
Sophos Endpoint Web Control did not block blacklisted URL

Hi,

We're trying to use the Sophos Central for Enterprise Web Control feature, but it seems it did not work as intended.

We tried to block Web Emails and tried typing the URL https://mail.yahoo.com directly and hitting enter, and then it seems it was blocked.

However, if we access https://www.yahoo.com with a valid ID and then click the MAIL icon, it didn't block the URL.

From here, I can refresh the page without a problem even when Sophos Endpoint Events shows "mail.yahoo.com" was blocked for my users.

I tried to disable the cache, but I can still refresh the page normally.

Can anyone provide advice on how to fix this?

Thank you



  • Hello Sophos User1929,

    first of all, I don't have a solution.

    I could reproduce this (not with Central but with SESC, though this shouldn't make a difference). What seems to happen is the following: mail.yahoo.com resolves to the same addresses as s.yimg.com, which serves the various images on the Yahoo pages. The browser leaves the connection open and reuses it for the request to mail.yahoo.com. As Web Control can't inspect the HTTPS stream, it can't detect that the request goes to a blocked URL.
    I tested my assumption by idling on the www.yahoo.com page until netstat showed that the connection to s.yimg.com/mail.yahoo.com and subsequently I get the expected Secure connection failed (or your browser's equivalent) when clicking on the icon.

    Might be a deliberate and clever move by Yahoo

    Christian
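
Added example (not part of the posts in this thread, and not Sophos code): assuming the reuse described in the reply above is HTTP/2 connection coalescing, where a browser sends requests for a second hostname over an open connection when that hostname resolves to a shared address and is covered by the connection's certificate, this Python check flags blocked hostnames that could be reached that way. The DNS answers and certificate name lists are constructed sample data, and the function names are hypothetical.

```python
# Added example: flag blocked hostnames that a browser could reach over an
# already-open connection to an allowed hostname (HTTP/2 connection coalescing).
# All DNS answers and certificate SAN lists below are constructed sample data.

def san_matches(pattern, host):
    """Match one certificate SAN entry against a hostname."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label:
        # *.a.com matches x.a.com, but not a.com or x.y.a.com.
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host

def cert_covers(sans, host):
    """True if any SAN entry of the certificate is valid for host."""
    return any(san_matches(p, host) for p in sans)

def coalescing_risks(blocked, allowed, dns, cert_sans):
    """Return sorted (blocked_host, carrier_host, shared_ips) tuples where a
    connection opened for carrier_host could also carry blocked_host."""
    risks = []
    for b in blocked:
        for a in allowed:
            shared = sorted(set(dns.get(a, [])) & set(dns.get(b, [])))
            # Both conditions must hold: a shared address AND a covering cert.
            if shared and cert_covers(cert_sans.get(a, []), b):
                risks.append((b, a, shared))
    return sorted(risks)

# Constructed sample data (documentation address ranges, made-up SAN lists).
SAMPLE_DNS = {
    "s.yimg.com": ["203.0.113.10", "203.0.113.11"],
    "mail.yahoo.com": ["203.0.113.11", "203.0.113.12"],
    "www.yahoo.com": ["203.0.113.50"],
    "mail.google.com": ["198.51.100.7"],
}
SAMPLE_CERT_SANS = {
    "s.yimg.com": ["*.yimg.com", "*.yahoo.com"],
    "www.yahoo.com": ["*.yahoo.com", "yahoo.com"],
}
BLOCKED = ["mail.yahoo.com", "mail.google.com"]
ALLOWED = ["s.yimg.com", "www.yahoo.com"]

if __name__ == "__main__":
    for b, a, ips in coalescing_risks(BLOCKED, ALLOWED, SAMPLE_DNS, SAMPLE_CERT_SANS):
        print(f"{b} can ride a connection opened for {a} via {ips}")
```

With real data, the inputs would come from resolving each hostname and reading the subject alternative names of the certificate each allowed host presents.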

  • Hi QC,

    Thank you for the detailed information.

    At least I can tell that my Sophos Endpoint is still working as "intended".

    Hopefully there's something Sophos can do here.

    Currently trying the same thing with Gmail; at least it didn't behave like that.

    Regards