Web Protection issues after latest Windows 10 updates

Hi,
Following on from the latest round of Windows updates last week, I found web browsing really laggy. After checking/changing/troubleshooting network configs to no avail, I decided to see if Sophos was the cause. Long story short, I have narrowed this down to the Web Protection Content Scanning setting - if I turn this off, everything works nicely, set it to "As on-access scanning" and I get issues on all browsers (my primary ones are Chrome and Firefox latest versions).
An example of a web page that doesn't load properly:
With the content scanning on, the page appears to load, but clicking on the video simply displays a spinner. Turn content scanning off, reload page, click play and the video plays.
Other pages simply don't complete loading, so either do not display, or the web browser continues trying to load the remaining components in the background (for what seems like forever). Another example:

  • Go to www.bowers-wilkins.co.uk
  • Hover over Headphones, and click on one of the models of headphone
  • Page loads so you can see content, but Firefox sits there still trying to load something. Sometimes the page works okay, others you click on one of the links under the headphone picture (e.g. Engineering) and it doesn't work
  • Turn off content scanning and everything works fine

And here's a site I can't get to display at all unless I turn off content scanning (or keep stopping/reloading until I get some content):

http://www.thebooksage.com/

From what I can tell from Firefox debug, the issue on that site is with image files (e.g. logo.png never loads).
Any ideas? And what are we risking turning off the content scanning option, albeit leaving the rest of Web control enabled?
Sophos version: 10.6.4.1150

Windows 10 version: 1607 build 14393.953

  • Okay, this is now fixed by doing the following:

    • Uninstall Sophos Anti-Virus, Sophos AutoUpdate and Sophos System Protection
    • Reboot
    • Install Sophos Endpoint Protection standalone v10.6 (escw_106_sa_sfx.exe)
      • Note: This issue was on a standalone machine, not one managed by Enterprise Console
    • Enter license details (Configure/Updating)
    • Right-click Sophos icon and choose "Update now"
    • Reboot
    Now I can keep the content scanning option set to On or As on-access scanning; all previous problem websites appear to work as expected now.
    Hope this helps someone else at some point.

  • Hi,

    I have Windows 10 (Version 10.0.15061) with SAV 10.7.1.32 (swi_fc.exe is 3.6.0.1397) and I don't really see the issues you mention.  Obviously it's not the same setup but the Web protection component wouldn't be much different if at all.  Is it still 3.6 in 10.6.4?

    http://www.thebooksage.com/ and the video at www.bbc.co.uk/.../39323706 both load OK for me in Chrome and FF.

    I followed the steps regarding www.bowers-wilkins.co.uk. If I visit this page in Chrome with the Developer Tools open with "Disable cache", click on the link for:

    www.bowers-wilkins.co.uk/.../P7.html
    the total download is 3.4MB and takes 11.31 seconds.

    Sorting by time columns I see a GET request to this URL just timeout after 30 seconds: getrockerbox.com/.../xyz.js

    Trying another URL:
    www.bowers-wilkins.co.uk/.../P5-Wireless.html
    This downloads 11.7MB and takes 22.50 seconds to fully load the page.

    Again the same xyz.js fails, other URLs of note are:
    dl.groovygecko.net/.../P5-Wireless.mp4 (4MB - 15.7 seconds)
    dl.groovygecko.net/.../P5-Wireless-Sound-Notes.mp4 (3.1MB - 15.7 seconds)

    Although these large media files are being downloaded they don't cause me any issues with the site and links appear to work.

    As for information on the endpoint proxy component, it performs three features:
    1. Web Control (if licensed/enabled) - This is your categorizations, where the swi_service process makes SXL look-ups to the cloud to classify sites by category, e.g. Gambling, Spam, Business, etc.

    2. Web Protection, which has 2 sub-features:
     2.1 Download scanning (locally buffered and scanned content)
     2.2 Malicious website lookups (again swi_service performing live lookups)

    You say that disabling just Download scanning is enough for the sites to behave as normal?  This feature essentially buffers up to 2MB of data to be classified and sent to the engine to be scanned.  The idea being that this feature would shield the browser from content that didn't need to be committed to disk to execute/cause harm. I suppose the main file types of interest are scripts such as JavaScript, VBScript and objects such as Java and Flash.

    If you open C:\ProgramData\Sophos\Sophos Anti-Virus\Config\factory.xml you can see the config for Web Content scanning.  i.e. the mimeTypeList and contentSizeLimit.  If you did change this for a test, you need to stop the SAVService, edit the file and start it again.  Of course it will be replaced on the next major SAV update.

    If you take the example of the test file Eicar.com.  If you visit this URL:

    http://www.eicar.org/download/eicar.com

    Web Protection's content scanning would scan eicar.com and classify it as a threat before the browser even gets to see it. Eicar.com would be buffered, sent to the engine which would classify it and the block page would be passed to Chrome.  No external look-ups would be required to detect this before the browser can see it.

    Without content scanning you are relying on the following to protect the browser/user:
    1. Web protection - malicious website look-ups to classify the hosting site/url/IP as malicious, such that you are prevented from accessing the site in the same way.
    2. On-access scanning preventing the file being written to disk.  This is still good for malicious downloads a user might end up running.  They are typically bigger than the 2MB buffer anyway but relying on on-access to pick it up doesn't prevent the more browser targeted attacks.

    Of course if you're using InterceptX then you get other browser protection through the exploit mitigation.

    Note: If you make exemptions for sites under the Authorization Manager using IP, then the connection isn't proxied at all.  This is typically fine for working around issues with internal web services hosted on one or two computers internally when the IPs are fixed.  Not so good for content coming from CDNs where the IPs could be changing every 5 minutes.

    Regards,
    Jak
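The decision logic Jak describes above (buffer a response only when its MIME type is on the list and it is under the size limit, scan the buffer, otherwise stream it through and fall back on on-access scanning of anything written to disk) can be modelled in a few lines. The following is an added illustration written for this thread, not Sophos code; the `MIME_TYPE_LIST` and `CONTENT_SIZE_LIMIT` values are constructed stand-ins named after the factory.xml settings Jak mentions, the real file's layout is not reproduced, and the "engine" is reduced to an EICAR test-string match so the buffering behaviour can be exercised offline.

```python
"""Toy model of a browser-side content-scanning proxy (added example).

Responses whose Content-Type is on the MIME-type list are buffered up to a
size limit and handed to a scanner before the browser sees them; everything
else, and anything over the limit, is passed through unscanned, leaving
on-access scanning of the disk as the remaining line of defence.
"""
from dataclasses import dataclass

# Constructed stand-ins for the mimeTypeList / contentSizeLimit settings
# mentioned in the thread (assumed values, not the product's real defaults).
MIME_TYPE_LIST = {
    "text/html",
    "text/javascript",
    "application/javascript",
    "application/x-shockwave-flash",
    "application/octet-stream",
}
CONTENT_SIZE_LIMIT = 2 * 1024 * 1024  # 2 MB buffer, as described above

# The public EICAR test string, assembled from two halves so this source
# file is not itself flagged by a resident scanner.
_EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR" + r"-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class Verdict:
    action: str          # "block", "allow" or "pass-through"
    reason: str
    scanned_bytes: int   # 0 when the response was never buffered


def scan_buffer(data: bytes) -> bool:
    """Stand-in for the scanning engine: True if the buffer is a threat."""
    return _EICAR.encode() in data


def proxy_response(content_type: str, body: bytes) -> Verdict:
    """Decide what the proxy does with one HTTP response body."""
    mime = content_type.split(";")[0].strip().lower()
    if mime not in MIME_TYPE_LIST:
        # Not a type the proxy buffers (e.g. images): streamed to the browser.
        return Verdict("pass-through", f"{mime} not in mimeTypeList", 0)
    if len(body) > CONTENT_SIZE_LIMIT:
        # Too large to buffer: streamed through; on-access scanning must
        # catch it if it is ever written to disk.
        return Verdict("pass-through", "exceeds contentSizeLimit", 0)
    if scan_buffer(body):
        # Browser receives a block page instead of the content.
        return Verdict("block", "threat detected in buffered content", len(body))
    return Verdict("allow", "clean", len(body))


def demo() -> dict:
    """Run constructed sample responses through the model."""
    samples = {
        "eicar.com": ("application/octet-stream", _EICAR.encode()),
        "index.html": ("text/html; charset=utf-8", b"<html><body>ok</body></html>"),
        "logo.png": ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
        "big.bin": ("application/octet-stream", b"A" * (CONTENT_SIZE_LIMIT + 1)),
    }
    return {name: proxy_response(ct, body) for name, (ct, body) in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict.action:12} {verdict.reason}")
```

The last two samples are the two gaps Jak's explanation points at: an unlisted type and an over-limit body both reach the browser without being scanned, which is why turning content scanning off only removes protection for small scripted content while larger downloads still depend on on-access scanning.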

  • In reply to jak:

    Jak,
    Problem fixed by full uninstall and reinstall. However, the extra info you have provided is also useful for future troubleshooting.
    Thanks.
    Jim