Sophos Endpoint Protection generating 100s of Events

Since installing the Sophos Endpoint Agent on computers, the Windows Event Security log is filling with over a hundred events per minute. The Audit Failure event is ID 5152: The Windows Filtering Platform has blocked a packet. I've looked at https://docs.microsoft.com/en-us/windows/device-security/auditing/event-5152

A few things:

1. Why doesn't the Sophos agent show any events, errors, warnings, etc?

2. Microsoft is saying to monitor the source folders to see if bad things are happening. This is in the XML and, with the plethora of events, almost impossible to review.

3. Even if I can ignore the events, they're still causing the logs to roll over every day or so.

Is anyone else seeing this behavior? What do I need to do to make this stop filling the event logs? Is Sophos really blocking packets and not reporting it in the console or agent?

Thank you.



  • Is this level of auditing on by default or have you enabled it through policy?

    I assume this stops it?

    auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable

    As for the Sophos features that operate at this layer, i.e. have a WFP filter driver, they are:

    1. Web Protection (Windows 8.1+)
    2. Sophos Client Firewall (Windows 8.1+)
    3. Malicious Traffic Detection (MTD).

    Given you are running Central, 2 is not applicable.

    Can you rule out the 3rd, MTD? This seems most likely.

    In the Threat Protection policy applied to a test client, if you disable the option: "Detect network traffic to command and control servers", do the messages stop?

    Can you provide a few examples of the events you are seeing?

    Regards,

    Jak


  • Just noticed the same thing here. I'm even seeing it on a machine that I uninstalled the software on, but it must have left something that's causing all the Audit Failures to pile up. Not seeing it on the same exact machine that never had Sophos / SC installed.

  • We're seeing the same thing here and have for some time.

    Two odd things about it:

    • it happens on some machines and not others (and I think we have Sophos pretty much everywhere)
    • it seems to complain about common packets on ordinary ports (e.g. DHCP and LLMNR)

    I forget when I first saw this.  We see it here on both workstations and servers and across multiple versions of Windows.  Googling for "security event 5152" turns up quite a few hits.  I'm guessing that many of these are Sophos-related and many are not.  Most of the hits that I have looked at either end with no resolution or end with auditpol.

    Until today, I didn't know who to blame.  I recently received a new VM and today I noticed that 5152s were being logged there.  I quickly grabbed the security event log contents before they wrapped.  I found the first occurrence of a 5152 and examined the application, system and security event logs for events that happened just before this first 5152.  The thing that happened just before the 5152s started flooding the security event log is that Sophos Endpoint Firewall was installed and started.

    Disabling the message with auditpol seems like the wrong approach to me.  The ideal solution involves Sophos EFW and the Windows firewall infrastructure working together in a way that

    • doesn't result in the security event log filling up with warnings about DHCP packets (unless those packets contain some kind of exploit) and other common packets
    • but still reports activity on unexpected ports and reports malformed packets on common ports

    [later edit: I just dug through the 5152s on this VM.  The top 3 sources in this case are (in order of decreasing frequency)

    1. UDP DNS responses from the domain controller
    2. ICMP traffic to the domain controller
    3. HTTPS responses from akamai]

    [even later edit: I just received a new corporate laptop.  It's getting the 5152s.  It now appears to be phoning home when these incidents happen (at least some of the time).

    In C:\ProgramData\Sophos\Endpoint Firewall\Logs\Endpoint Firewall.log I see pairs of lines like this:

    2018-06-12 11:35:00.001 [5448:2856] ALWAYS - Application Blocked. Sending Block Event XML = <?xml version="1.0" encoding="utf-8"?>
    <event type="endpointfirewall.block"><timestamp>20180612 113459</timestamp><applicationName>swi_fc</applicationName><executablePath>C:\program files (x86)\common files\sophos\web intelligence\swi_fc.exe</executablePath></event>
    These appear to correspond to a cluster of several dozen 5152s, which appears to correlate with port 80 and port 443 activity from Microsoft Edge, probably in connection with the "Top sites and suggested content" that it uses to fill in a new tab (which I've since turned off).
    A conjecture - this smells somewhat like AI (or rather AI in its current usage, as a shorthand for deep recurrent neural networks).
    1. it's probably getting it right most of the time (with some tolerable amount of false positives and false negatives)
    2. it fits the context (a very large dataset that might be suitable for machine learning)
    3. nobody's offering any explanation on why it's doing this (because you can't explain why a deep RNN is making its choices and it can't explain itself.  And then there's the rifle/turtle problem and the 45 MPH stop sign, both of which are disturbing in a security context)]
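The triage the previous post did by hand (finding the top sources of 5152s before they wrap, and asking which filter actually dropped the packet) can be scripted. The following PowerShell is an added example written for this thread; it is not Sophos or Microsoft code. It reads the most recent 5152 events from the Security log, decodes the fields the event carries (Application, Direction, Protocol, addresses, ports, FilterRTID, LayerName), and groups them so the noisy flows and the responsible WFP filter stand out. Two things are assumptions rather than facts from the page: the mapping of the raw Direction values %%14592/%%14593 to Inbound/Outbound (taken from the 5152 event schema), and the layout of the XML that `netsh wfp show filters file=<path>` writes, which is used optionally to turn a FilterRTID into a filter name so you can see whether the blocking filter belongs to Sophos, the Windows firewall or something else.

```powershell
# Triage of Windows Filtering Platform packet-drop audits (Security event ID 5152).
# Added example for this thread; not Sophos or Microsoft code. Run from an elevated
# PowerShell session, because reading the Security log requires administrator rights.
param(
    [int]$MaxEvents = 5000,   # how many of the most recent 5152 events to read
    [string]$FilterXml = ''   # optional: file written by 'netsh wfp show filters file=<path>'
)

# Direction and Protocol arrive as raw values in the event XML.
# Assumption: %%14592 = Inbound and %%14593 = Outbound, per the 5152 event schema.
$directionNames = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }
$protocolNames  = @{ '1' = 'ICMP'; '6' = 'TCP'; '17' = 'UDP'; '58' = 'ICMPv6' }

# Optional FilterRTID -> filter display name lookup.
# Assumption: the netsh export contains <item> elements carrying <filterId> and
# <displayData><name>; if the layout differs, the lookup simply stays empty.
$filterNames = @{}
if ($FilterXml -and (Test-Path -Path $FilterXml)) {
    $fx = [xml](Get-Content -Path $FilterXml -Raw)
    foreach ($item in $fx.SelectNodes('//item[filterId]')) {
        $filterNames[[string]$item.filterId] = [string]$item.displayData.name
    }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152 } `
                       -MaxEvents $MaxEvents -ErrorAction Stop

# Flatten each event's EventData into one row.
$rows = foreach ($ev in $events) {
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    $dir  = $d['Direction']
    $prot = $d['Protocol']
    $rtid = [string]$d['FilterRTID']
    if ($directionNames.ContainsKey($dir))  { $dir  = $directionNames[$dir] }
    if ($protocolNames.ContainsKey($prot))  { $prot = $protocolNames[$prot] }
    $fname = if ($filterNames.ContainsKey($rtid)) { $filterNames[$rtid] } else { '' }

    [pscustomobject]@{
        Time        = $ev.TimeCreated
        Application = $d['Application']
        Direction   = $dir
        Protocol    = $prot
        Source      = '{0}:{1}' -f $d['SourceAddress'], $d['SourcePort']
        Destination = '{0}:{1}' -f $d['DestAddress'], $d['DestPort']
        DestPort    = [string]$d['DestPort']
        FilterRTID  = $rtid
        FilterName  = $fname
        LayerName   = $d['LayerName']
    }
}

$first = ($rows | Measure-Object -Property Time -Minimum).Minimum
$last  = ($rows | Measure-Object -Property Time -Maximum).Maximum
"Events read: {0}; span: {1} to {2}" -f @($rows).Count, $first, $last
$span = $last - $first
if ($span.TotalMinutes -gt 0) {
    "Average drops per minute: {0}" -f [math]::Round(@($rows).Count / $span.TotalMinutes, 1)
}

"`n== Top blocked flows by application / direction / protocol / destination port =="
$rows | Group-Object -Property Application, Direction, Protocol, DestPort |
    Sort-Object -Property Count -Descending |
    Select-Object -First 15 -Property Count, Name | Format-Table -AutoSize

"`n== Filters doing the blocking (FilterRTID -> name, if the netsh export was supplied) =="
$rows | Group-Object -Property FilterRTID, FilterName, LayerName |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name | Format-Table -AutoSize

# The complaint in this thread is noise on ordinary ports (DNS, DHCP, LLMNR, HTTP/S).
# Set those aside so whatever is left gets a closer look.
"`n== Drops that are NOT on the usual ports =="
$usualPorts = @('53', '67', '68', '80', '123', '137', '138', '443', '5353', '5355')
$rows | Where-Object { $usualPorts -notcontains $_.DestPort } |
    Group-Object -Property Application, Protocol, Destination |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name | Format-Table -AutoSize
```

Run it before the log wraps, and pass `-FilterXml .\filters.xml` after `netsh wfp show filters file=.\filters.xml` has been run from the same elevated prompt; the filter names in that export are what tell you whether the drops come from a Sophos filter (the Web Protection / MTD / Endpoint Firewall components Jak listed) or from somewhere else. The FilterRTID can also be compared against the swi_fc block events in Endpoint Firewall.log mentioned above. If the decision is to stop auditing packet drops, `auditpol /get /subcategory:"Filtering Platform Packet Drop"` shows whether the setting came from local policy or from a GPO, which is worth knowing before running the `/set` command quoted earlier, since a GPO will re-enable it.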