This discussion has been locked.

Antivirus Scanning Interfering with Pandora.

Sophos UTM9 running Firmware version:  9.702-1.  Issue:  Pandora streaming frequently skips or stops playing on Android devices while connected to LAN.

Detail: I've never seen this before. Behind the Sophos UTM, tablets and smartphones running the last two versions of Android will skip/jump through Pandora songs or not play altogether. Moving any of the devices to another network allows them to function normally.   Testing has revealed that it's the Sophos UTM Antivirus scanning.  With antivirus scanning OFF, Pandora streams as normal.  With antivirus scanning ON, Pandora skips songs, jumps and often fails to stream.  Antivirus scanning set to Single scan (max performance)

After the issue was determined to be the AV, Pandora was put in the Filtering Options Exception list, skipping "Antivirus / Sandstorm" for pandora.com.  This allows streaming with AV ON and alleviates ~70% of the skipping/jumping -> But Does Not Solve The Issue Completely.

Solution Desired:  Please assist me with leaving Antivirus ON for security but writing better Exception Rule(s) to allow Pandora to stream unimpeded. 



  • Hi and welcome to the UTM Community!

    https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/45070/master-list-of-web-exceptions/308859#308859

    Found by a Google on site:community.sophos.com/products/unified-threat-management/f pandora.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I have read the link you posted, and based on that information, I have implemented the changes below.  I am sorry to report that with the antivirus scanning /ON there is no change in the Pandora behavior on mobile tablets and devices.  

    Here is the current programming:

    Skipping: Authentication / Block by download size / Antivirus / Sandstorm / Extension blocking / MIME type blocking / URL Filter / Content Removal / SSL scanning / Certificate trust check / Certificate date check / Do not display download/scan progress page
    Matching these URLs: pandora.com
    ^https?://[A-Za-z0-9.-]*pandora.com/
    ^https?://[A-Za-z0-9.-]*cdn.com/
    and Going to these categories of websites: Internet radio/TV Streaming media

     

    If I turn antivirus /OFF Pandora plays normally on tablets and devices. So, we're still missing some key piece.

  • Show us  a line or two from the Web Filtering log when Pandora is blocked.

    Cheers - Bob

     
  • BAlfson;

    Thank you for your interest. Hope this helps!   The Android smartphone was at "192.168.200.101" and it was skipping every song on Pandora.

    2020:05:11-19:23:44 portal httpproxy[26802]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.200.101" dstip="172.217.4.227" user="" group="" ad_domain="" statuscode="204" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x8526a00" url="connectivitycheck.gstatic.com/generate_204" referer="" error="" authtime="0" dnstime="2516" aptptime="94" cattime="354" avscantime="0" fullreqtime="54282" device="0" auth="0" ua="Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/M4B30Z)" exceptions="" category="177" reputation="trusted" categoryname="Content Server" country="United States"
    2020:05:11-19:23:45 portal httpproxy[26802]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.200.101" dstip="172.217.4.227" user="" group="" ad_domain="" statuscode="204" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x8526a00" url="connectivitycheck.gstatic.com/generate_204" referer="" error="" authtime="0" dnstime="1" aptptime="435" cattime="324" avscantime="0" fullreqtime="105994" device="0" auth="0" ua="Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/M4B30Z)" exceptions="" category="177" reputation="trusted" categoryname="Content Server"

     

    2020:05:11-19:25:59 portal httpproxy[26802]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.200.101" dstip="208.85.42.31" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="5655" request="0x8916700" url="mediaserver-cont-sv5-1-v4v6.pandora.com/" referer="" error="" authtime="0" dnstime="1" aptptime="404" cattime="373" avscantime="0" fullreqtime="283765" device="0" auth="0" ua="" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size,patience"

     

  • Well, those all look like the traffic passed, so I guess we'll need to look for other lines, we're looking for ones with  statuscode="4xx" or "5xx".

    Cheers - Bob

     
  • Following up on Bob's suggestion, you can narrow your log activity by checking only "log blocked pages", located under edit filter action / additional options / activity logging.  Then open the live log, start playing Pandora, and narrow your search with a filter focused on 192.168.200.101; hopefully you should see the blocked traffic only.

     

    Good Luck

  • BAlfson, Bob;

     

    Does this help?

     

    2020:05:13-19:37:39 portal httpproxy[26802]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.200.101" dstip="209.196.209.25" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x867e700" url="t3-5.p-cdn.us/.../6558331659513584368.mp4 referer="" error="" authtime="0" dnstime="912" aptptime="4796" cattime="358" avscantime="0" fullreqtime="60500" device="0" auth="0" ua="Pandora/2003.2 Android/6.0.1 hammerhead (ExoPlayerLib1.5.14.1)" exceptions="" category="177" reputation="neutral" categoryname="Content Server" country="United States" content-type="application/octet-stream" reason="range"
    2020:05:13-19:37:40 portal httpproxy[26802]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.200.101" dstip="209.196.209.25" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xcc4aca00" url="t3-3.p-cdn.us/.../6364499502242511083.mp4 referer="" error="" authtime="0" dnstime="825" aptptime="7560" cattime="364" avscantime="0" fullreqtime="68530" device="0" auth="0" ua="Pandora/2003.2 Android/6.0.1 hammerhead (ExoPlayerLib1.5.14.1)" exceptions="" category="177" reputation="neutral" categoryname="Content Server" country="United States" content-type="application/octet-stream" reason="range"
    2020:05:13-19:37:40 portal httpproxy[26802]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.200.101" dstip="209.196.209.25" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xd9056000" url="t3-3.p-cdn.us/.../6364499502242511083.mp4 referer="" error="" authtime="0" dnstime="1029" aptptime="7090" cattime="460" avscantime="0" fullreqtime="56361" device="0" auth="0" ua="Pandora/2003.2 Android/6.0.1 hammerhead (ExoPlayerLib1.5.14.1)" exceptions="" category="177" reputation="neutral" categoryname="Content Server" country="United States" content-type="application/octet-stream" reason="range"
    2020:05:13-19:37:41 portal httpproxy[26802]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.200.101" dstip="209.196.209.25" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xd11f7500" url="t3-3.p-cdn.us/.../6364499502242511083.mp4 referer="" error="" authtime="0" dnstime="858" aptptime="3870" cattime="269" avscantime="0" fullreqtime="90449" device="0" auth="0" ua="Pandora/2003.2 Android/6.0.1 hammerhead (ExoPlayerLib1.5.14.1)" exceptions="" category="177" reputation="neutral" categoryname="Content Server" country="United States" content-type="application/octet-stream" reason="range"
    2020:05:13-19:37:43 portal httpproxy[26802]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.200.101" dstip="209.196.209.25" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xe09e8300" url="t3-3.p-cdn.us/.../6364499502242511083.mp4 referer="" error="" authtime="0" dnstime="1161" aptptime="7300" cattime="502" avscantime="0" fullreqtime="80917" device="0" auth="0" ua="Pandora/2003.2 Android/6.0.1 hammerhead (ExoPlayerLib1.5.14.1)" exceptions="" category="177" reputation="neutral" categoryname="Content Server" country="United States" content-type="application/octet-stream" reason="range"
    2020:05:13-19:37:46 portal httpproxy[26802]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.200.101" dstip="208.85.42.27" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xfe2bc00" url="t3-1.p-cdn.us/.../6330350743481032985.mp4 referer="" error="" authtime="0" dnstime="1150" aptptime="7201" cattime="505" avscantime="0" fullreqtime="194704" device="0" auth="0" ua="Pandora/2003.2 Android/6.0.1 hammerhead (ExoPlayerLib1.5.14.1)" exceptions="" category="177" reputation="neutral" categoryname="Content Server" country="United States" content-type="application/octet-stream" reason="range"
    2020:05:13-19:37:46 portal httpproxy[26802]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.200.101" dstip="208.85.42.27" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9975100" url="t3-1.p-cdn.us/.../6330350743481032985.mp4 referer="" error="" authtime="0" dnstime="1071" aptptime="7185" cattime="448" avscantime="0" fullreqtime="196981" device="0" auth="0" ua="Pandora/2003.2 Android/6.0.1 hammerhead (ExoPlayerLib1.5.14.1)" exceptions="" category="177" reputation="neutral" categoryname="Content Server" country="United States" content-type="application/octet-stream" reason="range"
    2020:05:13-19:37:48 portal httpproxy[26802]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.200.101" dstip="208.85.42.27" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdacb8a00" url="t3-1.p-cdn.us/.../6330350743481032985.mp4 referer="" error="" authtime="0" dnstime="1176" aptptime="7271" cattime="507" avscantime="0" fullreqtime="186190" device="0" auth="0" ua="Pandora/2003.2 Android/6.0.1 hammerhead (ExoPlayerLib1.5.14.1)" exceptions="" category="177" reputation="neutral" categoryname="Content Server" country="United States" content-type="application/octet-stream" reason="range"
    2020:05:13-19:37:50 portal httpproxy[26802]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.200.101" dstip="208.85.42.27" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xcb778e00" url="t3-1.p-cdn.us/.../6330350743481032985.mp4 referer="" error="" authtime="0" dnstime="1105" aptptime="7296" cattime="508" avscantime="0" fullreqtime="170551" device="0" auth="0" ua="Pandora/2003.2 Android/6.0.1 hammerhead (ExoPlayerLib1.5.14.1)" exceptions="" category="177" reputation="neutral" categoryname="Content Server" country="United States" content-type="application/octet-stream" reason="range"
    2020:05:13-19:37:52 portal httpproxy[26802]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.200.101" dstip="208.85.42.24" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xd9059100" url="t2-2.p-cdn.us/.../3427744959097443024.mp4 referer="" error="" authtime="0" dnstime="1139" aptptime="7141" cattime="502" avscantime="0" fullreqtime="172228" device="0" auth="0" ua="Pandora/2003.2 Android/6.0.1 hammerhead (ExoPlayerLib1.5.14.1)" exceptions="" category="177" reputation="neutral" categoryname="Content Server" country="United States" content-type="application/octet-stream" reason="range"
    2020:05:13-19:37:52 portal httpproxy[26802]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.200.101" dstip="208.85.42.24" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xfce5500" url="t2-2.p-cdn.us/.../3427744959097443024.mp4 referer="" error="" authtime="0" dnstime="1153" aptptime="7203" cattime="474" avscantime="0" fullreqtime="181989" device="0" auth="0" ua="Pandora/2003.2 Android/6.0.1 hammerhead (ExoPlayerLib1.5.14.1)" exceptions="" category="177" reputation="neutral" categoryname="Content Server" country="United States" content-type="application/octet-stream" reason="range"
    2020:05:13-19:37:54 portal httpproxy[26802]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.200.101" dstip="208.85.42.24" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xa73c000" url="t2-2.p-cdn.us/.../3427744959097443024.mp4 referer="" error="" authtime="0" dnstime="808" aptptime="6201" cattime="371" avscantime="0" fullreqtime="175930" device="0" auth="0" ua="Pandora/2003.2 Android/6.0.1 hammerhead (ExoPlayerLib1.5.14.1)" exceptions="" category="177" reputation="neutral" categoryname="Content Server" country="United States" content-type="application/octet-stream" reason="range"
    2020:05:13-19:37:56 portal httpproxy[26802]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.200.101" dstip="208.85.42.24" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xd11f8a00" url="t2-2.p-cdn.us/.../3427744959097443024.mp4 referer="" error="" authtime="0" dnstime="1246" aptptime="7316" cattime="487" avscantime="0" fullreqtime="179711" device="0" auth="0" ua="Pandora/2003.2 Android/6.0.1 hammerhead (ExoPlayerLib1.5.14.1)" exceptions="" category="177" reputation="neutral" categoryname="Content Server" country="United States" content-type="application/octet-stream" reason="range"
    2020:05:13-19:37:57 portal httpproxy[26802]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.200.101" dstip="208.85.46.25" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x99cb100" url="audio-dc6-t2-1-v4v6.pandora.com/.../6573635434199770188.mp4 referer="" error="" authtime="0" dnstime="246" aptptime="7110" cattime="574" avscantime="0" fullreqtime="104566" device="0" auth="0" ua="Pandora/2003.2 Android/6.0.1 hammerhead (ExoPlayerLib1.5.14.1)" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size,patience" reason="range"
    2020:05:13-19:37:57
  • That's what we needed - reason="range" - that breaks anti-virus scanning.  If this is a home-use situation, you might just want to create an anti-virus Exception for the entire Pandora netblock, 208.85.40.0/21.  If a business, I would use DNS Group definitions for the FQDNs being blocked.  Then again, maybe changing the Exception for *cdn.com to *cdn.us would resolve this.

    The last line is not for the cdn.us, but for a subdomain of Pandora.com and it already qualified for an AV Exception.  If you're using the Proxy in Standard mode, you will want to skip the Proxy for *.pandora.com in your browser.  If in Transparent, I bet you're stuck with skipping the entire 208.85.40.0/21 subnet.

    Please let us know your result.

    Cheers - Bob

     
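A way to check this diagnosis against a log export, as an added example that is not part of the original thread: it parses the key="value" fields, keeps requests blocked with reason="range", and tests each host against the exception regexes posted earlier and the 208.85.40.0/21 netblock. The sample lines are constructed and abridged from the log excerpt above (URL paths are placeholders), and prefixing http:// to the logged url before matching is an assumption.

```python
import ipaddress
import re

# Constructed sample, abridged from the log excerpt in the thread: hosts, IPs,
# status codes and reason values follow the thread; URL paths are placeholders.
SAMPLE_LOG = '''\
2020:05:11-19:25:59 portal httpproxy[26802]: id="0001" action="pass" method="CONNECT" dstip="208.85.42.31" statuscode="200" url="mediaserver-cont-sv5-1-v4v6.pandora.com/" exceptions="av,sandbox"
2020:05:13-19:37:39 portal httpproxy[26802]: id="0002" action="block" method="GET" dstip="209.196.209.25" statuscode="416" url="t3-5.p-cdn.us/placeholder/a.mp4" exceptions="" reason="range"
2020:05:13-19:37:46 portal httpproxy[26802]: id="0002" action="block" method="GET" dstip="208.85.42.27" statuscode="416" url="t3-1.p-cdn.us/placeholder/b.mp4" exceptions="" reason="range"
2020:05:13-19:37:52 portal httpproxy[26802]: id="0002" action="block" method="GET" dstip="208.85.42.24" statuscode="416" url="t2-2.p-cdn.us/placeholder/c.mp4" exceptions="" reason="range"
2020:05:13-19:37:57 portal httpproxy[26802]: id="0002" action="block" method="GET" dstip="208.85.46.25" statuscode="416" url="audio-dc6-t2-1-v4v6.pandora.com/placeholder/d.mp4" exceptions="av,sandbox" reason="range"
'''

# Exception regexes exactly as posted earlier in the thread.
POSTED_PATTERNS = [
    r"^https?://[A-Za-z0-9.-]*pandora.com/",
    r"^https?://[A-Za-z0-9.-]*cdn.com/",
]
# Netblock suggested in the thread for the skip list.
SKIP_NETBLOCK = ipaddress.ip_network("208.85.40.0/21")

FIELD = re.compile(r'([\w-]+)="([^"]*)"')


def parse_line(line):
    """Turn one httpproxy log line into a dict of its key="value" fields."""
    return dict(FIELD.findall(line))


def audit_range_blocks(log_text, patterns=POSTED_PATTERNS, netblock=SKIP_NETBLOCK):
    """Summarise, per host, the requests blocked with reason="range"."""
    compiled = [re.compile(p) for p in patterns]
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "block" or rec.get("reason") != "range":
            continue
        if "url" not in rec or "dstip" not in rec:
            continue
        host = rec["url"].split("/", 1)[0]
        # Assumption: the log omits the scheme, so add one before regex matching.
        full_url = "http://" + rec["url"]
        row = report.setdefault(host, {"blocks": 0, "ips": set()})
        row["blocks"] += 1
        row["ips"].add(rec["dstip"])
        # Would any configured URL exception have matched this request?
        row["url_exception_matches"] = any(p.search(full_url) for p in compiled)
        # What the proxy itself logged as applied exceptions.
        row["exceptions_logged"] = rec.get("exceptions", "")
        # Would a skip-list entry for the netblock cover every address seen?
        row["all_ips_in_netblock"] = all(
            ipaddress.ip_address(ip) in netblock for ip in row["ips"]
        )
    return report


if __name__ == "__main__":
    for host, row in sorted(audit_range_blocks(SAMPLE_LOG).items()):
        print(host, row)
```

On the sample, none of the p-cdn.us hosts match the posted exceptions, and 209.196.209.25 (serving t3-5.p-cdn.us) lies outside 208.85.40.0/21, so a skip-list entry for that netblock alone would not cover it.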
  • This is for an adult-only home situation, and after doing some reading, I'm rethinking my question somewhat.

    I really don't want to block any content, or websites, or enforce any safe search.  The only reason I turned on the filtering at all was to:

    1) Enable Antivirus,

    2) Block spyware infection and communication, and

    3) Block dangerous extensions.

    So what do you gentlemen suggest for web filtering?  Standard or Transparent?  And how should I write the one and only custom exception I appear to need for pandora.com?

     

  • That's a great post!  Virtually everyone asks why their solution doesn't work and never offers an insight into what they wanted to have happen.  I didn't even have to ask - refreshing!

    I would use a Web Filtering Profile in Standard with the default Profile in Transparent.  In the Transparent Mode Skiplist, skip the entire 208.85.40.0/21 subnet.  In browsers that allow you to skip the Proxy for *.cdn.us and *.pandora.com, configure to use the UTM as an explicit proxy.  Now, Pandora will work on all your devices and those that use Standard mode will skip the Proxy for the fewest IPs.

    Cheers - Bob

     