
Central kills Dymo Label Printers using AthenaNet device manager

Has anyone run into this before?  Sophos Central is killing Dymo Label Printers using AthenaNet device manager.  None of our registration PCs have been able to print labels for almost 2 weeks now.  I have an open ticket but no resolution has been found yet.  Disabling the "Sophos Web Filter Service" allows the printers to work.  When the service is enabled no blocked website events are showing up on the client or on the Central console.  We were halfway through a conversion from Enterprise Console to Central and we are at a standstill until we get this resolved.  Can anyone help?  Thanks.



This thread was automatically locked due to age.
  • Are you able to allow the website through as an exclusion?

  • Hi  

    I am really sorry that you are facing this issue with the Central Endpoint. I see that you have already isolated the Sophos component causing the issue, I would request you to raise a case with our support to look into this. Also, I would request you to collect SDU log from the specific client computer along with the Memory dump of the process.

    Please follow the below steps to collect the memory Dump or you can contact our support who will help you with it.

    1. Create the directory C:\dumps\
    2. Download Procdump from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump and save it to C:\dumps\
    3. Run in an admin prompt:
       procdump -ma -i C:\dumps
    4. Recreate the issue and you should have a dump file created in C:\dumps\
    5. Run:
       procdump -u
       to unregister Procdump as the post-mortem debugger.

    You can PM the case number so that I can follow up with the case internally. 

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • The Sophos Web Filter service launches swi_fc.exe which proxies web traffic from browsers.  If stopping this helps, it suggests that whatever the software does comes from a browser process?

    If you make an IP exclusion for the address that is being connected to by the browser, then the connection is not proxied so that should always work.

    You have to do this in the threat protection policy or using the global exclusions.  For example, add a "website" exclusion here:
    https://cloud.sophos.com/manage/config/settings/scanning-exclusions

    For the IP of the printers if they have an IP?

    or maybe add 127.0.0.1 if the browser connects to a local process over loopback and that is failing?

    Regards,

    Jak
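
A way to check the loopback hypothesis from the reply above on an affected PC, as an added example that is not part of the original post and is not Sophos or athenahealth code. It lists TCP listeners reachable over loopback with their owning process, then the connections currently held by swi_fc.exe; the function names and output fields are assumptions made for this sketch, and it should be run in an elevated PowerShell prompt.

```powershell
# Added diagnostic example; function names are hypothetical.
function Get-LoopbackListener {
    # Listeners a browser on this PC could reach via 127.0.0.1 or ::1
    # (sockets bound to all interfaces are reachable over loopback too).
    $local = '127.0.0.1', '::1', '0.0.0.0', '::'
    Get-NetTCPConnection -State Listen |
        Where-Object { $local -contains $_.LocalAddress } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = $p.ProcessName
            }
        } | Sort-Object LocalPort
}

function Get-ProxyConnection {
    # Connections currently owned by the Sophos web proxy process (swi_fc.exe).
    $ids = @(Get-Process -Name 'swi_fc' -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty Id)
    if ($ids.Count -eq 0) { return }   # proxy not running: nothing to report
    Get-NetTCPConnection |
        Where-Object { $ids -contains $_.OwningProcess } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
}

Get-LoopbackListener | Format-Table -AutoSize
Get-ProxyConnection  | Format-Table -AutoSize
```

Run it while the device-management page is open in the browser: a swi_fc connection whose remote address is loopback and whose remote port matches a listener owned by the device manager process would suggest that the browser's local traffic is passing through the proxy.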

  • Thank you for replying Gowtham.  As stated previously, I already opened a case with support nearly 2 weeks ago and they have not been able to resolve this yet.  We did a remote session and they ran the diagnostic tool and collected logs.  I also sent them the AthenaNet device manager executable, which they sent to Sophos Labs for analysis which didn't help. 

    I downloaded procdump, saved it to c:\dumps, then ran the instructed command as admin then recreated the problem but it did not create any logfile in c:\dumps.  Did I miss something?

    Thanks!
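
Step 5 of the instructions quoted earlier describes `procdump -i` as registering ProcDump as the post-mortem debugger, which writes a dump when a process crashes. The following added example (not part of the original thread, and not Sophos code) checks whether that registration is in place and whether any dump files exist; the function name is hypothetical and `C:\dumps` is the directory from the steps above.

```powershell
# Added example: confirm the post-mortem (AeDebug) registration and look for dumps.
function Test-ProcdumpPostmortem {
    param([string]$DumpDir = 'C:\dumps')
    # 64-bit and 32-bit views of the AeDebug key that names the post-mortem debugger.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
    $reg = foreach ($k in $keys) {
        $dbg = (Get-ItemProperty -Path $k -Name Debugger -ErrorAction SilentlyContinue).Debugger
        [pscustomobject]@{ Key = $k; Debugger = $dbg; IsProcdump = ($dbg -match 'procdump') }
    }
    $dumps = @(Get-ChildItem -Path $DumpDir -Filter *.dmp -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Registration = $reg
        DumpCount    = $dumps.Count
        NewestDump   = ($dumps | Sort-Object LastWriteTime -Descending |
                        Select-Object -First 1).FullName
    }
}

$result = Test-ProcdumpPostmortem
$result.Registration | Format-List
$result | Select-Object DumpCount, NewestDump
```

If the registration is present and `DumpCount` stays at 0 after reproducing the problem, no process crashed while the printers were failing.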

  • Hi Jak,

    I appreciate the suggestions!  However, the first thing that Sophos support did during my remote session with them was exclude multiple variations of the website in global exclusions and the threat protection policy applied to the client PC.  Actually, I had already done this before contacting support.  Most of the Dymo label printers are connected via USB.  127.0.0.1 is already in the global exceptions list as well.  Is there something else I could try?  Thanks again!

  • Hi  

    Can you please PM the case number? Let me check with the case and get back to you.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • Thank you Nick.  Adding the website as an exclusion to the threat protection policy and the global exclusions list didn't help though.  

  • Hi,

    I'm most curious as to why disabling this service: "Sophos Web Filter Service" ("C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_filter.exe") helps.

    With that service running, if you disable the 3 features that use the local web filter, which are:

    1. Web Control

    You can disable this feature for a test client, by creating a test Web Control policy for the computer.

    2. Scan downloads in progress

    This is content scanning of HTTP web traffic.

    3. Block access to malicious websites

    This is the lookups to classify sites.

    Features 2 and 3 are part of the "Threat Protection" policy, under the section: "Real-time Scanning - Internet".

    With these 3 features disabled, browsers do not redirect traffic to swi_fc.exe. 

    As you have that service, these computers must all be Windows 8.1 or later, as Windows 7 computers don't have that service; the web proxy is loaded into the browser process by an LSP.

    So with those 3 features off, does the printer then work?

    If so, I would enable Web Control first; does that break it again?
    If not, then maybe enable "Block access to malicious websites".
    Finally, "Scan downloads in progress".


    Regards,

    Jak

  • Thank you Jak, your info helped narrow the problem down.  In the "Threat Protection" Policy applied to the computer group, underneath the "Realtime Scanning - Internet" section, disabling BOTH "Scan downloads in progress" and "Block access to malicious websites" allows the label printers to function normally.  If I enable either one (or both), they will not work--they show up as "not running" on the Athena webpage that allows you to manage devices.

    I have created a Threat Protection policy for the afflicted workstations with these security features disabled ("Scan downloads in progress" and "block access to malicious websites").  This will work as a temporary fix, but leaves the workstations vulnerable to some extent.  Now the question is, how do I create an exemption that allows the printer to function without disabling "Scan downloads in progress" and "block access to malicious websites"?

    Thanks again!

     

           

  • What OS are these computers?

    Thanks.