I've got a Sophos Web Appliance running v18.104.22.168
I have a test machine running Windows 10 but it's unable to download any updates or new apps.
The SWA is not showing anything blocked or warned, just the sites I would expect to be shown (v10.vortex-win.data.microsoft.com, mobile.pipe.aria.microsoft.com, wns.windows.com, storeedgefd.dsx.mp.microsoft.com etc.)
This is a brand new install of Windows 10.
If I connect the Windows 10 computer to my phone as a mobile hotspot it downloads everything correctly.
Does this article help? https://community.sophos.com/kb/en-us/119753
In reply to Bianson:
Does anyone have this working? I've added all the recommended MS sites to the local site list as globally allowed, but neither Windows Store apps nor updates will download.
In reply to William Bain:
Do you have HTTPS scanning and certificate validation enabled? Some of the torrent servers have been known to use self-signed certificates. Thank you.
And you've added microsoft.com as trusted?
I've disabled scanning and cert inspection for testing
I've also noticed that if I point the traffic to our Fortinet proxies or TMGs the downloads work but the updates still fail.
Yes, I have, and all the other sites recommended in the MS articles.
Most of the W10 issues I have seen going through the SWA are related to some of MS's back-of-house servers. I have found a couple with self-signed certificates as well as servers that still use SSLv3. The appliance will instantly drop a v3 connection and this would only be seen in the logs.
I recommend that you export the sophos.log file to a syslog server.
You will get something like this:
h=10.99.115.13 u="DOMAIN\\johnsmith" s=200 X=- t=1336666489 T=284453Ts=0 act=1 cat="0x220000002a" app="-" rsn=- threat="-" type="text/html" ctype="text/html"
sav-ev=4.77 sav-dv=2012.5.10.4770003 uri-dv=- cache=- in=1255 out=26198 meth=GET ref="-" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"
req="GET http://www.google.ca/ HTTP/1.1" dom="google.ca" filetype="-" rule="0" filesize=25815 axtime=0.048193 fttime=0.049360 scantime=0.011 src_cat="0x2f0000002a"
labs_cat="0x2f0000002a" dcat_prox="-" target_ip="22.214.171.124" labs_rule_id="0" reqtime=0.027 adtime=0.001625 ftbypass=- os=Windows authn=53 auth_by=portal_cache
dnstime=0.000197 quotatime=- sandbox=-
The log definition can be found in the help or online here: http://wsa.sophos.com/docs/wsa/webhelp/index.html#swa/concepts/InterpretingLogFiles.html
You will need to use a combination of SSL Labs and the output of the logs to identify either bad servers or problematic ones. RSN, ACT and GET will give you more info.
The last issue you will have is that W10 updates use torrents to transfer updates. Byte Range requests are blocked by default; only a site that is set as trusted will allow partial file requests.
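As an added example (not code from the post or from Sophos), here is a small Python parser for the key=value layout of the sophos.log record shown above; it groups records by dom and reports hosts with non-2xx statuses or a reason code (rsn), which are the fields the post suggests looking at. The field meanings, the constructed records and the placeholder reason code are assumptions.

```python
import re
from collections import defaultdict

# One field is key=value; values are bare tokens ("-" meaning empty) or
# double-quoted strings that may contain backslash escapes, e.g. u="DOMAIN\\johnsmith".
_FIELD_RE = re.compile(r'([A-Za-z_][\w-]*)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_swa_line(line):
    """Parse one sophos.log record into a dict; '-' values become None."""
    fields = {}
    for key, raw in _FIELD_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
            raw = raw[1:-1].replace('\\\\', '\\')   # strip quotes, unescape backslashes
        fields[key] = None if raw == '-' else raw
    return fields

def find_problem_hosts(lines):
    """Group records by dom; report domains with any non-2xx status or a reason code."""
    per_dom = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_swa_line(line)
            per_dom[rec.get('dom')].append(rec)
    report = {}
    for dom, recs in per_dom.items():
        bad = [r for r in recs if r.get('rsn') or not (r.get('s') or '').startswith('2')]
        if bad:
            report[dom] = {
                'requests': len(recs),
                'flagged': len(bad),
                'statuses': sorted({r.get('s') or '?' for r in bad}),
                'reasons': sorted({r['rsn'] for r in bad if r.get('rsn')}),
                'target_ips': sorted({r['target_ip'] for r in bad if r.get('target_ip')}),
                'requests_seen': sorted({r['req'] for r in bad if r.get('req')}),
            }
    return report

# Sample input. The first record is the line quoted in the post above (joined into
# one line); the other two are constructed records using documentation addresses.
SAMPLE_LINES = [
    r'h=10.99.115.13 u="DOMAIN\\johnsmith" s=200 X=- t=1336666489 T=284453Ts=0 act=1 cat="0x220000002a" app="-" rsn=- threat="-" type="text/html" ctype="text/html" sav-ev=4.77 sav-dv=2012.5.10.4770003 uri-dv=- cache=- in=1255 out=26198 meth=GET ref="-" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0" req="GET http://www.google.ca/ HTTP/1.1" dom="google.ca" filetype="-" rule="0" filesize=25815 axtime=0.048193 fttime=0.049360 scantime=0.011 src_cat="0x2f0000002a" labs_cat="0x2f0000002a" dcat_prox="-" target_ip="22.214.171.124" labs_rule_id="0" reqtime=0.027 adtime=0.001625 ftbypass=- os=Windows authn=53 auth_by=portal_cache dnstime=0.000197 quotatime=- sandbox=-',
    # Constructed: a denied fetch; "placeholder_reason" is not a real SWA reason code.
    r'h=10.99.115.14 u="DOMAIN\\testpc$" s=403 X=- t=1336666500 rsn="placeholder_reason" threat="-" meth=GET req="GET http://update.example.com/cab/a.cab HTTP/1.1" dom="update.example.com" target_ip="203.0.113.10"',
    # Constructed: a successful fetch from the same host, counted but not flagged.
    r'h=10.99.115.14 u="DOMAIN\\testpc$" s=200 X=- t=1336666501 rsn=- threat="-" meth=GET req="GET http://update.example.com/cab/b.cab HTTP/1.1" dom="update.example.com" target_ip="203.0.113.10"',
]

if __name__ == '__main__':
    for dom, info in find_problem_hosts(SAMPLE_LINES).items():
        print(dom, info)
```

Feed it the syslog export instead of SAMPLE_LINES and the flagged domains are the ones to check with SSL Labs or add to the trusted list.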