Endpoint Protection - Policies - Web Control - Does NOT stop EXE downloads if HTTPS

Sophos has just made me aware that the "Endpoint Protect web filter DOES NOT WORK on httpS", so people can download whatever they want if it's httpS..

Is everyone aware of this???

  • Hi Ian,

    Could you please provide more information regarding the Sophos products/environment that you are using, as well as the actions that are taking place (and not working)?

    Here's the Web Control Article which includes HTTPS scenarios:
    Sophos Central: Web Control Frequently Asked Questions 

    Here are the policy options 

    If you are referring to DLP, we do have an article listing its limitations: Known limitations with data control

    Also, if you have a ticket number, please DM it to me so that I can follow-up.

    Regards,

  • In reply to Barb@Sophos:

    Hi,

    We are using Sophos Cloud - Endpoint protection. I have a support ticket which confirms Web control DOES NOT WORK on httpS

    RE: [#8191978] Sophos Central Admin Support Request

    Sorry for the delay, I have gone to my L2 team with those logs and we've identified the root cause of this issue now.

    Basically the reason this isn't working is because the site / sites used to download are HTTPS. If you get that user to try to download from this link for example (http://www.winzip.com/win/en/downwz.html), the download is on HTTP and the policy should apply correctly. Can you please get the end user to test this or something similar to confirm?

    The reason this happens is because we cannot monitor the HTTPS traffic with Web Control.

    I suspect other customers are not aware of the major flaw in the Web control feature; nowhere on the portal does it state "Web filtering does not work on HTTPS sites", and there is no documentation that I can find with reasonable effort that states this.

    Ian


  • In reply to Ian Harris:

    Hi,

    The proxy on the client doesn't man-in-the-middle HTTPS. Some might say this is a good thing as it is a risk to do it. The local proxy sits in front of the browser (or in the browser process on Windows 7/2008) like any other web proxy.

    It can perform classification of HTTPS sites through SXL look-ups so can block malicious sites but it doesn't have the ability to scan the content of HTTPS. 

    This means the content scanning feature will not see the content which is not totally the end of the world as:
    1. The site could be classified as malicious, in which case the site would be blocked before the file was downloaded.
    2. If download reputation is on, then a lookup to see the reputation of the file would be performed post download.
    3. If a malicious file is downloaded then the on-access scanner would detect it as it's written to the cache.

    The downside I can see is that file type classification in Web control cannot work, to say, that file is an exe, that is a DLL, etc.

    I suppose if you want HTTPS scanning, you need to do it on the XG or UTM.

    Regards,
    Jak

  • In reply to jak:

    Hi Ian,

    Thank you for the clarification. It looks like your ticket has been properly escalated (please feel free to DM me if you have any specific questions regarding it).

    As for your report regarding HTTPS downloads, I will reach out to our KB writers so that they can review the current documentation and make any necessary updates.

    Regards,

  • In reply to Barb@Sophos:

    Update:

    We are still working internally to consolidate/update the KB articles in order for this information to become clearer.  

    Adding to what jak already covered:

    Web Control will work over https, however you will need to block the root website. So, if you were to block www.SomeWebsite.com, then pages from that site (both http and https) will be blocked.
    There is another KB article (still needs to be updated) that further explains how URI Security checks on HTTPS requests with Sophos Web Protection work.

    Hope this helps. I will update this thread once the articles have been reviewed/updated as needed. 

    Regards,

  • In reply to Barb@Sophos:

    We wanted to stop streaming media to block people watching the world cup. I added the URL to the BBC iPlayer and Sophos still allowed it through. Are you saying that we need to block entire access to bbc.co.uk as the root just to block the iplayer url? What about legitimate BBC sites like weather and news?

    Almost every website has now converted to HTTPS due to Google's new security rules. This is going to cause major problems surely and render the Web Control element virtually useless.

    Regards

    Jeff

  • In reply to Jeff Usher:

    I suspect you will need to block other domains. I've just tested opening iPlayer in Chrome with the Developer Tools open and captured the domains used. The following have appeared when playing:

    Media:
    emp.bbci.co.uk

    XHR:
    vs-dash-uk-live.akamaized.net

    JS:
    fig.bbc.co.uk
    idcta.api.bbc.co.uk
    etc...

    You could try considering bbci.co.uk as well and other domains the service loads resources from.

    Regards,

    Jak

  • In reply to jak:

    Thanks Jak,

    But surely if I block the page: https://www.bbc.co.uk/iplayer they should not even get to the point of actually playing a video, which is what I'm trying to achieve.

    Jeff

  • In reply to Jeff Usher:

    Thinking about it a little more, I don't think you could block a URL if it's HTTPS. All Sophos Web Control at the client can see for HTTPS is the domain/sub-domain name which it gets from the SSL handshake SNI record - en.wikipedia.org/.../Server_Name_Indication.

    As a result, you'd have to block bbc.co.uk which would be "too much". Maybe try blocking emp.bbci.co.uk and some of the domains/sub-domains that only iPlayer uses if you can?

    To be honest, for HTTPS you probably need to use an appliance that can do man-in-the-middle SSL inspection such as the XG or UTM but maybe the above info could allow something.

    Regards,
    Jak

  • In reply to jak:

    Documentation has been updated to better explain https limitations:

    Why are some files blocked based on the Additional security options settings and others are allowed
    Under the Additional security options of the web control policy it is possible to control access to individual file types. For example, the customer can block executable files. These checks are also subject to SXL lookups to see if they are from a trusted source. For example, an executable file from Microsoft or Apple is not subject to the same checks as that from an unknown source.

    Note: The security options on risky file types, which is one of the functions of the web control, currently does not work on HTTPS websites. Alternatively, you can block the root domain of the website or the website's category from where the file is being downloaded.


    Regards,

  • In reply to Barb@Sophos:

    Only way to achieve blocking file types from https is to do SSL Decryption from the firewall.