
Web protection is no longer functional. The filtering driver has been bypassed or unloaded [0xa058000c] Windows 10 1703

I have an open ticket with Sophos about this issue popping up on about 17 machines that were just recently updated to Windows 10 1703 from Windows 10 1607. I tried KB 114350 with zero luck in getting this resolved. I have tried uninstalling and reinstalling both manually on the console and through the "Protect Computers" option within the Enterprise Console. I even created a group with the recommended policies as suggested within the KB article, with no luck on that either. Going to http://sophostest.com/malware/index.html to test and verify the machines are protected results in the website not being blocked. Looking for any ideas that might help resolve this issue once and for all.

Thank you,

Jamie



  • Sophos Endpoint Security & Control ver. 10.7

    Enterprise Console ver 5.5.0

  • Update:

    Reimaged system. It is now at Win 10 Enterprise, Version 10.0.16299 Build 16299

    SophosTest Malware site is blocked in Chrome and Firefox. It is not blocked in Edge. In IE 11, it blocked on first visit, but refreshing the page results in viewing the test site that is classified as Malware.

  • Also experiencing this issue across many machines.

    Windows 10 pro 1709

    Endpoint version: 10.7

    Web control version: 1.5.1539

    Firefox, Chrome block appropriately. IE11 blocks sometimes. Edge does not block at all.

  • Are you using Recommended or Preview?  Are they running 10.7.2 or 10.7.6?

  • From the troubleshooting that I have performed with Sophos, the following recommended settings were suggested to resolve the Web Protection issue.

    Select Update Managers from the Enterprise Console and view your Software Subscriptions (bottom left). Create a Preview Subscription by hitting the Add button and selecting the Preview "Early Release", which will push the following Antivirus update: Sophos Anti-Virus Version 10.7.6 V3.70.2. This is the version that has the patch "fix" for the Web Protection issue.

    It was stated that sometime in late January this version will be released to the Recommended ring, and at that point you can revert all clients back to Recommended rather than Preview.

    I can provide more details on how to set this up with screenshots if anyone needs help.

  • Jamie / JAK

    Thank you for sharing the details. I am setting it up now and will apply it to a subset of test systems. I will update later with results.

    Thanks again

    -John

  • Jamie / JAK

    Thank you for sharing the details. I set this up and applied it to a subset of test systems. Results are mixed. The issue with Web Protection appears to be resolved. No additional errors reported. However, Edge still does not correctly block SophosTest pages, yet Chrome and Firefox on the same system will block correctly.

    -John

  • If you look at the list of processes on the computer in Process Explorer, you should see the browser processes talking to swi_fc.exe.

    Looking at the TCP/IP tab of swi_fc.exe, you should see the port swi_fc.exe is listening on, e.g. 12080.

    In the case of Edge, the process talking to swi_fc.exe over loopback should be MicrosoftEdgeCP.exe. 

    To identify the process making the connection, if you open Edge, drag the cross-hair icon of Process Explorer onto the Edge Window it should focus in on one of the MicrosoftEdgeCP.exe processes in question. 

    If you look at the TCP/IP tab of that process, do you see it connecting to swi_fc.exe or straight out of the computer?  If it's not pointing to the port swi_fc.exe is listening on then the redirection is not working.

    Regards,

    Jak
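
The loopback check described in the post above, scripted in PowerShell as an added example (not part of the original thread and not Sophos's own tooling). The browser process names other than MicrosoftEdgeCP are assumptions, and the listening port is read from swi_fc.exe at run time rather than hard-coded.

```powershell
# Added example: scripted form of the Process Explorer check described above.
# Assumption: browser process names; only MicrosoftEdgeCP is named in the thread.
$browserNames = 'MicrosoftEdgeCP', 'chrome', 'firefox', 'iexplore'
$loopback     = '127.0.0.1', '::1'

# Locate swi_fc.exe and the port(s) it listens on (12080 in the post's example).
$proxy = Get-Process -Name 'swi_fc' -ErrorAction SilentlyContinue
if (-not $proxy) {
    Write-Warning 'swi_fc.exe is not running; browser traffic cannot be redirected to it.'
    return
}
$proxyPorts = @(Get-NetTCPConnection -State Listen -OwningProcess $proxy.Id -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort -Unique)
if ($proxyPorts.Count -eq 0) {
    Write-Warning 'swi_fc.exe is running but has no listening TCP port.'
    return
}
Write-Host "swi_fc.exe is listening on: $($proxyPorts -join ', ')"

# For each browser process, classify every established TCP connection:
# redirected through swi_fc on loopback, or going straight out of the computer.
foreach ($p in Get-Process -Name $browserNames -ErrorAction SilentlyContinue) {
    $conns = Get-NetTCPConnection -State Established -OwningProcess $p.Id -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $isLoopback = $loopback -contains $c.RemoteAddress
        $viaProxy   = $isLoopback -and ($proxyPorts -contains $c.RemotePort)
        [pscustomobject]@{
            Process = $p.ProcessName
            PID     = $p.Id
            Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
            Path    = if ($viaProxy) { 'via swi_fc.exe' }
                      elseif ($isLoopback) { 'other loopback' }
                      else { 'direct (not redirected)' }
        }
    }
}
```

Run it while the browser has a page loading; a browser whose rows all read "direct (not redirected)" matches the case Jak describes where the redirection is not working.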

  • We have been getting these two from the first day we deployed SEC.

    I now have a Preview group set up, but the issue for us is the W10 deployment not being done by department, so applying the preview is going to be kinda difficult.

    Have there been any known issues with 10.7.6?

  • I have been also doing some testing with Windows 10 and Preview subscriptions.

    It works but there is a flaw with subscription.  You can't have an OU that has both Preview (newest version) and recommended (current version) AV software installed.

    This can be a real big problem if you have other applications that use the OU structure.

    If you create an OU just for Preview the PCs in that OU can never move to an OU that has Recommended applied because preview will uninstall and recommended will install.

    This is not good and what I would call a major flaw.

    So to add to this flaw, any time preview goes recommended, any endpoints that have an issue with the newest version will require you to adjust your AD OU structure to apply the older version.

    Correct me if I am wrong. And if I remember right, you don't get to decide if you want preview to go recommended on your SEC; it will just happen, as this is what happened to us when 10.7 replaced 10.6.