Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
We'd love to hear about it! Click here to go to the product suggestion community
I'm getting thousands of these a day, most times (99.99%) with internal sources, sometimes with an external source.Firmware is 17.1.3 MR3
I have two XG applainces, one 310 and 105w. On the XG310 17.5.0 GA and on XG105w 17.5.3 MR-3. On both devices I have "Data sent on stream after TCP Reset received"Then on 105w I have done "set ips tcp_option detect_anomalies disable" and there is no more that kind of network intrusions in the last two hours. I will be watching and when it is ok I will try to implement this on bigger XG.
In reply to FloSupport:
I am getting these as well, I did follow the KB, what confusing me is I am on XG105w 17.5.3 MR-3. So I would think Sophos would have fixed this by now without me having to use the KB. Since they still have the KB in place and are not sending the fix out with the latest release I am assuming that this is not completely fixed and the KB is a workaround until Sophos can figure out why there are so many false postives?
What I am looking for here is why was it enabled in the first place and what threats am I exposing the network too if I disable it?
In reply to badrobot:
The fix to this issue was the setting being disabled by default starting with SFOS v17.1.4 MR-4, so I apologize as it seems this did not occur for you.
As I mentioned previously:
This specific IPS signature has been disabled by default, starting with SFOS v17.1.4 MR-4 due to customers experiencing excessive false-positives.
These IPS signatures are triggered by TCP anomalies (includes RST packets received outside of window). This was causing some customers to experience valid RST packets being false-positively dropped.
Customers still experiencing excessive false-positives should raise a support case for further investigation. However, this setting can also be disabled via the console command (set ips tcp_option detect_anomalies disable) to allow the TCP anomaly decision to be made by the host client OS instead if desired.
Please continue to monitor and let me know if you run into any further issues.