
Visual studio 2017 - nuget package not working

Browsing the packages I get the error shown in the picture below.

I have allowed the bypass of web protection with the following filtering options that work.
I no longer see the nuget.org and msecnd.net calls.

Checking the web filtering log (the complete log is at the end of this page) I see:
2017:08:23-10:42:14 serestsophos httpproxy[9828]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xdfae1600" function="connect_server" file="dns.c" line="1270" message="connect() on AF 2 socket to 93.184.221.200 failed: Network is unreachable"

Also, sometimes, I see:
2017:08:23-10:31:49 serestsophos httpproxy[9828]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xdc6d9600" function="ssl_raw_read" file="ssl.c" line="772" message="SSL_ERROR_SYSCALL: ret=-1 error=Connection reset by peer"

Google search for "sophos connect() on AF 2 socket" didn't return any solution.
Google search for sophos nuget.org returned a reference to Trojan.
No virus found scanning all computer with sophos virus removal tool.

I have done many, many other searches with no luck.

Any idea?

2017:08:23-10:31:49 serestsophos httpproxy[9828]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.101.132" dstip="23.205.188.204" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="607" request="0xdc35b000" url="cdn.odc.officeapps.live.com/.../sharepoint_16_1.png" referer="" error="" authtime="0" dnstime="1220964" cattime="4651" avscantime="1178" fullreqtime="1486345" device="0" auth="0" ua="Microsoft Office/15.0 (Windows NT 10.0; Microsoft Visio 15.0.4953; Pro)" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" application="office" app-id="1156" sandbox="-" content-type="image/png"
2017:08:23-10:31:49 serestsophos httpproxy[9828]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xdc6d9600" function="ssl_raw_read" file="ssl.c" line="772" message="SSL_ERROR_SYSCALL: ret=-1 error=Connection reset by peer"
2017:08:23-10:31:49 serestsophos httpproxy[9828]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.101.132" dstip="23.205.188.204" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="705" request="0xdf6baa00" url="cdn.odc.officeapps.live.com/.../xml referer="" error="" authtime="0" dnstime="1206399" cattime="105" avscantime="2452" fullreqtime="1480332" device="0" auth="0" ua="Microsoft Office/15.0 (Windows NT 10.0; Microsoft Visio 15.0.4953; Pro)" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" application="office" app-id="1156" sandbox="-" content-type="text/xml"
2017:08:23-10:31:49 serestsophos httpproxy[9828]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.101.132" dstip="23.205.188.204" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="607" request="0xdf586000" url="cdn.odc.officeapps.live.com/.../sharepoint_16_1.png" referer="" error="" authtime="0" dnstime="1221832" cattime="736" avscantime="1954" fullreqtime="1634883" device="0" auth="0" ua="Microsoft Office/15.0 (Windows NT 10.0; Microsoft Visio 15.0.4953; Pro)" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" application="office" app-id="1156" sandbox="-" content-type="image/png"
2017:08:23-10:31:49 serestsophos httpproxy[9828]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xdf586000" function="ssl_raw_read" file="ssl.c" line="772" message="SSL_ERROR_SYSCALL: ret=-1 error=Connection reset by peer"
2017:08:23-10:33:05 serestsophos httpproxy[9828]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.101.132" dstip="65.55.44.109" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7730" request="0xdfae1600" url="vortex.data.microsoft.com/" referer="" error="" authtime="0" dnstime="19711" cattime="391" avscantime="0" fullreqtime="110358640" device="0" auth="0" ua="" exceptions="av,sandbox,ssl,fileextension,size"
2017:08:23-10:36:03 serestsophos httpproxy[9828]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.101.132" dstip="13.107.4.52" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="22" request="0xdf772c00" url="www.msftconnecttest.com/connecttest.txt" referer="" error="" authtime="0" dnstime="3615721" cattime="1060176" avscantime="8365" fullreqtime="4811075" device="0" auth="0" ua="" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" sandbox="-" content-type="text/plain"
2017:08:23-10:36:59 serestsophos httpproxy[9828]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.101.132" dstip="2.16.13.93" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1086" request="0xdc359200" url="cdn.onenote.net/.../ referer="" error="" authtime="0" dnstime="35873" cattime="215" avscantime="4218" fullreqtime="147562" device="0" auth="0" ua="Microsoft-WNS/10.0" exceptions="" category="105" reputation="trusted" categoryname="Business" application="office" app-id="1156" sandbox="-" content-type="text/xml"
2017:08:23-10:38:07 serestsophos httpproxy[9828]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.101.132" dstip="216.58.205.227" user="" group="" ad_domain="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdf774400" url="clientservices.googleapis.com/.../seed referer="" error="" authtime="0" dnstime="3453" cattime="216" avscantime="0" fullreqtime="1235542" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36" exceptions="" category="178" reputation="trusted" categoryname="Internet Services" application="googapis" app-id="176"
2017:08:23-10:40:06 serestsophos httpproxy[9828]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.101.132" dstip="65.55.44.109" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11986" request="0xdb7c5000" url="vortex.data.microsoft.com/" referer="" error="" authtime="0" dnstime="30367" cattime="387" avscantime="0" fullreqtime="230936532" device="0" auth="0" ua="" exceptions="av,sandbox,ssl,fileextension,size"
2017:08:23-10:42:14 serestsophos httpproxy[9828]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xdfae1600" function="connect_server" file="dns.c" line="1270" message="connect() on AF 2 socket to 93.184.221.200 failed: Network is unreachable"
2017:08:23-10:42:14 serestsophos httpproxy[9828]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xdf858600" function="connect_server" file="dns.c" line="1270" message="connect() on AF 2 socket to 93.184.221.200 failed: Network is unreachable"
2017:08:23-10:42:14 serestsophos httpproxy[9828]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xdb7c3e00" function="connect_server" file="dns.c" line="1270" message="connect() on AF 2 socket to 93.184.221.200 failed: Network is unreachable"
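
The triage done by eye on the log above, as an added example that is not part of the original thread: it splits httpproxy lines into their key="value" fields and counts upstream connect() failures per destination, separately from TLS resets and passed requests. The function names and the shortened sample lines are constructed for illustration; the "AF 2" to IPv4 mapping is the Linux address-family numbering.

```python
import re
from collections import Counter

FIELD = re.compile(r'([\w-]+)="([^"]*)"')            # key="value" pairs
CONNECT_FAIL = re.compile(r'connect\(\) on AF (\d+) socket to (\S+) failed: (.+)')
AF_NAMES = {"2": "IPv4", "10": "IPv6"}               # Linux AF_INET / AF_INET6

# Constructed sample, shortened from the line format quoted in the post.
SAMPLE = """\
2017:08:23-10:31:49 serestsophos httpproxy[9828]: id="0001" severity="info" name="http access" action="pass" method="GET" srcip="192.168.101.132" statuscode="200" url="cdn.odc.officeapps.live.com/img.png"
2017:08:23-10:31:49 serestsophos httpproxy[9828]: id="0003" severity="info" function="ssl_raw_read" file="ssl.c" message="SSL_ERROR_SYSCALL: ret=-1 error=Connection reset by peer"
2017:08:23-10:33:05 serestsophos httpproxy[9828]: id="0001" severity="info" name="http access" action="pass" method="CONNECT" srcip="192.168.101.132" statuscode="200" url="vortex.data.microsoft.com/"
2017:08:23-10:42:14 serestsophos httpproxy[9828]: id="0003" severity="info" function="connect_server" file="dns.c" message="connect() on AF 2 socket to 93.184.221.200 failed: Network is unreachable"
2017:08:23-10:42:14 serestsophos httpproxy[9828]: id="0003" severity="info" function="connect_server" file="dns.c" message="connect() on AF 2 socket to 93.184.221.200 failed: Network is unreachable"
2017:08:23-10:42:15 serestsophos otherdaemon[1]: id="9999" message="constructed non-proxy line"
"""

def parse_line(line):
    """Return the key/value fields of one httpproxy line, or None for other lines."""
    head, sep, rest = line.partition(" httpproxy[")
    if not sep:
        return None
    fields = dict(FIELD.findall(rest))
    fields["timestamp"] = head.split(" ", 1)[0]
    return fields

def summarize(text):
    """Count proxy-side connect() failures, TLS resets and passed hosts."""
    unreachable, resets, passed = Counter(), 0, Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec.get("message", "")
        if rec.get("id") == "0003":                   # proxy error message line
            m = CONNECT_FAIL.match(msg)
            if m:
                af, dst, reason = m.groups()
                unreachable[(AF_NAMES.get(af, "AF " + af), dst, reason)] += 1
            elif "Connection reset by peer" in msg:
                resets += 1
        elif rec.get("id") == "0001" and rec.get("action") == "pass":
            passed[rec.get("url", "").split("/", 1)[0]] += 1   # host part of url
    return {"unreachable": dict(unreachable), "resets": resets, "passed": dict(passed)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A destination that appears only under "unreachable" and never under "passed" points at the proxy host's own outbound path to that address rather than at a filtering decision, since no access line with an action was logged for it.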



  • Disabling web protection and any proxy, I get a timeout.

    What is strange is that something hates api.nuget.org in Sophos UTM; the traceroute is blocked at the UTM while other traceroutes go through.
    Obviously the ICMP settings are the same.

  • Is it possible that access to NuGet is blocked due to the Troj/Eterocks-C Trojan virus?

    See https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Eterocks-C/detailed-analysis.aspx

    In that case, how can I allow access to NuGet for the other packages?
    NuGet is very important in Microsoft Visual Studio.

  • Fabio, I don't understand why the IP you get for api.nuget.org is a server in Georgia instead of one in Europe, but maybe Microsoft doesn't have any there.  In any case, the trace routes demonstrate that this is a problem outside of your control.

    From Oklahoma City and a lookup tool in Dallas, I get 72.21.81.200 for cs9.wpc.v0cdn.net - can you tracert to that numeric IP?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • From here (the Netherlands) I can successfully traceroute to api.nuget.org

     

    C:\Temp>tracert -w 30 api.nuget.org

    Tracing route to cs9.wpc.v0cdn.net [93.184.221.200]
    over a maximum of 30 hops:

    1 <1 ms <1 ms <1 ms ***** [192.168.1.253]
    2 <1 ms <1 ms <1 ******
    3 6 ms 7 ms 7 ms ******
    4 7 ms 7 ms 6 ms *******
    5 * * * Request timed out.
    6 15 ms 10 ms 26 ms nl-ams14a-ri1-ae8-0.aorta.net [84.116.135.38]
    7 28 ms 10 ms 12 ms 213.46.182.154
    8 10 ms 10 ms 10 ms 152.195.105.129
    9 10 ms 9 ms 10 ms 93.184.221.200

    Trace complete.

    From the trace I have masked (*) IPs belonging to my own ISP, but they are shown in my tracert.

    Together with Bob I think you may have a problem outside your environment. If you do a: NSLOOKUP api.nuget.org what do you get back? I'm getting the following:

    Non-authoritative answer:
    Name: cs9.wpc.v0cdn.net
    Addresses: 2606:2800:133:206e:1315:22a5:2006:24fd
    93.184.221.200
    Aliases: api.nuget.org
    db16.wpc.azureedge.net


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I have connected a laptop directly to the internet using one of my available IPs, as in the image below.

    While the traceroute from the network behind Sophos and TMG ends at Sophos,

    the tracert from the laptop is perfect.

    Apart from the traceroute to NuGet from the laptop, NuGet also works from Visual Studio installed on the laptop.

    The network protected by Sophos has 2 internet connections:
    - The one connected to the switch.
    - Another with PPPoE.
    I tried to reach api.nuget.org with only one network enabled, but in both cases I wasn't successful.

    I suppose there is something in Sophos protecting from https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Eterocks-C/detailed-analysis.aspx that blocks access to NuGet, but I am unable to find it.

     

  • Fabio, both apijnappels and I are behind a UTM and our traceroutes are not blocked.  Are you certain you're not seeing anything interesting when you do #1 in Rulz?

    Cheers - Bob

     
  • I have followed your suggestion and I have done a lot of checks.
    Anyway, there is no entry in Intrusion Prevention or Application Control, and nothing interesting in the Firewall log.
    In conclusion, I wasn't able to get the NuGet manager working with intrusion prevention enabled.

    I have used Wireshark to examine the traffic flow on the external interface, without results.

    The suboptimal working configuration I have is:

    • Web Filtering standard mode
    • HTTPS: decrypt and scan
    • No exceptions
    • On client - Internet options - Connections - LAN settings - Advanced - Do not use proxy server for addresses beginning with --> *.nuget.org/*

    With this configuration everything works.
    The aforementioned trojan is a risk, but by enabling the client to bypass web filtering only when a well-known package is necessary, the risk is almost zero.

    I wish to thank  and  for cooperation.

  • You're welcome, Fabio, and thank you for completing the thread for those that will follow here.

    Cheers - Bob

     