
Sophos Endpoint Protection generating 100s of Events

Since installing the Sophos Endpoint Agent on computers, the Windows Event Security log is filling with over a hundred events per minute. The Audit Failure event is ID 5152: The Windows Filtering Platform has blocked a packet. I've looked at https://docs.microsoft.com/en-us/windows/device-security/auditing/event-5152

A few things:

1. Why doesn't the Sophos agent show any events, errors, warnings, etc.?

2. Microsoft is saying to monitor the source folders to see if bad things are happening. This is in the XML, and with the plethora of events it is almost impossible to review.

3. Even if I can ignore the events, they're still causing the logs to roll over every day or so.

Is anyone else seeing this behavior? What do I need to do to make this stop filling the event logs? Is Sophos really blocking packets and not reporting it in the console or agent?

Thank you.
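The post above describes two practical problems: the 5152 events are only reviewable through their XML event data, and the volume rolls the Security log over before anything can be looked at. The script below is an added example, not code from the original post or from Sophos or Microsoft. It pulls the 5152 events from the Security log, extracts the event-data fields the 5152 schema defines (Application, Direction, SourceAddress/Port, DestAddress/Port, Protocol, FilterRTID, LayerName), summarises which applications and destinations are being blocked, and then shows the auditpol subcategory ("Filtering Platform Packet Drop") that controls whether these audits are written at all. The script name and its two parameters (Hours, Top) are assumptions for the example; the Direction resource strings %%14592/%%14593 are the values Windows emits for Inbound/Outbound. Run it in an elevated PowerShell session, since reading the Security log requires administrator rights.

```powershell
# Get-WfpDrops.ps1 (name assumed for this example; not part of the original post)
# Summarise Windows Filtering Platform packet-drop audits (Security log, Event ID 5152)
# and show the audit-policy subcategory that generates them. Requires an elevated session.
param(
    [int]$Hours = 1,    # how far back to look (assumed parameter)
    [int]$Top   = 20    # how many grouped rows to print (assumed parameter)
)

# 1. Pull only the 5152 events from the last $Hours hours. FilterHashtable lets the
#    event log service do the filtering instead of piping the whole log to Where-Object.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5152
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 5152 events found in the last $Hours hour(s)."
    return
}

# 2. Each event's fields live in <EventData><Data Name='...'>; read them from the XML
#    rather than parsing the rendered message text, which is localised and wraps.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # %%14592 / %%14593 are the resource strings Windows writes for Inbound / Outbound.
    if     ($data['Direction'] -eq '%%14592') { $direction = 'Inbound'  }
    elseif ($data['Direction'] -eq '%%14593') { $direction = 'Outbound' }
    else                                       { $direction = $data['Direction'] }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Application = $data['Application']     # device path of the process, e.g. \device\harddiskvolume2\...
        Direction   = $direction
        Source      = "$($data['SourceAddress']):$($data['SourcePort'])"
        Destination = "$($data['DestAddress']):$($data['DestPort'])"
        Protocol    = $data['Protocol']        # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
        FilterRTID  = $data['FilterRTID']      # runtime ID of the WFP filter that dropped the packet
        Layer       = $data['LayerName']
    }
}

Write-Host "Total 5152 events in the last $Hours hour(s): $($rows.Count)"
Write-Host ""
Write-Host "Top $Top blocked flows (Application, Direction, Destination, Protocol):"
$rows |
    Group-Object Application, Direction, Destination, Protocol |
    Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name |
    Format-Table -AutoSize

# 3. The FilterRTID tells you *which* WFP filter did the blocking (Windows Firewall, a
#    third-party product's callout filter, ...). Dump the live filter set with
#    'netsh wfp show filters' and search the resulting XML for that filter ID to see
#    the filter's display name and provider.
Write-Host ""
Write-Host "Distinct FilterRTIDs seen: $(($rows.FilterRTID | Sort-Object -Unique) -join ', ')"
Write-Host "Identify them with:  netsh wfp show filters file=wfpfilters.xml"

# 4. Whether 5152 is written at all is governed by the 'Filtering Platform Packet Drop'
#    audit subcategory. Show its current setting:
Write-Host ""
auditpol /get /subcategory:"Filtering Platform Packet Drop"
# To stop the log flood (this changes what is *audited*, not what is blocked):
#   auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
# If a Group Policy object configures this subcategory, it overrides the local setting
# at the next policy refresh, so make the change in the GPO in that case.
```

Review the grouped output first: a handful of rows accounting for most of the count usually points at one application or one destination (multicast/broadcast noise, an inbound probe, or a security product's own filter), and the FilterRTID lookup tells you whether it is the Windows Firewall or another provider's filter doing the dropping. Only once you know what is being blocked is disabling the "Filtering Platform Packet Drop" subcategory a defensible fix for the roll-over problem, because that also silences drops you might have wanted to see.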



  • Just noticed the same thing here. I'm even seeing it on a machine that I uninstalled the software on, but it must have left something that's causing all the Audit Failures to pile up. Not seeing it on the same exact machine that never had Sophos / SC installed.
