SWI_FC.EXE Slowing Down Google Drive via Chrome

SWI_FC.EXE is slowing down Google Drive uploads via Chrome to an unacceptable degree.

We need to disable SWI_FC.EXE on 3 specific computers.  Is there a way to disable the relevant policies for a specific computer group?  If so, how?

From what I've seen, the relevant policies are tied to users, not computers, so this can't actually be done.

Thanks.

  • I have a computer policy that disables:

    Scan downloads in progress
    Block access to malicious websites

    I now have a user policy that has the top level Web Control turned on ("Enforce the settings in this section of the policy"), but has every feature turned off ("Additional security options", "Acceptable web usage", "Protect against data loss", "Log web control events", "Control sites tagged in Website Management", "Apply this web control policy at set times only").

    The policies are applied to the relevant computers/users.  SWI_FC.EXE is still showing up, taxing the CPU, and slowing down our uploads.

    Do I need to turn "Web Control" off at the top level (so it says "Ignore the settings in this section of the policy")?  Wouldn't this mean the policy below it (our base policy, which has some features enabled) applies?

     

    If I turn tamper protection off, turn off everything I can locally, restart, then upload via Google Drive, SWI_FC.EXE doesn't interfere.  But I can only do that for 4 hours at a time, and it's a huge hassle.

    If I simply end task on the SWI_FC.EXE process, that seems to have the same effect.  I assume that it will come back on its own (since tamper protection is on) at some point, however.  It'll also come back on its own after every restart.

  • In reply to Brian Stewart:

    Hello  

    If turning off "Web Control" from the Endpoint UI appears to resolve the CPU, it's likely that Web Protection is interfering with the Google Drive operations in Chrome. You can try adding a scanning exclusion in your Threat Protection policy (with Exclusion Type: Website) for Google Drive domains and IP and see if that helps.

    If this does not resolve and/or further investigation is needed, please open a support case.

  • In reply to DianneY:

    These are the policies I'm using for the computers (and now users) that need to upload large files to Google Drive.

    My goal is to completely disable SWI_FC.EXE, not grant Google Drive an exception.  As far as I can tell, all web scanning/interference should be disabled based on these policies.  But that's not the case.

    If there are other settings or other policies I need to change in order to completely disable SWI_FC.EXE or whatever it's doing, please let me know.

     

    As a further example, SWI_FC.EXE causes 50% CPU utilization and reduced speeds when running a speedtest at speedtest.net.  This is on a Ryzen 2400G, with 8 cores and 16 threads.

  • In reply to Brian Stewart:

    To disable the local web proxy (swi_fc.exe) you have to disable:

    • Web control policy
      • Disable Web Control
    • Threat Protection policy
      • Scan downloads in progress
      • Block access to malicious websites

    Disabling these 3 features will mean that the browsers no longer proxy traffic via swi_fc.exe.

    If you leave just one of the above 3 features enabled then traffic goes through swi_fc.exe unless a particular site is excluded by IP in the Threat Protection exclusion policy or the global exclusion policy as a website exclusion.

     

    Regards,

    Jak

     

     

  • In reply to jak:

    Thanks for the reply, but shouldn't the settings I have above work for disabling those 3 things?

    The only other thing I can do is turn off the topmost control for "Web Control", but as far as I can tell that means it will just default to the settings in the base policy (where it's on).

  • In reply to Brian Stewart:

    I would suggest:

    "Enable realtime scanning" (that is one of the main defenses) and not related to web protection in Central if the web protection specific options are turned off.  In on-premise the default of web protection is the same as on-access, but it can be turned off independently also.

    You can leave download reputation enabled, this is probably even more important if you disable web protection.

    Detect network traffic to command and control servers can be enabled, this doesn't use swi_fc.exe and should be ok to alert to non browser processes making connections to known bad addresses.

    Also enable HIPS (runtime detection), this is unrelated to web protection/control features.

    I can only think that you need to disable web control, such that when the client gets the policy:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Web Intelligence\Web Control
    enabled = 0 rather than 1 which I assume it still is.

    In the client UI, when you're on the settings page (tamper off or admin login) you can see that web control is off as well but the above key is good enough.

    Regards,

    Jak

     

  • In reply to jak:

    jak

    To disable the local web proxy (swi_fc.exe) you have to disable:

    • Web control policy
      • Disable Web Control
    • Threat Protection policy
      • Scan downloads in progress
      • Block access to malicious websites

     

    I have "Scan downloads in progress" and "Block access to malicious websites" disabled.

    I have everything under Web Control turned off.  Web Control itself is turned on.  Do I need to turn "Web Control" off at the top level (so it says "Ignore the settings in this section of the policy")?  Wouldn't this mean the policy below it (our base policy, which has some features enabled) applies?

  • In reply to Brian Stewart:

    I have tested with the top level "Web Control" option enabled and everything below it disabled, alongside an exclusion for the drive.google.com and google.com domains.
    After waiting a while to allow policy to propagate, then rebooting the device, SWI_FC.EXE still interferes.

    I have also tested with the top level "Web Control" option disabled (and everything below it disabled), alongside an exclusion for the drive.google.com and google.com domains.
    After waiting a while to allow policy to propagate, then rebooting the device, SWI_FC.EXE still interferes.

    I checked the registry, and Web Control has Enabled = 0. I did not modify this value manually - this is what it was after the machine was rebooted.

    At this point, the only thing I can think of to get rid of this is to uninstall Sophos.
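
A read-only check of the endpoint state discussed in this thread, added here as an example and not posted by any participant or taken from Sophos documentation. It reads the Web Control registry value Jak names, then reports whether swi_fc.exe is running, which TCP ports it listens on, and how much CPU it uses over a sample window; the 10-second window and running from an elevated prompt are assumptions.

```powershell
# Added example: the key, value name and process name come from the thread.
# Read-only: nothing here changes Sophos settings or stops the process.
$KeyPath   = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Web Intelligence\Web Control'
$ValueName = 'enabled'   # 0 = Web Control off on the client, per the thread
$ProcName  = 'swi_fc'    # Get-Process expects the name without .exe
$SampleSec = 10          # assumption: CPU sampling window in seconds

# 1. Web Control state as the client received it from policy
$enabled = $null
if (Test-Path -LiteralPath $KeyPath) {
    $enabled = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
                    -ErrorAction SilentlyContinue).$ValueName
}

# 2. Is the local web proxy running, and is it holding listening sockets?
$procs     = @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue)
$listeners = @()
$cpuPct    = 0
if ($procs.Count -gt 0) {
    $listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $procs.Id -contains $_.OwningProcess })

    # 3. CPU seconds consumed during the window, as a share of all logical cores.
    #    Start the upload or speed test before running this step.
    $before = ($procs | Measure-Object -Property CPU -Sum -ErrorAction SilentlyContinue).Sum
    Start-Sleep -Seconds $SampleSec
    $after  = (Get-Process -Id $procs.Id -ErrorAction SilentlyContinue |
        Measure-Object -Property CPU -Sum -ErrorAction SilentlyContinue).Sum
    $cores  = [Environment]::ProcessorCount
    $cpuPct = [math]::Round((($after - $before) / ($SampleSec * $cores)) * 100, 1)
}

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    WebControlEnabled  = if ($null -eq $enabled) { 'value not found' } else { $enabled }
    ProcessRunning     = ($procs.Count -gt 0)
    ListeningEndpoints = ($listeners |
        ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
    CpuPercentAllCores = $cpuPct
}
```

If `WebControlEnabled` is 0 while the process still shows CPU load during an upload, the registry value alone does not settle the question: per Jak's reply, "Scan downloads in progress" and "Block access to malicious websites" in the Threat Protection policy each keep browser traffic on swi_fc.exe as well.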