Not Planned

XGS: UTQ customization

Not all businesses follow the same web restrictions.  Our business is expected to visit sites with Alcohol - yet, we cannot customize the UTQ to indicate Alcohol (& Tobacco) are acceptable.  UTQ still reports it as risky behavior.  We have already set Alcohol & Tobacco category as acceptable.

Please expand the documentation here:

Sophos Firewall: User Threat Quotient report

To indicate how to customize what is considered risky.

Sophos Techs have indicated we should have a web policy disabling logging - this is a very poor answer as you can only have 1 web policy per firewall rule and therefore if you want to apply other categories and log those you are out of luck.

  • Apologies for the late reply. From my conversation with one of our senior engineers, the "customization" you are after is currently not possible. This might be a feature request that you can forward to your Sophos partner or sales representative, and they will then coordinate this with any of our sales engineers who can enter the request into our systems.

    If you want your firewall configuration to be checked further to allow alcohol and tobacco-related searches from your concerned users not to be tagged as threats in the UTQ report, you might want to consider the assistance from our Professional Services team.

  • Following as I would also like to exclude alcohol and tobacco from the UTQ report as it's all it seems to fill up with. I'd rather see a clean report than know my users went to see the local liquor specials.

  • You are correct - this feedback comes from this case.  It was always logged - a colleague, also a Sophos Certified Architect, resolved my concern in the past (for 2 users) without disabling logging.  Clearly, we want it logged, just not considered a risk.  He did this without adding additional firewall rules - and certainly not adding a top-level firewall rule which skips all other intentionally designed firewall rules.

    Specifically, this is about customizing what UTQ considers a threat.  Right now, it appears it's a Sophos algorithm behind a curtain. I'm not looking for a button - I just want to set what is acceptable (vs objectionable).  Presently, my UTQ score is skewed because of the "relative score" method and the alcohol & tobacco category.

  • Hi,

    Good day.

    If this is related to Support case 06457647, from my understanding, the Alcohol & Tobacco category is still being logged for your concerned users since the associated policy has the logging and reporting turned on. An email about this was sent to you last 28 April.

    You are correct; we can only use one web policy per rule. What I am thinking is to have separate web policies with one that only contains "Alcohol & Tobacco" but "logging and reporting" is turned off and another web policy that has the remaining categories but has "logging and reporting" selected. 

    Regarding the "customize the UTQ" you mentioned, are you referring to something like a button to accept or acknowledge the UTQ event?  If not, kindly elaborate further. Thanks.

  • Thank you for your feedback,  

    We will have a look into this and get back to you.