Sophos Endpoint: How Sophos Web Interception works and Guidance when Running Speed Tests

Disclaimer: This information is posted as-is and the content should be referenced at your own risk

Hi Community,

This is an overview of how Sophos Web Interception works, with a specific focus on speed testing performance and the potential areas where issues may occur.

How Sophos Web Interception works

Sophos Web Protection / Web Control applies only to the following browsers (as of Jan 14, 2020):

  • Internet Explorer
  • Edge
  • Chrome
  • Firefox
  • Opera
  • Safari

Note: Other browsers are not intercepted. Should you wish to control these, Application Control would be the best solution.

This overview applies to Windows, Windows Server, and MacOS systems, as they all operate with the same workflow, just with different interception mechanisms (see step #3).

Sophos Web Interception Workflow

When a browser is used, the following workflow applies. Caveats for each step will be provided at the bottom:

  1. URL is accessed
    • Clicked by user,
    • Page accesses resources
  2. Web browser makes a call to the O/S to access the network
  3. Windows Filtering Protocol (WFP) (Windows 8+/Server 2012+), or Layered Service Provider (LSP) (Windows XP-7, Server 2003-2011), or Kernel Extension (KEXT) (MacOS) intercepts the browser traffic and sends it to localhost (127.0.0.1)
  4. The Sophos Web Intelligence Service is listening on localhost for this traffic, and grabs it
  5. The request is paused, and the HTTP GET request is parsed for the URI.
    • For HTTPS, we use Server Name Indication (SNI) to get the base URI
  6. Exclusions for web sites are checked, and matches are allowed through without further processing (see step 13)
  7. Web Intelligence performs an SXL Lookup (v3.1) to retrieve reputation and category information. Lookup responses are cached for 5 minutes
  8. Web Control (if enabled) checks the category information and Web Control rules for any matches
  9. If the reputation is bad, or Web Control flags the site to be blocked, the connection is blocked and an HTTP block page is returned to the browser (HTTP only); a popup is used for HTTPS.
  10. HTTPS connections are now allowed through without any further processing.
  11. HTTP traffic is now allowed to flow out and retrieve the requested resources.
  12. All files/pages returned by the site get passed through the Sophos AV Scanner for viruses and file reputation (if enabled). Only on clean scan results are they allowed back to the browser.
    Note: For streaming resources, the first 2MB are scanned before the rest of the stream is allowed. Some types of streams, such as streaming radio, are exempt from this scanning
  13. Traffic continues to flow through the above process until the site/browser is closed. Every page/file is submitted to this process
    • except for HTTPS streams, where only new connections to other URIs are checked.
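To make step 5 concrete, here is an added example (not Sophos code) of how an interception service can recover the requested host from the first bytes of a browser connection: for plain HTTP it parses the request line and Host header, for HTTPS it reads the Server Name Indication extension of the TLS ClientHello. The function names and the sample ClientHello builder are this example's own, and all inputs are constructed.

```python
# Added example: host extraction as in step 5 of the workflow. Not Sophos code.
import struct


def parse_http_request(data: bytes):
    """Return (host, path) from a plaintext HTTP request head, or None if it has no Host."""
    lines = data.partition(b"\r\n\r\n")[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace"), parts[1].decode("ascii", "replace")


def parse_sni(data: bytes):
    """Return the host_name carried in a TLS ClientHello's SNI extension, or None."""
    if len(data) < 6 or data[0] != 0x16 or data[5] != 0x01:
        return None  # not a TLS handshake record carrying a ClientHello
    p = 9 + 34                                      # record hdr, handshake hdr, version, random
    p += 1 + data[p]                                # session_id
    p += 2 + struct.unpack_from("!H", data, p)[0]   # cipher_suites
    p += 1 + data[p]                                # compression_methods
    if p + 2 > len(data):
        return None                                 # no extensions block at all
    ext_end = p + 2 + struct.unpack_from("!H", data, p)[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", data, p)
        p += 4
        if ext_type == 0:                           # server_name: list len(2), type(1), name len(2)
            name_len = struct.unpack_from("!H", data, p + 3)[0]
            return data[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += ext_len
    return None                                     # ClientHello without SNI: no name to look up


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with a single SNI extension (test input only)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def identify_request(data: bytes):
    """Step 5: ('http', host, path) for HTTP, ('https', sni) for TLS, otherwise ('unknown',)."""
    if data[:1] == b"\x16":
        sni = parse_sni(data)
        return ("https", sni) if sni else ("unknown",)
    req = parse_http_request(data)
    return ("http",) + req if req else ("unknown",)
```

A ClientHello that omits SNI yields no hostname, so only the reputation of the destination IP, not the site name, would be available to later steps.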

Workflow #3

Workflow #5

Workflow #7

  • SXL queries (more info: KB 117963) are expected to take less than 100ms, and most often much less.
    • There are SXL servers around the globe to ensure fast regional responses.
  • HTTP SXL 3.1 is preferred; if HTTP is unavailable, DNS SXL 3.1 is used as a fallback.

Workflow #8

  • The Web Control information is returned in the same response as the reputation, so there is no additional network overhead, only the (very fast) checking of the rules.

Workflow #10

  • This only applies to Sophos’ scanning on the Endpoint. Other network devices may still scan the traffic.

Running speed tests on a Sophos Endpoint protected machine

Internet speed tests can often report values that differ from what is expected because of how Sophos Web Interception works.

Speed tests use scripting to time the download of files. These downloads pass through the entire workflow above. The file sizes are then divided by the elapsed time to get the “speed”. Often, speed tests use several files of differing sizes, to allow for testing of faster connections.

To reduce the possible overhead, it is recommended on Windows to use a command line check, such as the one found at https://www.speedtest.net/apps/cli.

  • When run from the command line, it runs without Web Protection interception.
  • If renamed to chrome.exe and then run, it will be intercepted.
    • This gives a directly comparable result, and avoids any issues with browser add-ins or scripting.

The time taken to perform the SXL lookup and to scan the downloaded file adds overhead to each file, which results in speed values that may be lower than expected. SXL overhead remains the same regardless of file size, whereas scanning takes longer on larger files.

Note: It is recommended that no other web interception software (such as a VPN or DLP software) is running when testing, to ensure that only Sophos Web Protection is being checked.

Thanks,
