How to allow checkpoint SSL extender

Hi all

I'm new to Sophos, so my apologies if the solution is blatantly obvious!

I have a technician who is required to connect to a Checkpoint extender client to remotely access clients. The process he follows is:

Connects to a website which checks his system for compatibility (looks for Java, etc.)

Once passed, it will then install the Checkpoint SSL Network Extender (STAProxy.exe) in his temp folder and run it so the technician can then remote into the client.

Sophos is somehow stopping the extender from running, though it allows the actual client to download to the temp folder. To allow it to work, I must disable the Web Control and the AV Web Protection options ("Block access to malicious sites" and "Content Scanning" must be off).

NOTE: I am not using the network protection module. 

I have added exceptions in the AV Authorisations to the site, the staproxy.exe, the dll, and the folder but this does not help. I've also changed my Web Control settings to warn, instead of block, and it didn't help.

The Anti-virus log file on the client does not show anything so I don't know how it is being blocked, and I've set the logging to verbose.

I found an article on the checkpoint site detailing that I need to "Add an exception for localhost TCP port 7777 on the Sophos Antivirus Web Monitor." But I can't seem to find a way to do this in the web monitor settings on the management console.

Oddly enough, if I manually run the staproxy.exe from the temp folder then go back to the web-page and initiate the connection, it works. It's the automated workflow of pressing the connection button on the webpage that is somehow being stopped.

Any guidance would be greatly appreciated.

Checkpoint article link

supportcenter.checkpoint.com/.../portal

  • Hello IT Manager,

    I'm not sure I understand correctly what works and what doesn't, so allow me some questions:
    staproxy.exe is downloaded to %TEMP% regardless of the settings?
    At this point you can manually start staproxy.exe and clicking the connect button again the connection is established?
    In order to allow it to run automatically you have to turn off Web Protection and Web Control (completely off as warn causes it to fail)?

    It's somewhat strange that neither the AV nor the WC log show a message, and also that it can be run manually. Sysinternals' (Microsoft's) Process Monitor would show whether staproxy.exe isn't run at all or quickly quits after performing some checks.

    Christian 

  • In reply to QC:

    Hi Christian

    Staproxy.exe and its relevant DLLs, etc. are downloaded to the temp folder inside its own folder regardless of settings. I tested by deleting the folder and watching it recreate while the AV and WC modules were enabled.

    I had a play last night and did notice that with the AV and WC settings enabled, the staproxy.exe IS run but very quickly closed. No logs are shown unfortunately, so I am unsure what module/list, etc. is blocking it when automatically loaded.

    I am presuming I can run it manually as it's outside the web monitoring scope of Sophos and treated as a normal file access, which the file level AV module has no issue with.

  • In reply to IT Manager:

    Hello IT Manager,

    dunno what WC (or WP) apparently quietly does here - guess you'll need help from Support.

    Christian

  • In reply to QC:

    Hi Christian,

    Just to advise that I'm seeing the exact same issue in our organisation.

    To be specific, I'm logging into a webpage without issue, and am presented with a 'connect' button, which when used attempts to install/run Checkpoint SSL Network Extender. This will fail after only a few seconds.

    If I then stop the Sophos Web Filter service, the connection-attempt works without issue.

    Also, if I leave that Sophos Web Filter service alone (running), but go to the TEMP folder (in my case, c:\users\<myname>\AppData\Local\Temp\Low), run (double-click) STAProxy.exe and then click 'connect' - it also works without issue.

    Like IT Manager, I am also seeing no errors in the logs. We do not have the Web Control enabled in the Sophos Console - the default policy is present, but not enabled - so it looks like this is a bug - I say 'looks like' as I'm not certain I'm understanding what's happening here. I would expect to see a log entry for the failed attempt, but there is nothing. I have similarly been through the relevant sections of the Windows Event Viewer, and can see nothing relevant.

    Do you know about this issue and have a fix/workaround? We can probably script something to prevent having to manually intervene, but it would be preferable if there was a fix that you can provide?

    Thank you in advance!

    Rich

  • In reply to theBaldycElt:

    Hello Rich,

    wondered why I got a notification regarding checkpoint SSL extender, couldn't remember that I had answered on this thread :).

    I'm afraid I don't know more than what is in this thread - I'm neither Sophos nor using the extender.
    Apart from the suggestion to give Process Monitor a try the only other ideas I have are:

    1. enable tracing for the Windows Filtering Platform (WFP)
    2. enable tracing for SWI/SWF

    If there's no obvious anomaly you'd have to open a case with Support.

    Christian

  • In reply to theBaldycElt:

    Hi Rich,

    It's possible that the application is looping back web traffic to itself and doesn't expect a delay (which Sophos Web Protection introduces by scanning). This would lead to no errors in Sophos logs if it is scanning and not blocking anything.

    The suggestion to exclude localhost can be done in the Anti-Virus and HIPS policy under Authorization > Websites > Add > IP Address: 127.0.0.1. Sophos cannot create exclusions via ports.
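As an added diagnostic that is not part of any post in this thread and is not Sophos or Check Point tooling: a PowerShell script that records when STAProxy.exe starts and how quickly it exits (the behaviour IT Manager observed), checks whether anything is listening on 127.0.0.1 TCP 7777 (the port named in the Check Point article IT Manager quoted), and, if a listener appears, times a single HTTP request to it so you can see whether looped-back traffic is being delayed, which is what MEric's explanation predicts. The process name and port come from the thread; the 60-second watch window, the 200 ms polling interval and the 10-second request timeout are assumptions of mine. Start it in a PowerShell window, then click 'connect' on the web page.

```powershell
# Added diagnostic (not from the thread, Sophos or Check Point).
# Assumptions: the extender runs as STAProxy.exe and listens on 127.0.0.1:7777.
$ProcessName   = 'STAProxy'   # Get-Process takes the name without .exe
$LoopbackPort  = 7777         # port named in the Check Point article
$WatchSeconds  = 60           # assumed watch window
$PollMillis    = 200          # assumed polling interval

$started = @{}                # PID -> time first seen, to measure process lifetime
$listenerReported = $false
$deadline = (Get-Date).AddSeconds($WatchSeconds)
Write-Host ("Watching for {0}.exe and a listener on 127.0.0.1:{1} for {2}s ..." -f $ProcessName, $LoopbackPort, $WatchSeconds)

while ((Get-Date) -lt $deadline) {
    # New instances: note the start time and the folder they were launched from
    foreach ($p in @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
        if (-not $started.ContainsKey($p.Id)) {
            $started[$p.Id] = Get-Date
            Write-Host ("{0:HH:mm:ss.fff} started PID {1} from {2}" -f $started[$p.Id], $p.Id, $p.Path)
        }
    }

    # Instances that have gone away: report how long they lived
    foreach ($id in @($started.Keys)) {
        if (-not (Get-Process -Id $id -ErrorAction SilentlyContinue)) {
            $life = (Get-Date) - $started[$id]
            Write-Host ("{0:HH:mm:ss.fff} PID {1} exited after {2:N1} s" -f (Get-Date), $id, $life.TotalSeconds)
            $started.Remove($id)
        }
    }

    # Is anything listening on the loopback port yet, and which process owns it?
    $listener = Get-NetTCPConnection -LocalPort $LoopbackPort -State Listen -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($listener -and -not $listenerReported) {
        $listenerReported = $true
        $owner = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
        $ownerName = if ($owner) { $owner.ProcessName } else { 'unknown' }
        Write-Host ("{0:HH:mm:ss.fff} listener on {1}:{2} owned by PID {3} ({4})" -f (Get-Date), $listener.LocalAddress, $LoopbackPort, $listener.OwningProcess, $ownerName)

        # Time one HTTP request to the loopback port. The response itself does not
        # matter (the extender's protocol is not known here, so an error is expected);
        # the elapsed time is what shows whether the looped-back traffic is being held
        # up while it is scanned.
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $null = Invoke-WebRequest -Uri ("http://127.0.0.1:{0}/" -f $LoopbackPort) -UseBasicParsing -TimeoutSec 10
            Write-Host ("   HTTP request to 127.0.0.1:{0} answered after {1} ms" -f $LoopbackPort, $sw.ElapsedMilliseconds)
        } catch {
            Write-Host ("   HTTP request to 127.0.0.1:{0} failed after {1} ms: {2}" -f $LoopbackPort, $sw.ElapsedMilliseconds, $_.Exception.Message)
        }
    }

    Start-Sleep -Milliseconds $PollMillis
}

if ($started.Count -eq 0 -and -not $listenerReported) {
    Write-Host ("No {0}.exe instance or listener on port {1} was seen within {2}s." -f $ProcessName, $LoopbackPort, $WatchSeconds)
}
```

Run it once with Web Protection enabled and once with the 127.0.0.1 website authorization in place: if the process lifetime goes from a few seconds to "still running" and the timed request drops from several seconds (or a timeout) to milliseconds, the loopback scanning delay is confirmed as the cause rather than a block, which is consistent with nothing appearing in the AV or Web Control logs. Get-NetTCPConnection needs Windows 8 / Server 2012 or later; on older systems replace that call with netstat -ano output.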

  • In reply to MEric:

    Hi MEric - thank you very kindly - that has done the trick!

    There is a tiny concern in my tinier mind that by excluding localhost in this way, we are introducing some risk.....can you comment on that? I hate to seem ungrateful (I am NOT!!) - just my limited understanding of what's happening inspires the question/uncertainty.....

    Thanks again,

    Rich

  • In reply to theBaldycElt:

    By creating this exclusion you are excluding all HTTP traffic originating from localhost from being scanned.  I do not see this as a risk as in order for HTTP traffic to be looped back to the local machine, a file/process must be running locally on the machine to create that traffic.  The file/processes are not covered by this loopback exclusion and will continue to be scanned/blocked if deemed malicious.