
SWI_FC.EXE Slowing Down Google Drive via Chrome

SWI_FC.EXE is slowing down Google Drive uploads via Chrome to an unacceptable degree.

We need to disable SWI_FC.EXE on 3 specific computers.  Is there a way to disable the relevant policies for a specific computer group?  If so, how?

From what I've seen, the relevant policies are tied to users, not computers, so this can't actually be done.

Thanks.



This thread was automatically locked due to age.
  • I have a computer policy that disables:

    Scan downloads in progress
    Block access to malicious websites

    I now have a user policy that has the top level Web Control turned on ("Enforce the settings in this section of the policy"), but has every feature turned off ("Additional security options", "Acceptable web usage", "Protect against data loss", "Log web control events", "Control sites tagged in Website Management", "Apply this web control policy at set times only").

    The policies are applied to the relevant computers/users.  SWI_FC.EXE is still showing up, taxing the CPU, and slowing down our uploads.

    Do I need to turn "Web Control" off at the top level (so it says "Ignore the settings in this section of the policy")?  Wouldn't this mean the policy below it (our base policy, which has some features enabled) applies?

     

    If I turn tamper protection off, turn off everything I can locally, restart, then upload via Google Drive, SWI_FC.EXE doesn't interfere.  But I can only do that for 4 hours at a time, and it's a huge hassle.

    If I simply end task on the SWI_FC.EXE process, that seems to have the same effect.  I assume that it will come back on its own (since tamper protection is on) at some point, however.  It'll also come back on its own after every restart.

  • Hello  

    If turning off "Web Control" from the Endpoint UI appears to resolve the CPU, it's likely that Web Protection is interfering with the Google Drive operations in Chrome. You can try adding a scanning exclusion in your Threat Protection policy (with Exclusion Type: Website) for Google Drive domains and IP and see if that helps.

    If this does not resolve and/or further investigation is needed, please open a support case.

  • These are the policies I'm using for the computers (and now users) that need to upload large files to Google Drive.

    My goal is to completely disable SWI_FC.EXE, not grant Google Drive an exception.  As far as I can tell, all web scanning/interference should be disabled based on these policies.  But that's not the case.

    If there are other settings or other policies I need to change in order to completely disable SWI_FC.EXE or whatever it's doing, please let me know.

     

    As a further example, SWI_FC.EXE causes 50% CPU utilization and reduced speeds when running a speedtest at speedtest.net.  This is on a Ryzen 2400G, with 8 cores and 16 threads.

  • To disable the local web proxy (swi_fc.exe) you have to disable:

    • Web control policy
      • Disable Web Control
    • Threat Protection policy
      • Scan downloads in progress
      • Block access to malicious websites

    Disabling these 3 features will mean that the browsers no longer proxy traffic via swi_fc.exe.

    If you leave just one of the above 3 features enabled then traffic goes through swi_fc.exe unless a particular site is excluded by IP in the Threat Protection exclusion policy or the global exclusion policy as a website exclusion.

     

    Regards,

    Jak

     

     

  • Thanks for the reply, but shouldn't the settings I have above work for disabling those 3 things?

    The only other thing I can do is turn off the topmost control for "Web Control", but as far as I can tell that means it will just default to the settings in the base policy (where it's on).

  • I would suggest:

    "Enable realtime scanning" (that is one of the main defenses) and not related to web protection in Central if the web protection specific options are turned off.  In on-premise the default of web protection is the same as on-access, but it can also be turned off independently.

    You can leave download reputation enabled, this is probably even more important if you disable web protection.

    Detect network traffic to command and control servers can be enabled, this doesn't use swi_fc.exe and should be ok to alert to non browser processes making connections to known bad addresses.

    Also enable HIPS (runtime detection), this is unrelated to web protection/control features.

    I can only think that you need to disable web control, such that when the client gets the policy:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Web Intelligence\Web Control
    enabled = 0 rather than 1 which I assume it still is.

    In the client UI, when you're on the settings page (tamper off or admin login) you can see that web control is off as well but the above key is good enough.

    Regards,

    Jak
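
One way to check on an affected endpoint whether the Web Control setting from the policy has arrived and whether swi_fc.exe is still consuming CPU, as an added example that is not part of the original post and is not Sophos tooling. The key path, the `enabled` value name and the process name are the ones quoted in the thread; the function names and the 5-second sampling window are assumptions, and the registry value reflects Web Control only, not the two Threat Protection settings listed earlier in the thread.

```powershell
# Added example. Run from an elevated PowerShell prompt on the endpoint.
# Key path, value name and process name are taken from the thread above.
$KeyPath   = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Web Intelligence\Web Control'
$ValueName = 'enabled'
$ProcName  = 'swi_fc'

function Get-WebControlState {
    # Returns the value the client currently holds, or $null if it is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Get-ProxyCpuPercent {
    param([int]$SampleSeconds = 5)   # sampling window is an arbitrary choice
    # Take two readings of accumulated CPU seconds and convert the
    # difference to a percentage of total capacity across all logical cores.
    $before = Get-Process -Name $ProcName -ErrorAction SilentlyContinue
    if (-not $before) { return $null }          # process not running
    $t0 = ($before | ForEach-Object { $_.CPU } | Measure-Object -Sum).Sum
    Start-Sleep -Seconds $SampleSeconds
    $after = Get-Process -Name $ProcName -ErrorAction SilentlyContinue
    if (-not $after) { return $null }           # exited during the sample
    $t1 = ($after | ForEach-Object { $_.CPU } | Measure-Object -Sum).Sum
    $cores = [Environment]::ProcessorCount
    return [math]::Round((($t1 - $t0) / ($SampleSeconds * $cores)) * 100, 1)
}

$state = Get-WebControlState
$cpu   = Get-ProxyCpuPercent

# One row per machine, so results from several endpoints can be compared.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    WebControlEnabled = if ($null -eq $state) { 'value not present' } else { $state }
    ProxyRunning      = $null -ne $cpu
    ProxyCpuPercent   = $cpu
}
```

Run it once while idle and once during an upload: a `WebControlEnabled` of 1 after the policy change suggests the endpoint is still applying a policy with Web Control on.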

     
