Web protection is no longer functional. The filtering driver has been bypassed or unloaded [0xa058000c] Windows 10 1703

I have an open ticket with Sophos about this issue popping up on about 17 machines that were just recently updated to Windows 10 1703 from Windows 10 1607. Tried the following KB 114350 with zero luck in getting this resolved. I have tried uninstalling and reinstalling both manually on the console and through the "Protect Computers" option within the Enterprise Console. Even created a group with the recommended policies as suggested within the KB article, with no luck on that either. Going to http://sophostest.com/malware/index.html to test and verify the machines are protected results in the website not being blocked. Looking for any ideas that might help resolve this issue once and for all.


Thank you,


Jamie

  • I understand pretty well what's going on with the check. Maybe this information will help.

    On Windows 10 at least, the Sophos Web Intelligence service (swi_service.exe) kicks off a check every hour to ensure that the web protection/control feature is working.

    It also kicks off the check 5 minutes after the swi_service.exe process starts, as long as the OS hasn't recently been started, I think.

    In any case the swi_service.exe process launches:

    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag.exe"

    and, if you're running 64-bit Windows it also launches:

    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_lspdiag_64.exe"

    You can see this going on if you launch Process Monitor. Restart the Sophos Web Intelligence service and wait 5 minutes.

    For the check to succeed, these processes both need to return 0 to swi_service.exe. You can see the exit code of the processes in Process Monitor or call them from a batch file and look at the:

    %errorlevel%

    Of course, waiting 1 hour to troubleshoot is a bit awkward, so you can just manually run the 2 processes mentioned above in an administrative command prompt.

    The processes mentioned are treated as a browser by the feature, in that they should, when run, connect to the swi_fc.exe process (this is the proxy process the browser connects to that does the filtering) on its listening port. The check is deemed successful if the process is returned the "SWI ACK" message.

    If you run an application that can sniff loopback traffic, such as rawcap.exe, you can see, when you run swi_lspdiag_64.exe or swi_lspdiag.exe, a stream that contains the "SWI ACK" string.

    I would first check that the process swi_fc.exe is running. I would also check, using Process Explorer, the port it is listening on, e.g. 12080. I'd then run the diag utilities with RawCap and see if I could see the SWI ACK message returned by swi_fc.exe.

    If you run these in a simple loop from a batch file checking the errorlevel, do they return 0?

    Hopefully this gives you things to check.

    Regards,

    Jak
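As an added example, not part of Jak's reply and not a Sophos tool, here is a PowerShell script that runs the checks he lists from an elevated prompt: whether the Web Intelligence service and swi_fc.exe are running, which port swi_fc.exe is listening on (read from the process rather than assumed), whether that port accepts a plain TCP connection on loopback, and the exit codes of swi_lspdiag.exe / swi_lspdiag_64.exe over a short loop. The install path is the one Jak quotes; the service display-name pattern 'Sophos Web Intelligence*' and the loopback TCP probe are assumptions of this example, and 12080 is only the example port from the reply.

```powershell
# Added troubleshooting script (not from the thread). Run from an elevated PowerShell prompt.
# Assumptions: install path as quoted in the thread; service display name matching
# 'Sophos Web Intelligence*'; the actual swi_fc.exe port is discovered, not hard-coded.

$swiDir    = 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence'
$diagTools = @("$swiDir\swi_lspdiag.exe")
if ([Environment]::Is64BitOperatingSystem) {
    # 64-bit Windows also runs the 64-bit diag tool; both must exit 0 for the hourly check to pass.
    $diagTools += "$swiDir\swi_lspdiag_64.exe"
}

# 1. Is the Sophos Web Intelligence service (swi_service.exe) running?
$svc = Get-Service -DisplayName 'Sophos Web Intelligence*' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'No service with display name "Sophos Web Intelligence*" found (assumed name pattern).'
} else {
    Write-Host ("Service {0}: {1}" -f $svc.Name, $svc.Status)
}

# 2. Is the filtering proxy swi_fc.exe running, and which port is it listening on?
$fc = Get-Process -Name swi_fc -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $fc) {
    Write-Warning 'swi_fc.exe is not running; the diag tools cannot receive SWI ACK.'
} else {
    # Same information Process Explorer shows, taken from the TCP table for this PID.
    $listen = Get-NetTCPConnection -State Listen -OwningProcess $fc.Id -ErrorAction SilentlyContinue
    if (-not $listen) {
        Write-Warning ("swi_fc.exe (PID {0}) has no listening TCP sockets." -f $fc.Id)
    }
    foreach ($l in $listen) {
        Write-Host ("swi_fc.exe (PID {0}) listening on {1}:{2}" -f $fc.Id, $l.LocalAddress, $l.LocalPort)

        # Plain loopback connect: tells you whether the proxy accepts connections at all.
        # It does not speak the diag protocol, so it will not show the SWI ACK itself.
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect('127.0.0.1', [int]$l.LocalPort)
            Write-Host ("TCP connect to 127.0.0.1:{0} succeeded" -f $l.LocalPort)
        } catch {
            Write-Warning ("TCP connect to 127.0.0.1:{0} failed: {1}" -f $l.LocalPort, $_.Exception.Message)
        } finally {
            $client.Close()
        }
    }
}

# 3. Run the diag tools several times and record their exit codes (0 = check passed).
foreach ($tool in $diagTools) {
    if (-not (Test-Path $tool)) {
        Write-Warning "Missing: $tool"
        continue
    }
    foreach ($run in 1..5) {
        & $tool | Out-Null
        $code   = $LASTEXITCODE          # same value a batch file sees in %errorlevel%
        $status = if ($code -eq 0) { 'OK' } else { 'FAIL' }
        Write-Host ("[{0}] run {1}: exit code {2} {3}" -f (Split-Path $tool -Leaf), $run, $code, $status)
    }
}
```

If step 2 shows no listening socket or the connect fails while step 3 reports non-zero exit codes, the problem is the proxy side rather than the diag tools; if the connect succeeds but the tools still fail, capture the loopback exchange with RawCap as Jak describes and look for the "SWI ACK" string in the stream.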