Hi all,
We're looking at enabling SSL Inspection on the Endpoints with XDR Advanced.
However, this always has the potenial to block applications or websites from working. Is there a log on Sophos Central I can used to find where SSL Decryption may have blocked something specifically? Not just the general Web Block logs?
Hi David,
The main log here is the SophosNetFilter.log under: "C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\".
You can increase the logging for the component in ESH:
This will create: LogLevel 0 DWORD under: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Logging\NTP\SophosNetFilter.exe to enable DebugLevel, so you don't have to use ESH but it's probably easier with physical access but you could do it from a cmd line with this info if needed.
You can always add exceptions and categories that shouldn't be inspected if needed in policy.
https://cloud.sophos.com/manage/config/settings/ssl-tls-decryption
At the client to check, under:
HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\20250102171622312090\web_protection
Where: 20250102171622312090 is the latest policy (timestamp) as pointed to by the latest REG_SZ value under the parent key: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\
https_decrypt_enabled will show if decryption is enabled.
https_decrypt_excluded_categories will have the cat ids that aren't decrypted .
https_decrypt_excluded_sites will list the specific sites you may define.
Quote