
Random Port Exhaustion on Sophos Endpoint Security and Control clients version 10.6.3 and 10.6.4 on Windows 10 Enterprise workstations.

Hi All, 

Good morning! I have deployed in my environment several Windows 10 Enterprise Edition machines with the Sophos Endpoint Security and Control Security 10.6.3 and 10.6.4 versions installed, and I'm randomly facing a problem where users are suddenly not able to browse the internet. Doing some troubleshooting, I found several events 4227 and 4231 in the Windows Logs. Doing some monitoring (NETSTAT -anoq -p tcp) of port utilization, I found that this file, C:\Program Files (x86)\Common Files\Sophos\Web Intelligence\swi_fc.exe, is opening several ephemeral port connections.

The only solution that we have found so far is to restart the machines, but the users are not quite happy.

Based on this, is there something else that I can do? 

Really appreciate your help and comments, 
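
Added example, not part of the original post: a Python sketch that takes saved output of the `NETSTAT -anoq -p tcp` command mentioned above and counts local ports in the dynamic range per owning PID, which is how a process such as swi_fc.exe shows up as the consumer. The sample output is constructed, PID 4321 is a placeholder, and the 49152-65535 range is the Windows default, assumed unchanged on the host.

```python
"""Count dynamic-range local TCP ports per PID from `netstat -anoq -p tcp` output."""
from collections import Counter

# Assumption: default Windows dynamic TCP port range (Vista / Server 2008 and later).
# Confirm on the host with: netsh int ipv4 show dynamicport tcp
EPHEMERAL_START, EPHEMERAL_END = 49152, 65535
POOL_SIZE = EPHEMERAL_END - EPHEMERAL_START + 1

# Constructed sample output, not taken from the thread. PID 4321 is a placeholder.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       620
  TCP    10.0.0.5:50002         203.0.113.10:80        SYN_SENT        4321
  TCP    10.0.0.5:50003         203.0.113.10:80        TIME_WAIT       0
  TCP    0.0.0.0:50004          0.0.0.0:0              BOUND           4321
  TCP    0.0.0.0:50005          0.0.0.0:0              BOUND           4321
  TCP    10.0.0.5:3389          10.0.0.9:51000         ESTABLISHED     1100
"""

def ephemeral_usage(netstat_text):
    """Return (ports per PID, ports per (PID, state)) for dynamic-range local ports."""
    by_pid, by_state = Counter(), Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # banner, header, blank or malformed line
        _, local, _, state, pid = parts
        port = int(local.rsplit(":", 1)[1])
        # Only the LOCAL port consumes this machine's dynamic port pool.
        if EPHEMERAL_START <= port <= EPHEMERAL_END:
            by_pid[int(pid)] += 1
            by_state[(int(pid), state)] += 1
    return by_pid, by_state

def heavy_users(netstat_text, min_ports):
    """PIDs holding at least min_ports dynamic ports, largest first."""
    by_pid, _ = ephemeral_usage(netstat_text)
    return [(pid, n) for pid, n in by_pid.most_common() if n >= min_ports]

if __name__ == "__main__":
    by_pid, by_state = ephemeral_usage(SAMPLE)
    print(f"{sum(by_pid.values())} of {POOL_SIZE} dynamic ports in use")
    for pid, n in by_pid.most_common():
        states = {s: c for (p, s), c in by_state.items() if p == pid}
        print(f"PID {pid}: {n} ports {states}")
```

Map the top PID to an image name with `tasklist /FI "PID eq <pid>"`; TIME_WAIT entries are reported under PID 0 because the owning process has already closed the socket.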



This thread was automatically locked due to age.
  • I am having the exact same issue as described here. I have found a workaround of disabling the web intelligence and web filter services. When the issue occurs I can simply stop these services and kill the process to prevent needing to reboot. 

    I am having this issue on server 2016 RDS Session Hosts.

  • What version of SAV do you have installed?

    10.8.3?
    10.8.4?

    or something else?

    Regards,

    Jak

  • Hi Jak,

     

    I am John. I have taken over this issue from Michael. We have SAV 10.8.2.

     

    Is there a new swi_fc.exe available that can resolve this port exhaustion issue?

     

    If not, disabling the Web Filter service is the current effective workaround. However, it seems to re-enable and start itself, possibly after a Sophos update etc. Not really sure why.

    Hence, is there a way not to deploy the Web Filter service altogether? It appears to be part of the Anti-Virus package and not a separate application we could exclude from deployment. I also could not find any MSI switches that could be applied to the ClientPackage.msi application to not install the Web Filter this way as well.

    I believe whenever the Sophos Management Service deploys updates to the servers, it re-enables and re-starts the disabled Web Filter service - this is not desirable.

     

    Regards,

    John

  • Hello John,

    Not a long-term solution, but if you disable Web Protection (in Central Realtime scanning (Internet)) and Web Control, swi_fc.exe shouldn't interfere.

    Christian

  • Christian is right, the issue, which is now fixed as I understand it, is to do with swi_fc.exe (the local web proxy) making outbound connections to addresses that aren't available, so if you disable:

    Web Control in the linked policy

    AND

    The 2 Web Protection features:

    • Block Access To malicious Websites
    • Content Scanning

    https://community.sophos.com/kb/en-us/123446

    Then browsers do not send traffic to swi_fc.exe so the issue can't occur.

    Regards,
    Jak

  • I've seen this issue happening in Windows Server 2016 as well. A Technical Support person suggested that the loopback address (127.0.0.1) is blocked in the Web Control Policy (under Website Exceptions).

    This seems to have worked - we did not observe any TCP port exhaustion issues in the last few days. So in my case I needn't block Web Protection features in the AV & HIPS policy. Might be worth trying as an alternative.