Server Sent Events blocked by Download Scanner

The "Block malicious downloads" feature prevents the HTML5 feature Server Sent Events (SSE) from working properly. As the SSE works over HTTP using text/event-stream as content-type it looks like a never-ending download. The scanner holds the SSE message until the channel breaks for some reason and hands over the message to the browser. This behavior prevents a reasonable use of SSE in a web application, which is a real pity. Are there any plans to resolve this issue in one of the next releases of Sophos Endpoint Software or do I have to live with that?

Using websockets or long polling is not what I want, because SSEs provide exactly what I need (part of HTTP, no resource-intensive polling, ...). As SSEs are part of the HTML5 standard your software should be aware of that and provide a real solution besides turning off the download protection, which is not an option for my company. I read some threads about SSEs and download protection, but there is no clear statement from Sophos on how this problem will (or will not) be resolved in the future.
Could you please clarify that issue a little bit, so I can plan my next actions. If I have to switch to websockets, I'd like to know if I have to expect similar problems.

As a hint: If you really feel the need to scan every text download including text/event-stream ones, you can detect the individual messages by the trailing double-newline and hand over the single messages to the browser. This would be okay for me and would not sabotage every application that wants to use SSEs.

Thank you.
Ulrich Jansen
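Constructed example of the per-message split suggested above: an incremental framer that cuts a text/event-stream body at each terminating blank line, so a scanner in the HTTP path could inspect and forward one message at a time rather than holding the stream until a fixed buffer fills. This is an added example, not Sophos code and not code from the original post; the names SseFramer, feed, pending and parse_event are hypothetical.

```python
"""Frame a text/event-stream body into messages as bytes arrive (added example;
not Sophos code or code from the post). A scanner in the HTTP path could release
each message as soon as its terminating blank line arrives instead of holding the
stream until a fixed buffer fills. SseFramer/feed/pending/parse_event are hypothetical.
"""
import re
from typing import Iterator, Optional

# The spec ends an event at a blank line; a line break may be CRLF, LF or CR.
_EVENT_END = re.compile(rb"\r\n\r\n|\n\n|\r\r")
_LINE_BREAK = re.compile(rb"\r\n|\n|\r")


class SseFramer:
    """Accumulates arbitrarily split chunks and yields complete raw messages."""

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, chunk: bytes) -> Iterator[bytes]:
        """Yield each complete message, including its terminating blank line."""
        self._buf += chunk
        while (m := _EVENT_END.search(self._buf)) is not None:
            frame, self._buf = self._buf[: m.end()], self._buf[m.end():]
            yield frame

    def pending(self) -> int:
        """Bytes held back because no blank line has arrived yet."""
        return len(self._buf)


def parse_event(frame: bytes) -> Optional[dict]:
    """Decode one raw message into fields; None for a comment-only keepalive."""
    fields = {"event": "message", "id": None, "retry": None}
    data = []
    for line in _LINE_BREAK.split(frame):
        if not line or line.startswith(b":"):       # blank or comment line
            continue
        name, _, value = line.partition(b":")
        if value.startswith(b" "):                  # one leading space is dropped
            value = value[1:]
        name, value = name.decode("utf-8", "replace"), value.decode("utf-8", "replace")
        if name == "data":
            data.append(value)
        elif name in fields:
            fields[name] = value
    if not data:                                    # spec: no data, nothing dispatched
        return None
    fields["data"] = "\n".join(data)
    return fields
```

A comment-only keepalive such as `: ping` is still released as a frame by `feed` (so the connection stays alive through the proxy) even though `parse_event` reports that the browser would dispatch no event for it.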

  • Hi,

    Could you publish or link to a simple example page using this technology that fails?

    Does this have the problem for you?
    www.w3schools.com/.../tryit.asp

    If you stop the SAVService, open factory.xml (C:\ProgramData\Sophos\Sophos Anti-Virus\Config\) and edit the line:
    <contentSizeLimit>2048</contentSizeLimit>
    such that it's, say, 10, save it and start the service, does it work then, is it waiting for a 2MB buffer to fill?

    Regards,
    Jak
  • Hi Ulrich,

    I've had a closer look at this and I can see that if you did send a number of messages down the same event stream, as you say the 'download' would in effect not 'complete'. Sophos would proxy this connection/data and wait for the 2MB buffer to fill, so it would take as long as it takes to send that much data. If it's just a 'ping' or 'no-op' this could take some time and would feel like a failure, or a time-out would be reached. So my previous info about changing the buffer size would probably 'work', but the number would probably be so low you may as well turn content scanning off.

    As this text/event-stream could be anything the client could put back together, you can't just allow it, I suppose, so a bit of a conundrum.

    One workaround (which wouldn't require you to turn off the feature) would be to add a website authorization for the source IP of the stream.  So for Sophos Home it would be under the devices configuration - 'Web Protection Exceptions'.  For SEC managed it would be under the AV policy as a website authorization and for Cloud you could put it under: https://cloud.sophos.com/manage/config/settings/scanning-exclusions as a website exclusion.

    Hope it helps.

    Regards,

    Jak