Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
We'd love to hear about it! Click here to go to the product suggestion community
I'm seeing a lot of outgoing traffic from SSP.exe on machines that don't have internet access. I am reluctant to configure system wide proxy settings, but would like ideally to set a proxy specifically for SSP and other SEP components that require internet access rather than SEC connectivity. Failing that is there a way to prevent SSP from talking to the internet that can be configured from SEC?
Hello Jeremy Gainsford,
machines that don't have internet accessso what's the problem - that SSP is hammering against the firewall? Or that you want to let SSP through so that it can be fully functional?AFAIK all components that consult or feedback to the cloud use the Windows system proxy settings. Under ProgramData there's a Config folder for SSP, insome of the files there are Sophos URLs that SSP connects to - perhaps you could either whitelist them in the firewall or blackhole them with \etc\hosts.
In reply to QC:
Like I said. I'm not eager to set system wide proxy settings. The machines in question are running software which is known to be insecure. Can't change the software, it's LoB stuff that's attached to expensive hardware. So I'm tying for the least pessimal solution.
Given that these computers are subject to 3rd party engineers turning up and sticking USB sticks in them (a practice there's organisational resistance to changing) I'm reluctant to turn off protection that Sophos describe as necessary.
In reply to Jeremy Gainsford:
so you want the Sophos components to be able to connect to the cloud but otherwise block Internet access? Is this correct?As these connections are only to known Sophos domains IMO a network firewall should do it.
Sure, and if they were connecting to IPs rather than to host names I'd happily use a network firewall for this.
I'm assuming from your responses that there's either not a Sophos specific proxy setting, or if there is you don't know about it?
you don't knowcorrect. The names used resolve to hosts on CDNs so the actual IPs depend on your ISP Unfortunately there's no concise and comprehensible article which names you'd have to check (the article on SXL is not overly helpful IMO). Nevertheless there are, as said, two names in the SSP config files which are likely the most important or only applicable - as you generally don't permit outside connections neither Web Protection/Control, download reputation, nor MTD/NTP should come into play.
[Edit]It seems that the URLs ssp uses are 4.sophosxl.net and ssp.feedback.sophos.com - from "here" these resolve to 10 addresses in total.[/Edit]
To add to what QC has already mentioned (i'm currently following up with our team regarding publishing a KB that summarizes this).
Here are some related KB's that contain info you might be interested in: