I have an open ticket with Sophos about this issue popping up on about 17 machines that were just recently updated to Windows 10 1703 from Windows 10 1607. Tried the following KB 114350 with zero luck in getting this resolved. I have tried uninstalling and reinstalling both manually on the console, and through the "Protect Computers" option within the Enterprise Console. Even created a group with the recommended policies as suggested within the KB article, with no luck on that either. Going to http://sophostest.com/malware/index.html to test and verify the machines are protected results in the website not being blocked. Looking for any ideas that might help resolve this issue once and for all.
I understand pretty well what's going on with the check. Maybe this information will help.
On Windows 10 at least, the Sophos Web Intelligence service (swi_service.exe) kicks off a check every hour to ensure that the web protection/control feature is working.
It also kicks off the check 5 minutes after the swi_service.exe process starts as long as the OS hasn't recently been started I think.
In any case the swi_service.exe process launches:
"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe"
and, if you're running 64-bit Windows it also launches:
"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag_64.exe"
You can see this going on if you launch Process Monitor. Restart the Sophos Web Intelligence service and wait 5 minutes.
For the check to succeed, these processes both need to return 0 to swi_service.exe. You can see the exit code of the processes in Process Monitor or call them from a batch file and look at the:
Of course, waiting 1 hour to troubleshoot is a bit awkward, so you can just manually run the 2 processes mentioned above in an administrative command prompt.
The processes mentioned are treated as a browser by the feature in that they should, when run, connect to the swi_fc.exe process (this is the proxy process the browser connects to that does the filtering) on its listening port. The check is deemed successful if the process is returned the "SWI ACK" message.
If you run an application that can sniff loopback traffic, such as rawcap.exe, you can see when you run swi_lspdiag_64.exe or swi_lspdiag.exe a stream that contains the "SWI ACK" string.
I would first check that the process swi_fc.exe is running. I would also check, using Process Explorer, the port it is listening on, e.g. 12080. I'd then run the diag utilities with RawCap and see if I could see the SWI ACK message returned by swi_fc.exe.
If you run these in a simple loop from a batch file checking the errorlevel, do they return 0?
Hopefully this gives you things to check.
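The manual check described in the post above, as an added example (not part of the original thread and not Sophos tooling): a PowerShell script that confirms swi_fc.exe is running, lists the port it listens on, and runs both diag utilities a few times, recording each exit code. Running the utilities without arguments follows the post; the three rounds and the 2-second pause are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added troubleshooting example. Paths and process names are the ones quoted
# in the post; the round count and pause are arbitrary choices.

$wiDir = 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence'
$diags = @('swi_lspdiag.exe')
if ([Environment]::Is64BitOperatingSystem) { $diags += 'swi_lspdiag_64.exe' }

# 1. Is the filtering proxy running, and which port is it listening on?
$proxy = Get-Process -Name 'swi_fc' -ErrorAction SilentlyContinue
if (-not $proxy) {
    Write-Warning 'swi_fc.exe is not running; the diag tools have nothing to connect to.'
} else {
    Get-NetTCPConnection -State Listen -OwningProcess $proxy.Id -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess |
        Format-Table -AutoSize
}

# 2. Run each diag utility and capture its exit code. The hourly check only
#    passes when every utility returns 0 to swi_service.exe.
$results = foreach ($round in 1..3) {
    foreach ($exe in $diags) {
        $path = Join-Path $wiDir $exe
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ Round = $round; Tool = $exe; ExitCode = $null; Result = 'missing' }
            continue
        }
        $p = Start-Process -FilePath $path -Wait -PassThru -WindowStyle Hidden
        [pscustomobject]@{
            Round    = $round
            Tool     = $exe
            ExitCode = $p.ExitCode
            Result   = if ($p.ExitCode -eq 0) { 'ok' } else { 'FAILED' }
        }
    }
    Start-Sleep -Seconds 2
}

$results | Format-Table -AutoSize

# Non-zero script exit makes the outcome usable from a scheduled task or RMM tool.
if ($results | Where-Object { $_.Result -ne 'ok' }) { exit 1 }
```

A `FAILED` row while swi_fc.exe is listening is the case worth capturing with a loopback sniffer, to see whether the "SWI ACK" reply is ever sent.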
In reply to jak:
Our enterprise is suffering from the same issue that Jamie described. We also tried to fix the issue following the KB114350 article, to no avail. Has there been any update on a fix to this issue? We currently have 22 machines giving this problem.
In reply to IT Support61:
Out of interest, do you know if the users of these computers seeing the issue are using Edge or Edge more than a user/computer that doesn't use Edge?
Jak, the issue was tackled because the # of computers with the "Web Protection..." error for our end-users increased in a short span of time, and was noticed from the SEC Console Dashboard. In any case, I verified with the users and I can confirm SOME of the machines are indeed using Edge. I tested these machines with the URL sophostest.com/malware/index.html; using Chrome did successfully block the page.
We are seeing the same problem. The error is occurring on builds 1703 and 1709 of Windows 10 for us. The users that are experiencing the error are not getting blocked for the test site above. I have tested on multiple browsers (Edge, IE, Chrome, Firefox) and the result is the same. We are not seeing this issue on older versions of Windows 10. Does Sophos have any updates on this issue? We are planning an OS update to 1709 and this issue is preventing us from upgrading.
In reply to jfktech:
Email from Sophos Support Staff -
We have been rolling out version 10.7.6 to the Preview subscription line, which contains the fix for this issue. Not all customers have it yet, so I suggest you open your subscriptions in SEC, select "Preview" for Windows Endpoint, and click Details... If the version stated is 10.7.6, you can upgrade to this version, which contains the fix. It will likely take a bit longer before it goes to the Recommended line, but the software is fully complete. We just use the Preview line so customers have a chance to test in their environments before full deployment.
NEXT Email -
Just clarified with my Global escalations team. We had to put a hold on the release of this build to preview for right now. The reason is due to some interactions we have with Citrix and we are working on resolving that issue. I don't have an ETA yet but I am working on finding that out.
There is a fix in the works but currently it has not been released as of yet. Sophos is aware of the issue and hopefully they can come up with a fix ASAP. They can identify potential virus issues but can't fix something that has been going on for months ??!
In reply to Jamie Ojida:
Thanks for the info!
Oh good. Thanks for the info.
I've got 403 endpoints flagging this and there is no way the troubleshooting steps suggested could be done practically on all those endpoints as many of them are laptops and tablets.
I look forward to the fix being released.
Any updates on this issue or patch? I've found very similar behavior with Windows 10 PCs in our environment.
Some Windows 10 systems, but not all, are reporting "Web Protection is no longer functional..." in the Enterprise Console.
We've tried the various fixes - re-protect; modify policies, apply, reboot, re-modify, apply, reboot - with no changes.
On one test system - running Win10 Enterprise 10.0.15063, Sophos Endpoint Security & Control ver. 10.7 - Web protection appears to be working in Chrome but not in Edge. However, this system does not show any errors in the Enterprise Console.
In reply to John Comes:
What version are you running? Are you running Recommended or Preview?
Sophos Endpoint Security & Control ver. 10.7
Enterprise Console ver 5.5.0
Reimaged system. It is now at Win 10 Enterprise, Version 10.0.16299 Build 16299
SophosTest Malware site is blocked in Chrome and Firefox. It is not blocked in Edge. In IE 11, it blocked on first visit, but refreshing the page results in viewing the test site that is classified as Malware.
Also experiencing this issue across many machines.
Windows 10 pro 1709
Endpoint version: 10.7
Web control version: 1.5.1539
Firefox, Chrome block appropriately. IE11, blocks sometimes. Edge does not block at all.
In reply to AHIT:
Are you using Recommended or Preview? Are they running 10.7.2 or 10.7.6?
From the troubleshooting that I have performed with Sophos, the following recommended settings were suggested to resolve the Web Protection issue.
Select Update Managers from the Enterprise Console and view your Software Subscriptions (bottom left). Create a Preview subscription by hitting the Add button and selecting the Preview "Early Release", which will push the following antivirus update: Sophos Anti-Virus Version 10.7.6 V3.70.2. This is the version that has the patch "fix" for the Web Protection issue.
It was stated that sometime in late January this version will be released to the Recommended ring, and at that point you can revert all clients back to Recommended rather than Preview.
I can provide more details on how to set this up with screenshots if anyone needs help.