If you are still experiencing telephony issues with our Sophos Support phone lines in Latin America, please raise a case via SophServ, or webform. We apologize for this inconvenience.

Question about URL filtering

Does URL filtering scan only browser traffic or does it scan all HTTP connections no matter what program makes the connection? I'm thinking of a situation where malicious program tries to download more payloads from infected servers in the backround. Is URL filtering able to block that or will those connections be invisible to sophos home?

  • HI Ilkka, 

    The URL would filter a malicious traffic from your system. It should able to block the URL via non-browser request. Let me check and update you further, in the mean time could you test on your end.

  • In reply to Aditya Patel:

    Thank you for your answer but I did some testing and found out that sophos home is not blocking malicious urls from other programs than browser! I tested this by trying to download malware file from malc0de database and when I paste the url in browser i get sophos URL warning and the file is not downloaded. However when i installed wget for windows and tried to download the same url with wget, the infected file downloaded successfully.

    So eiher sophos home url filtering is working only with browsers or something is wrong in my system. 

  • In reply to Ilkka Ruuskanen:

    I'm seeing similar things. 

    Approach: Use Eicar.org antivirus testfiles to download a .com and a .zip file referenced by an http:// URL which should trigger antivirus/anti-malware products participating in EICAR project. Download via 1) a Browser and 2) WinWget for Windows

    Results:

    1) Browser: If I paste the URL in Firefox browser, I get a message that the page is blocked by Sophos. See screenshot 1.

    2) WinWget: It appears to be downloaded to the computer. Sophos then indicates there is a threat then proceeds to delete it. See screenshots 2 and 3.

    So it appears on the surface that the URL filtering is focused on browser based downloads. Maybe http downloads is different than wget downloads as far as implementation approaches but achieves the same objective.  However, the bottom line is that Sophos recognized the threats and dealt with it.

    Patrick

  • In reply to Ilkka Ruuskanen:

    Yeah as  points out it is browser only. Im very familiar with the Sophos business product and this is essentially web protection/control which is purely focused on common browsers. For instance weird obscure browsers like Kmelon work without URL filtering.

    The technology is a different based on the operating system (although I am unsure if this is the case in the home edition.. they may all use winsock layer as I am using windows 7). Windows 7 and older use a Winsock layer - A layered service provider as it is called to intercept browser traffic. This tech is specific to the browsers and the browser must support and use it which IE, Chrome, Firefox , Safari all use. You can run the command at the CLI "netsh winsock show catalog" and see the Sophos Layer loaded. You can also reset this is troubleshooting.

    For Windows 8 plus the tech should be using the Windows Filtering Platform (WFP) layer which is the more modern way to do this kind of filtering in the windows platform (dont ask me about Macs). Technically WFP ties into the Windows Firewall directly so should be able to apply to non-browser based apps as it applies to all network traffic but it is possibly hampered or unable to do so.

    In the enterprise product there is what is called Malicious Traffic Detection that blocks non-browser HTTP/HTTPS apps to malicious sites. I dont think this is available in the home edition.