "Preview" for Windows Endpoint, and click Details... If the version stated is 10.7.6, you can upgrade to this version, which contains the fix.

    It will likely take a bit longer before it goes to the Recommended line, but the software is fully complete. We just use the Preview line so customers have a chance to test in their environments before full deployment.

    NEXT Email -  

     

    just clarified with my Global escalations team.  We had to put a hold on the release of this build to preview for right now.  The reason is due to some interactions we have with Citrix and we are working on resolving that issue.  I don't have an ETA yet but I am working on finding that out.

     

     

    There is a fix in the works but currently it has not been released as of yet. Sophos is aware of the issue and hopefully they can come up with a fix ASAP.  They can identify potential virus issues but can't fix something that has been going on for months ??!

  • Oh good Thanks for the info. 

    I've got 403 endpoints flagging this and there is no way the troubleshooting steps suggested could be done practically on all those endpoints as many of them are laptops and tablets. 

    I look forward to the fix being released. 

  • Any updates on this issue or patch? I've found very similar behavior with Windows 10 PCs in our environment.

     

    Some Windows 10 systems, but not all, are reporting "Web Protection is no longer functional..." in the Enterprise Console. 

    We've tried the various fixes - re protect; modify policies, apply, reboot, re modify, apply, reboot with no changes.

    On one test system - running Win10 Enterprise 10.0.15063, Sophos Endpoint Security & Control ver. 10.7 - Web protection appears to be working in Chrome but not in Edge. However, this system does not show any errors in the Enterprise Console.

     

    Very frustrating.

  • What version are you running?  Are you running Recommended or Preview?

  • Sophos Endpoint Security & Control ver. 10.7

     

    Enterprise Console ver 5.5.0

  • Update:

    Reimaged system. It is now at Win 10 Enterprise, Version 10.0.16299 Build 16299

     

    SophosTest Malware site is blocked in Chrome and Firefox. It is not block in Edge. In IE 11, it blocked on first visit, but refreshing the page results in view the test site that is classified as Malware.

     

     

  • From the Troubleshooting that i have preformed with Sophos the following recommended settings were suggested to resolve the Web Protection issue.

     

    Select Update Managers from the Enterprise Console and view your Software Subscriptions ( Bottom Left )  Create a Preview Subscription by hitting the add button and selecting the Preview "Early Release" which will push the following Antivirus Update : Sophos Anti-Virus Version 10.7.6 V3.70.2  This is the version that has the Patch "Fix" for the Web Protection issue. 

     

    It was stated that sometime in late January that this version will be released to the Recommended Ring and at that point you can revert back all Clients to Recommended rather than Preview.

     

    I can provide more details on how to set this up with screenshots if anyone needs help.

     

     

     

Reply
  • From the Troubleshooting that i have preformed with Sophos the following recommended settings were suggested to resolve the Web Protection issue.

     

    Select Update Managers from the Enterprise Console and view your Software Subscriptions ( Bottom Left )  Create a Preview Subscription by hitting the add button and selecting the Preview "Early Release" which will push the following Antivirus Update : Sophos Anti-Virus Version 10.7.6 V3.70.2  This is the version that has the Patch "Fix" for the Web Protection issue. 

     

    It was stated that sometime in late January that this version will be released to the Recommended Ring and at that point you can revert back all Clients to Recommended rather than Preview.

     

    I can provide more details on how to set this up with screenshots if anyone needs help.

     

     

     

Children
  • Jamie / JAK

     

    Thank you for sharing the details. I am setting it up now and will apply it to a subset of test systems. I will update later with results.

     

    thanks again

    -John

  • Jamie / JAK

     

    Thank you for sharing the details. I set this up and applied it to a subset of test systems. Results are mixed. The issue with Web Protection appears to be resolved. No additional errors reported. However, Edge still does not correctly block SophoTest pages, yet Chrome and Firefox on the same system will block correctly

     

     

    -John

  • If you look at the list of processes on the computer in Process Explorer, you should see the browser processes talking to swi_fc.exe.

    Looking at the TCP/IP tab of swi_fc.exe you should see the port swi_fc.exe is listening on, e.g. 12080

    In the case of Edge, the process talking to swi_fc.exe over loopback should be MicrosoftEdgeCP.exe. 

    To identify the process making the connection, if you open Edge, drag the cross-hair icon of Process Explorer onto the Edge Window it should focus in on one of the MicrosoftEdgeCP.exe processes in question. 

    If you look at the TCP/IP tab of that process, do you see it connecting to swi_fc.exe or straight out of the computer?  If it's not pointing to the port swi_fc.exe is listening on then the redirection is not working.

    Regards,

    Jak

  • We have been getting these two from the first day we deployed SEC.

    I now have a Preview group setup but the issue for us is the W10 deployment not being done by department. so applying the preview is going to be kinda difficult.

    Has there been any know issues with 10.7.6?

  • I have been also doing some testing with Windows 10 and Preview subscriptions.

    It works but there is a flaw with subscription.  You can't have an OU that has both Preview (newest version) and recommended (current version) AV software installed.

    This can be a real big problem if you have other application that use the OU structure.

    If you create an OU just for Preview the PCs in that OU can never move to an OU that has Recommended applied because preview will uninstall and recommended will install.

    This not good and what I would call a major flaw.

    So to add to this flaw, any time preview goes recommended any endpoints that have an issue with newest version will require you adjust your AD OU structure to apply the older version.

    Correct me if I am wrong.  And if I remember right you don't get to decide if you want preview to go recommended on your SEC, it will just happen as this is what happen to us when 10.7 replaced 10.6.

  • The new update did not thing to fix this issue.

    10.7.6.128 is deployed to 99.9% of all of our endpoints.

    Why this even generates an error is confusing as we are not using the Web Controls.  The default policy for it is not enabled.

    Can anyone validate that this web protection error is tied to the Web controls and doesn't put the endpoints a risk?

     

    I have just decided to check the SEC regularly select all of the errors and Acknowledge.

  • The functionality the check is testing implements the following features:

    • Web Protection
      • Content Scanning  (F1)
      • Malicious website lookups  (F2)
    • Web Control (F3)

    Not the exact names of the features but these are the 3 features (F1, F2, F3) that utilise the functionality being checked.

    Note: by default content scanning is set to mirror on-access, i.e. if on-access scanning is enabled so is Content scanning but you can turn it off.

    It's only when the last one of the 3 features above are disabled does the component not check. 

    On Windows 7 and 2008R2, you will need to reboot once disabled all features for the features to be totally disabled.

    The Web Protection features are key security features, Web control on the other hand is just that, more to control users browsing.

    Regards,

    Jak

  • So that means with the on going Web protection is no longer functional errors the end-points are being put at risk.

    Has any one had any success at getting this error resolved or are you having the same random end pint affected like I am.

  • Well on the Windows 10 platform, I believe the check runs 5 mins after startup and then every hour.  The executables that perform the check (swi_lspdiag_64.exe and swi_lspdiag.exe) are launched from the swi_service.  This is detailed in the first activity of the thread.

    I think it's a case of the checks can work, work, work, fail, work but I don't think the final work clears the previous fail message.

    You can test if web protection/control is working at any time by going to:
    http://www.sophostest.com/

    For example: http://www.sophostest.com/malware will test malicious website lookups.

    http://www.sophostest.com/eicar will test content downloads.

    http://www.sophostest.com/adult will test web control if you're blocking/warning on the Adult category.

    Regards,

    Jak