
Wild-card DNS definitions in Transparent Skip list?

Hi

I'm trying to add wildcard domains for "Skip Transparent Mode" in 9.355 (this is needed to get Sophos Cloud endpoints to work behind a transparent proxy).

The area only allows import of network objects, and not RegEx like the scanning exceptions do.

I am able to create DNS hosts, and DNS groups, but making a [ *.sophosupd.com ] DNS host/group object does not catch requests going to dci.sophosupd.com.

Is this a Bug or is the creation of wildcard DNS hosts or groups not possible in 9.355?

If it is not possible then Sophos needs to fix their Cloud AV to play nicer with transparent proxies.



  • Hi,

    Greetings.

    The Skip Transparent Mode option is only meaningful if the Web Filter runs in transparent mode. Hosts and networks listed in the Skip transparent mode hosts/nets boxes will not be subject to the transparent interception of HTTP traffic. To allow HTTP traffic (without proxy) for hosts and networks, the Allow HTTP/S traffic for listed hosts/nets check box is selected.

    When you define a host under this mode and keep the mouse pointer over the host, it will reflect resolved or unresolved. A wildcard DNS host cannot be defined as a wildcard host cannot be resolved.

    I suggest you configure an exception with RegEx by navigating to Web Protection > Filtering Options > Exceptions.

    This will also give you granular definition to filter the URLs.

    Hope that helps.

    Thanks

    Sachin Gurung

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi, Thank you Sachin

    I am running in transparent mode, and I did add those exceptions in the Filter Options, to the Sophos Services

    The " ^https?://[A-Za-z0-9.-]*\.sophosupd\.com/ " should have been all that was needed to get the cloud AV to install. This had no effect. Unless my RegEx is wrong..

    The endpoints throw an error and abort installation

    [ 1280] WARN WindowsProxyDiscoveryWrapper::GetProxyForUrl Failed to get the automatic proxy configuration. The error code was 12180.

    Adding dci.sophosupd.com to the destination field in skip transparent mode works.

    I was hoping they would be [unresolved] until being called upon.

    --------------------------

    Edit

    Ugh, just noticed that RegEx was for the https URL and not the http one the product uses. I'll try adding that and see how it goes.

  • Hi,

    The RegEx for dci.sophosupd.com will be ^https?://([A-Za-z0-9.-]*\.)?dci\.sophosupd\.com/.

    Can you try an exception with this and let me know.

    Hope that helps :)

    Thanks

    Sachin Gurung


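To see what the two patterns posted in this thread actually cover, here is a small harness (an added example, not code from the thread or from Sophos) that runs them against a set of constructed URLs built from the hostnames that appear in the logs further down. It assumes, as the `^https?://` prefix of both patterns implies, that the Exception rule is applied to the full URL including the scheme. Two properties of the patterns are worth noticing: `https?` makes the `s` optional, so either pattern covers both http and https; and the trailing `/` after `.com` is what keeps a lookalike host such as `dci.sophosupd.com.evil.example` from matching.

```python
import re
from typing import Dict

# Added example, not from the thread. The two patterns are the ones posted above;
# the URLs are constructed for the test, with hosts taken from the thread's logs.
PATTERNS = {
    # posted first: any label ending in .sophosupd.com
    "wildcard_sophosupd": r"^https?://[A-Za-z0-9.-]*\.sophosupd\.com/",
    # posted second: dci.sophosupd.com and any sub-label of it
    "dci_sophosupd": r"^https?://([A-Za-z0-9.-]*\.)?dci\.sophosupd\.com/",
}

TEST_URLS = [
    "http://dci.sophosupd.com/update",               # the URL the poster says breaks the install
    "https://dci.sophosupd.com/cloudupdate/",        # same host over TLS
    "http://d1.sophosupd.com/sddsconf.xml",          # sibling host seen in the proxy log
    "http://dci.sophosupd.net/cloudupdate",          # .net fallback location from the AV log
    "http://sophosupd.com/",                         # bare apex, no sub-label
    "http://evil.example/dci.sophosupd.com/",        # hostname appears only in the path
    "http://dci.sophosupd.com.evil.example/update",  # lookalike suffix
]


def url_matches(pattern: str, url: str) -> bool:
    """True if the exception pattern matches the full URL, scheme included."""
    return re.search(pattern, url) is not None


def evaluate(patterns: Dict[str, str] = PATTERNS, urls=TEST_URLS) -> Dict[str, Dict[str, bool]]:
    """Return {pattern name: {url: matched?}} for every pattern/URL pair."""
    return {name: {u: url_matches(p, u) for u in urls} for name, p in patterns.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(name)
        for u, hit in results.items():
            print(f"  {'MATCH' if hit else 'no   '}  {u}")
```

Run it and the first pattern matches the `dci.` and `d1.` hosts over both schemes, while the second matches only `dci.sophosupd.com`; neither matches the `.net` fallback host, the bare apex, a URL that only carries the hostname in its path, or the lookalike suffix.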
  • These are the Exceptions that I believe you should have:

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you both, I have not tried installing on any more win 10 boxes to test. 

  • Hi

    So I have a new windows 10 box to test with, and I tried to install cloud AV with those exceptions. It still does NOT work. :(

    The first 3 should be the ones BAlfson posted, the last one was the one Sachin posted..

    The URL that is causing the issues is the http://dci.sophosupd.com/update. Adding that to the skip list fixes it, but not the proxy exception.

    So I still have a bad RegEx, or there is a problem with the Sophos cloud AV product when it comes to working with transparent proxies. 

    Is this a bug?

  • Please show us the line from the Web Filtering log where the access to dci.sophosupd.com/update was blocked.

    Cheers - Bob

  • Hi, yeah, it's strange: it does not show it as being blocked, but the AV program says that it cannot connect to the server, that its proxy settings are not set.

    It looks like the traffic is being captured by the exception RegEx because at the end of each line it says the exceptions applied to the request. exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size"

    -----------------------------------------------------

    UTM Proxy Log

    -----------------------------------------------------

    2016:04:26-13:29:28 Acme httpproxy[9716]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.12.125" dstip="68.142.102.148" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Acme Default content filter action)" size="3463" request="0xa8fea000" url="dci.sophosupd.com/.../7797f67b4839fa14b6384883a6fc7264.dat" referer="" error="" authtime="0" dnstime="61" cattime="0" avscantime="0" fullreqtime="174873" device="0" auth="0" ua="SophosUpdate/5.0.0.39 SDDS/2.0 (u= JNVP5NOJ33 c= a23a1045-4a83-4b21-8ea0-6e55b54877ce i= 715dde83-3980-d496-3841-88d956c63610 )" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size"

    2016:04:26-13:29:28 Acme httpproxy[9716]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.12.125" dstip="68.142.102.148" user="" ad_domain="" statuscode="404" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Acme Default content filter action)" size="0" request="0xe2c9d800" url="d1.sophosupd.com/.../sddsconf.xml" referer="" error="" authtime="0" dnstime="58" cattime="0" avscantime="0" fullreqtime="50522" device="0" auth="0" ua="SophosUpdate/5.0.0.39 SDDS/2.0 (u= JNVP5NOJ33 c= a23a1045-4a83-4b21-8ea0-6e55b54877ce i= 715dde83-3980-d496-3841-88d956c63610 )" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size"

    2016:04:26-13:29:28 Acme httpproxy[9716]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.12.125" dstip="" user="" ad_domain="" statuscode="200" cached="1" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Acme Default content filter action)" size="173" request="0xe2c9d800" url="d1.sophosupd.com/.../sdds.CEPNG_1131.1.xml" referer="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="2575" device="0" auth="0" ua="SophosUpdate/5.0.0.39 SDDS/2.0 (u= JNVP5NOJ33 c= a23a1045-4a83-4b21-8ea0-6e55b54877ce i= 715dde83-3980-d496-3841-88d956c63610 )" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size"

    2016:04:26-13:29:28 Acme httpproxy[9716]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.12.125" dstip="68.142.102.148" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Acme Default content filter action)" size="3463" request="0xa8fea000" url="dci.sophosupd.com/.../7797f67b4839fa14b6384883a6fc7264.dat" referer="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="130054" device="0" auth="0" ua="SophosUpdate/5.0.0.39 SDDS/2.0 (u= JNVP5NOJ33 c= a23a1045-4a83-4b21-8ea0-6e55b54877ce i= 715dde83-3980-d496-3841-88d956c63610 )" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size"

    2016:04:26-13:29:28 Acme httpproxy[9716]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.12.125" dstip="68.142.102.148" user="" ad_domain="" statuscode="404" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Acme Default content filter action)" size="0" request="0xe2c9d800" url="d1.sophosupd.com/.../sddsconf.xml" referer="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="70814" device="0" auth="0" ua="SophosUpdate/5.0.0.39 SDDS/2.0 (u= JNVP5NOJ33 c= a23a1045-4a83-4b21-8ea0-6e55b54877ce i= 715dde83-3980-d496-3841-88d956c63610 )" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size"

    2016:04:26-13:29:28 Acme httpproxy[9716]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.12.125" dstip="" user="" ad_domain="" statuscode="200" cached="1" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Acme Default content filter action)" size="173" request="0xe2c9d800" url="d1.sophosupd.com/.../sdds.CEPNG_1131.1.xml" referer="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="1625" device="0" auth="0" ua="SophosUpdate/5.0.0.39 SDDS/2.0 (u= JNVP5NOJ33 c= a23a1045-4a83-4b21-8ea0-6e55b54877ce i= 715dde83-3980-d496-3841-88d956c63610 )" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size"

    -----------------------------------------------------

    Sophos Cloud AV Log

    -----------------------------------------------------

    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain =========================
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain SophosUpdate is starting.
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain AutoUpdate version : 5.0.0.39
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain SophosUpdate version : 5.0.0.1
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain Build : 99493
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain =========================
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain Set process security
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain Initialise COM.
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain Load config.
    2016-04-26T17:29:33.069Z [ 6164] INFO `anonymous-namespace'::ReadFileContents Slurping file of size 868 bytes.
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain Create registry reporter.
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain Load state.
    2016-04-26T17:29:33.069Z [ 6164] INFO StatePersister::Load Loading state file C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain Create progress reporter.
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain Create language neutral logger.
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain Create downloader.
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain Create installer.
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain Create adapter writer.
    2016-04-26T17:29:33.069Z [ 6164] INFO IPCBase::IPCBase IPCBase::IPCBase: Connected to shared memory A32951C539924a12B3C8F2FDA5A268E4
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain Create completion reporter.
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain Create update logic.
    2016-04-26T17:29:33.069Z [ 6240] INFO `anonymous-namespace'::SenderThreadFn::operator() Sender thread started.
    2016-04-26T17:29:33.069Z [ 6164] INFO WinMain Performing update.
    2016-04-26T17:29:33.069Z [ 6240] INFO IPCSender::ProcessSend IPCSender::ProcessSend started
    2016-04-26T17:29:33.069Z [ 6164] INFO UpdateLogic::Update Reporting update start.
    2016-04-26T17:29:33.069Z [ 6240] INFO IPCSender::ProcessSend IPCSender::ProcessSend: No messages in queue, starting to wait
    2016-04-26T17:29:33.069Z [ 6164] INFO IPCSender::Write IPCSender::Write: Writing message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSStartUpdate" />
    2016-04-26T17:29:33.069Z [ 6240] INFO IPCSender::ProcessSend IPCSender::ProcessSend: Send message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSStartUpdate" />
    2016-04-26T17:29:33.069Z [ 6240] INFO IPCSender::ProcessSend IPCSender::ProcessSend: No messages in queue, starting to wait
    2016-04-26T17:29:33.084Z [ 6164] INFO UpdateLogic::SyncAndInstall Syncing products.
    2016-04-26T17:29:33.084Z [ 6164] INFO SDDSDownloader::SyncInternal Adding Sophos Location: dci.sophosupd.com/cloudupdate
    2016-04-26T17:29:33.084Z [ 6164] INFO SDDSDownloader::SyncInternal Adding Sophos Location: dci.sophosupd.net/cloudupdate
    2016-04-26T17:29:33.084Z [ 6164] INFO SDDSDownloader::SyncInternal Username: JNVP5NOJ33
    2016-04-26T17:29:33.084Z [ 6164] INFO SDDSDownloader::SyncInternal No manually configured proxy.
    2016-04-26T17:29:33.084Z [ 6164] INFO WindowsProxyDiscoveryWrapper::GetDefaultProxyConfiguration WinHttp default proxy not set
    2016-04-26T17:29:33.084Z [ 6164] WARN WindowsProxyDiscoveryWrapper::GetProxyForUrl Failed to get the automatic proxy configuration. The error code was 12180.
    2016-04-26T17:29:33.506Z [ 6164] INFO SUL-Log [I40394] Successfully downloaded customer file
    2016-04-26T17:29:33.506Z [ 6164] ERROR SUL-Log [E32429] XML_ERROR_INVALID_TOKEN
    2016-04-26T17:29:33.506Z [ 6164] INFO SUL-Log [I86539] No proxy was used.
    2016-04-26T17:29:33.506Z [ 6164] ERROR SUL-Log [E41450] XML_ERROR_INVALID_TOKEN
    2016-04-26T17:29:33.506Z [ 6164] ERROR SUL-Log [E43077] Failed to read remote metadata in synchronise
    2016-04-26T17:29:33.522Z [ 6164] ERROR SDDSDownloader::ReportSyncFailure Failed to synchronise
    2016-04-26T17:29:33.522Z [ 6164] INFO UpdateLogic::SyncAndInstall Saving state.
    2016-04-26T17:29:33.522Z [ 6164] INFO StatePersister::Save Overwriting state file C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml
    2016-04-26T17:29:33.522Z [ 6164] INFO UpdateLogic::SyncAndInstall Skipping product install as Sync failed.
    2016-04-26T17:29:34.584Z [ 6164] INFO IPCSender::Write IPCSender::Write: Writing message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate"><ErrorMessage><ID>SDDSDownloadFailed</ID><StringID>107</StringID><Sender>SophosUpdate</Sender><Insert>WindowsCloudNextGen</Insert><Insert>dci.sophosupd.com/.../ErrorMessage><ReadableMessage>ERROR: Download of WindowsCloudNextGen failed from server dci.sophosupd.com/.../Config>
    2016-04-26T17:29:34.584Z [ 6164] INFO WinMain SophosUpdate has completed with the result 0.
    2016-04-26T17:29:34.584Z [ 6240] INFO IPCSender::ProcessSend IPCSender::ProcessSend: Send message: <?xml version="1.0" encoding="utf-8" ?><Config type="RMSEndUpdate"><ErrorMessage><ID>SDDSDownloadFailed</ID><StringID>107</StringID><Sender>SophosUpdate</Sender><Insert>WindowsCloudNextGen</Insert><Insert>dci.sophosupd.com/.../ErrorMessage><ReadableMessage>ERROR: Download of WindowsCloudNextGen failed from server dci.sophosupd.com/.../Config>
    2016-04-26T17:29:34.584Z [ 6240] INFO IPCSender::ProcessSend IPCSender::ProcessSend: No messages in queue, starting to wait
    2016-04-26T17:29:35.600Z [ 6240] INFO IPCSender::ProcessSend IPCSender::ProcessSend exiting
    2016-04-26T17:29:35.600Z [ 6240] INFO `anonymous-namespace'::SenderThreadFn::operator() Sender thread finished.
    2016-04-26T17:29:35.600Z [ 6164] INFO StatePersister::Save Overwriting state file C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml

     
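The Web Filtering records posted above can be read mechanically rather than by eye. The following is an added example, not from the thread or from Sophos: it splits UTM httpproxy records into their key="value" fields and summarises what the proxy did with each request. The three sample records are copied from the post above with the `ua` field dropped for length; the `/.../` path elisions are left as the forum rendered them. The `exceptions` field is the one to look at here: it lists the checks the matching Exception switched off for that request, so `url` appearing in it shows the RegEx exception did match these requests. For the endpoint side of the same log, WinHTTP error 12180 is ERROR_WINHTTP_AUTODETECTION_FAILED: WPAD auto-discovery found no proxy, after which the updater logs "No proxy was used" and connects directly, which is what a transparent proxy intercepts.

```python
import re
from collections import Counter
from typing import Dict, List

# key="value" tokens as written by the UTM httpproxy
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Three records copied from the post above (ua field removed for length).
SAMPLE_LOG = [
    '2016:04:26-13:29:28 Acme httpproxy[9716]: id="0001" severity="info" sys="SecureWeb" sub="http" '
    'name="http access" action="pass" method="GET" srcip="192.168.12.125" dstip="68.142.102.148" '
    'user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_DefaultHTTPCFFAction (Acme Default content filter action)" size="3463" request="0xa8fea000" '
    'url="dci.sophosupd.com/.../7797f67b4839fa14b6384883a6fc7264.dat" referer="" error="" authtime="0" dnstime="61" '
    'cattime="0" avscantime="0" fullreqtime="174873" device="0" auth="0" '
    'exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size"',
    '2016:04:26-13:29:28 Acme httpproxy[9716]: id="0001" severity="info" sys="SecureWeb" sub="http" '
    'name="http access" action="pass" method="GET" srcip="192.168.12.125" dstip="68.142.102.148" '
    'user="" ad_domain="" statuscode="404" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_DefaultHTTPCFFAction (Acme Default content filter action)" size="0" request="0xe2c9d800" '
    'url="d1.sophosupd.com/.../sddsconf.xml" referer="" error="" authtime="0" dnstime="58" '
    'cattime="0" avscantime="0" fullreqtime="50522" device="0" auth="0" '
    'exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size"',
    '2016:04:26-13:29:28 Acme httpproxy[9716]: id="0001" severity="info" sys="SecureWeb" sub="http" '
    'name="http access" action="pass" method="GET" srcip="192.168.12.125" dstip="" '
    'user="" ad_domain="" statuscode="200" cached="1" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_DefaultHTTPCFFAction (Acme Default content filter action)" size="173" request="0xe2c9d800" '
    'url="d1.sophosupd.com/.../sdds.CEPNG_1131.1.xml" referer="" error="" authtime="0" dnstime="0" '
    'cattime="0" avscantime="0" fullreqtime="2575" device="0" auth="0" '
    'exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size"',
]


def parse_record(line: str) -> Dict[str, str]:
    """Split one httpproxy line into its fields. The timestamp/host/process
    prefix before the first key="value" pair is kept under '_prefix'."""
    first = KV_RE.search(line)
    fields = dict(KV_RE.findall(line))
    fields["_prefix"] = line[: first.start()].strip() if first else line.strip()
    return fields


def host_of(url: str) -> str:
    """The UTM logs the URL without a scheme, so the host is the first segment."""
    return url.split("/", 1)[0]


def summarize(lines: List[str]) -> Dict[str, object]:
    """Summarise what the proxy did: blocked requests, origin errors the proxy
    merely relayed, cache hits, and which checks each host's Exception disabled."""
    recs = [parse_record(line) for line in lines]
    by_action_status = Counter((r["action"], r["statuscode"]) for r in recs)
    # Passed by the proxy but answered with an error by the origin server.
    origin_errors = [(r["url"], r["statuscode"]) for r in recs
                     if r["action"] == "pass" and r["statuscode"].startswith(("4", "5"))]
    # Served from the proxy cache: cached="1", and dstip is empty because no
    # upstream connection was made for this request.
    cached_hits = [r["url"] for r in recs if r["cached"] == "1"]
    # Checks that the matching Exception switched off, collected per host.
    skipped: Dict[str, set] = {}
    for r in recs:
        if r.get("exceptions"):
            skipped.setdefault(host_of(r["url"]), set()).update(r["exceptions"].split(","))
    return {
        "by_action_status": by_action_status,
        "blocked": [r["url"] for r in recs if r["action"] != "pass"],
        "origin_errors": origin_errors,
        "cached_hits": cached_hits,
        "skipped_checks": skipped,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On these three records nothing is blocked, one request is a 404 returned by d1.sophosupd.com rather than a filter decision, one response came from the proxy cache, and the `dci.sophosupd.com` requests additionally had the `cache` check disabled while the `d1.sophosupd.com` ones did not, which points at two different Exception definitions matching the two hosts.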

  • Those are all "pass" in the Web Filtering log, but statuscode="404" means the requested page wasn't available from d1.sophosupd.com.  I suspect this client needs to have the Sophos Endpoint client uninstalled and re-installed.  The other possibility is that there's a glitch on the Sophos server.

    Cheers - Bob

  • Thank you BAlfson for your time

    It is a brand new installation; the installation process is not complete, it gets as far as it can, then says it will complete once an internet connection is re-established.

    Adding dci.sophosupd.com to the skip list fixes this.

    So somehow the AV knows it's behind a proxy and stops the installation. I guess I could just add the skip, but would like to understand why it's breaking.

  • Hi,

    Please refer to the link below, I hope this helps.

    https://www.sophos.com/en-us/support/knowledgebase/118209.aspx

    Thanks

    Sachin Gurung


  • Thank you Sachin again for your time

    Hmm, the issue I'm experiencing does not seem to be covered by that KB.

    The AV is able to install correctly when I add the dci IP to the transparency skip list for destinations, but not when added to the exception list.

    It looks like the act of running through the proxy itself is causing the installation to abort. The AV realizes a proxy is in use somehow, checks to see if one has been configured, then aborts. 

    2016-04-26T17:29:33.084Z [ 6164] INFO SDDSDownloader::SyncInternal No manually configured proxy.
    2016-04-26T17:29:33.084Z [ 6164] INFO WindowsProxyDiscoveryWrapper::GetDefaultProxyConfiguration WinHttp default proxy not set
    2016-04-26T17:29:33.084Z [ 6164] WARN WindowsProxyDiscoveryWrapper::GetProxyForUrl Failed to get the automatic proxy configuration. The error code was 12180.

    I give up, it will work by just skipping that one IP, other communication from the AV does not seem to mind running through the proxy.

    Thanks again for all the help everyone.

    Once again this is the Cloud AV product, not the UTM based one + Transparent mode