Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 34 replies
  • Answers 2 answers
  • Subscribers 42 subscribers
  • Views 13270 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

So... why are NVIDIA drivers suddenly taboo to download?

Amodin

Not changed a thing on XG, even downloaded these drivers, using the same application, several times in the past. For the first time in weeks, I haven't had to mess with anything.  This worked just fine before.

I even have a 'Safe Downloading' exception for NVIDIA, yet the firewall is denying the download.  Today, the moon or the sun, or someone screwing with something must be the issue.  Had this happen before on UTM with Windows Updates, and then it magically fixed itself days later. 

What prompts this behavior to change and decide, "Oh well today I think it's okay, so I'm going to allow a download.  Yesterday didn't work for me."

I really don't understand this logic with the firewall.

messageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" fw_rule_id="5" fw_rule_name="#Default_Network_Policy" fw_rule_section="Local rule" user="" user_group="" web_policy_id="12" web_policy="Default Policy" category="Download Freeware & Shareware" category_type="Objectionable" url="">international-gfe.download.nvidia.com" content_type="" override_token="" src_ip="172.18.0.98" dst_ip="192.229.211.70" protocol="TCP" src_port="63610" dst_port="443" bytes_sent="0" bytes_received="0" domain="international-gfe.download.nvidia.com" exception="" activity_name="" reason="" user_agent="" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="3501233152" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"


This thread was automatically locked due to age.
  • 0 in reply to alan weir

    Essentially i gave this URL to the Labs to get categorized. 

    Using this: support.sophos.com/.../filesubmission

    __________________________________________________________________________________________________________________

  • 0 in reply to Amodin
    Amodin said:
    The lazy administrator would probably isolate it as much as you did to allow it but no other Shareware/Freeware, and maybe make a post about it for support to see.

    so in other words they would make an exception in the web filter to allow downloads.nvidia.com or allow the freeware and shareware category just like what the manual and Sophos Assistant tells you to do. I can't think of any other way around it.

    Now us.downloads.nvidia.com is classified as Software Updates,

    and downloads.nvidia.com is classified as Information Technology

  • 0 in reply to Amodin

    Check Intelix now: https://intelix.sophos.com/ 

    __________________________________________________________________________________________________________________

  • 0 in reply to alan weir

    The lazy administrator would probably isolate it as much as you did to allow it but no other Shareware/Freeware, and maybe make a post about it for support to see.

    The ones that cry foul add it to their list of reasons why they curse the software daily when they login, lol. But they have no other choice because it won't change.

    My wife would be considered a subject matter expert in risk mitigation and forensic scheduling related to construction, and her scheduling software is such a joke, she has to box with it enough to make it right without compromising the integrity of the schedule so it can still be empirically proven. Oracle owns the software, and they bought it with absolutely no idea how it works and why it has some of the dumbest logic in the software that would never be used in the industry - yet they won't take it out because of hurt pride and all (my opinion shared amongst a lot of others).

    At any rate, off-track.  I'll stop here, shrug my shoulders and move ahead with other plans.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to Amodin

    Based on Lucar’s answer all software and firmware updates should be classified as shareware eg XG firmware updates anti whatever to the desktop etc.

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Amodin

    How would an actual network admin handle this issue? Do most companies just contact Sophos support, and they remotely administer the firewall? Wanting to know how it is actually handled in a real world scenario, and the correct, recommended method. 

  • 0 in reply to LuCar Toni

    Then by your definition, any driver set to update a computer or peripheral should be categorized as Shareware/Freeware and blocked as such, including but not limited to, Microsoft Updates.  Drivers are no different.

    LuCar Toni said:
    Try: ^[A-Za-z0-9.-]*\.download\.nvidia\.com/

    This is exactly the same regex that I posted above, and it doesn't work either.

    alan weir said:
    Which is why granularity rules are recommended, and the web exception should now only allow nvidia driver downloads from China/U.S. with no risk of allowing other downloads from China.

    But that's the thing, today was not a China-based CDN, and frankly neither was the original one, as it went to the same IP address, which is U.S. based on ARIN and ASN number.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to alan weir

    Try: ^[A-Za-z0-9.-]*\.download\.nvidia\.com/

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    The issue is that the nvidia drivers are more like Software Updates than shareware and should be categorized as that. The categorization makes no distinction between Freeware and Shareware which are lumped together as an umbrella term in the same category.

    The other issue is that even though Amodin was blocking downloads from China, the driver downloads were allowed once the Shareware exception was made, because of your explanation above.

    Which is why granularity rules are recommended, and the web exception should now only allow nvidia driver downloads from China/U.S. with no risk of allowing other downloads from China.

  • 0 in reply to Amodin

    Why is Nvidia not Share/Freeware? Isnt this the definition of Freeware, if you can download it without any restricition and use it? https://en.wikipedia.org/wiki/Freeware 

    __________________________________________________________________________________________________________________

Unfiltered HTML