
Sophos Endpoint causing 1000s of Audit Failures in Event Viewer

I've seen some reports, so I decided to take a look myself.

I noticed lots of Audit Failures in Event Viewer. Some troubleshooting later, I found out the following is happening:

The default state of the Audit Policy "Filtering Platform Packet Drop" is No Auditing. After installation of Sophos Server Protection (Core Agent, A/V, Intercept X), I saw it change to "Failure", and logs start to appear. Setting it back to No Auditing solves the "problem".

While I do get what this Policy does, I wonder why Sophos is changing the auditing of the default Windows Firewall.

Thanks



  • Hello

    To report firewall-blocked application connections, Sophos uses the local profile configuration set on the computer.

    When installing the Endpoint Firewall component, Sophos attempts to set the audit policy to enable Windows Firewall application block events. This means when the Windows Firewall blocks an application because it violates one of the Firewall rules, an entry is added to the Windows Security log. If the audit policy is already being managed by Windows Group Policy and is disabled, blocked application events will not be sent to Sophos Central.

    The configuration change made is equivalent to:

    auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable

    On uninstall of the Sophos endpoint software, this setting is left in place, thus leaving the auditing turned on. It can be disabled by an admin locally or via Windows Group Policy if required at a later time.

    If the audit setting is overridden by an admin whilst the Endpoint Firewall component is enabled, this will prevent blocked applications from raising entries in the Windows Security log, and application-blocked messages will not be sent to Sophos Central.

    For further information from Microsoft on using this configuration, see Enabling Audit Events for Windows Firewall with Advanced Security.
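The reply above describes a single `auditpol` change made at install time and left in place on uninstall, and warns that a GPO-managed audit policy silently wins over it. The script below is an added example (written for this page, not Sophos's code and not taken from the Microsoft article linked above) that checks the subcategory's current state with the same `auditpol` tool, applies or reverts the setting, and flags the GPO case. The `audit.csv` path check is an assumption used as a heuristic: Advanced Audit Policy delivered by Group Policy is normally cached at that path on the client, so its presence means a local `auditpol /set` will be overwritten at the next policy refresh. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not Sophos code). Inspect and manage the
# "Filtering Platform Packet Drop" audit subcategory that the
# Sophos Endpoint Firewall component enables for failures.
# Requires an elevated PowerShell prompt.

$Subcategory = 'Filtering Platform Packet Drop'

function Get-PacketDropAuditState {
    # auditpol /r prints CSV; parse that instead of scraping the
    # localized, column-aligned table output.
    $csv = auditpol /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv
    if (-not $csv) { throw 'auditpol returned nothing; run as Administrator.' }
    [pscustomobject]@{
        Subcategory      = $csv.Subcategory
        InclusionSetting = $csv.'Inclusion Setting'   # 'No Auditing', 'Failure', ...
        FailureEnabled   = ($csv.'Inclusion Setting' -match 'Failure')
    }
}

function Test-AuditPolicyFromGpo {
    # Heuristic (assumption, not from the thread): when a GPO delivers
    # Advanced Audit Policy, the client keeps a copy at this path. If it
    # exists, a local auditpol change is overwritten at the next policy
    # refresh, which is the case the Sophos reply warns about.
    Test-Path "$env:SystemRoot\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv"
}

function Set-PacketDropFailureAudit {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('enable', 'disable')]
        [string]$Action
    )
    # 'enable' is equivalent to the change Sophos makes at install;
    # 'disable' is the admin rollback after uninstall, which Sophos
    # does not perform for you.
    auditpol /set /subcategory:"$Subcategory" /failure:$Action | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }
    Get-PacketDropAuditState
}

$state = Get-PacketDropAuditState
"{0}: {1} (managed by GPO: {2})" -f $state.Subcategory, $state.InclusionSetting, (Test-AuditPolicyFromGpo)

# Example rollback after the Sophos endpoint has been removed:
#   Set-PacketDropFailureAudit -Action disable
```

Keep the GPO check in mind before touching the setting at all: if `audit.csv` is present and the GPO leaves the subcategory at No Auditing, neither the Sophos installer nor a manual `auditpol /set` will stick, and the fix has to be made in the GPO.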

  • Hi,

    Reading through this I am still none the wiser as to what Sophos is actually using this for.

    To set the context, we have a customer with an environment of around 200 systems, each logging around 40,000 of these 5152 events per 5 minutes (and they are VDI machines, so they are basically running 24x7)! Now I would dearly love to stop the source of these alerts but can't at source: 95% of the machines are running Sage 50 Accounts which, for some support tool discovery process, issues broadcast packets to the local subnet about twice per second on two UDP ports for two different versions of the data service (there might be more if I knew what obscure ports I was looking at). From what we can see it isn't even needed for the production feature, just a support tool where the client side only opens the "listening" side when you launch the support tool... although I am not convinced that wouldn't generate more failure audit events if I did it through Windows Firewall, either on the source or destination machines!

    Now I know how to disable this using auditpol but am unclear what the impact of doing so would be... yes, I know that the events will no longer be logged and thus Sophos won't have visibility of these block events, but then I have no idea what you are doing with them, where they are being fed to, etc., whether it is remotely important and what in reality is going to happen if this is disabled. I have looked at Central and I can't see where these events are being logged... certainly I can't see 2.304 billion events being listed, so I am not sure where they are supposedly ending up!

    Cheers

    Chris
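The post above is the practical problem behind this thread: a flood of event 5152 ("The Windows Filtering Platform has blocked a packet") from a broadcasting application, with no obvious way to see which process, protocol and port is responsible. The script below is an added example (written for this page, not Sophos's or Sage's code) that reads 5152 events from the Security log over a short window and groups them by application, direction, protocol and destination port, with a per-minute rate so the figures can be compared with the 40,000-per-5-minutes quoted above. The field names and the `%%14592`/`%%14593` direction codes are the ones Windows documents for event 5152; the "broadcast" column is my own crude heuristic on the destination address and is labelled as such in the code. It is read-only and only needs rights to read the Security log.

```powershell
# Added example (not Sophos code). Summarise Security event 5152 so the
# process, protocol and port behind a flood of failure audits can be
# identified. Read-only; requires permission to read the Security log.

param(
    [int]$MaxEvents = 20000,                      # bound the scan on busy hosts
    [datetime]$Since = (Get-Date).AddMinutes(-5)  # same 5-minute window the thread quotes
)

# Direction codes and protocol numbers as they appear in 5152 EventData.
$DirectionNames = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }
$ProtocolNames  = @{ 1 = 'ICMP'; 6 = 'TCP'; 17 = 'UDP' }

function Get-PacketDropSummary {
    param([int]$MaxEvents, [datetime]$Since)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152; StartTime = $Since } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $rows = foreach ($e in $events) {
        # EventData is easiest to read from the event XML; the Data names
        # (Application, Direction, Protocol, DestPort, ...) are stable for 5152.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

        $proto = $ProtocolNames[[int]$d.Protocol]
        if (-not $proto) { $proto = "proto $($d.Protocol)" }   # anything not in the map

        [pscustomobject]@{
            Application = $d.Application
            Direction   = $DirectionNames[$d.Direction]
            Protocol    = $proto
            DestPort    = [int]$d.DestPort
            DestAddr    = $d.DestAddress
        }
    }

    # Rate over the sampled window, so counts are comparable across hosts.
    $minutes = [math]::Max(1, ((Get-Date) - $Since).TotalMinutes)

    $rows | Group-Object Application, Direction, Protocol, DestPort |
        Sort-Object Count -Descending |
        ForEach-Object {
            $g = $_.Group[0]
            [pscustomobject]@{
                Count       = $_.Count
                PerMinute   = [math]::Round($_.Count / $minutes, 1)
                Direction   = $g.Direction
                Protocol    = $g.Protocol
                DestPort    = $g.DestPort
                # Heuristic (assumption): a /24 directed broadcast or the
                # limited broadcast address. Good enough to spot discovery traffic.
                Broadcast   = ($g.DestAddr -like '*.255')
                Application = $g.Application
            }
        }
}

Get-PacketDropSummary -MaxEvents $MaxEvents -Since $Since | Format-Table -AutoSize
```

Run it on one of the noisy hosts and the top rows give the executable path and the two UDP ports the discovery traffic uses; that is the evidence needed either to narrow a firewall rule to that traffic or to decide, with the numbers in hand, that disabling failure auditing for the subcategory is the lesser evil on those machines.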