Sophos Auto Update accesses many domains

Why does the Sophos Auto Update access so many domains outside of sophos.com?

I recently installed Little Snitch, which is a firewall that allows the blocking of individual outgoing connections. I was surprised to find that Sophos Auto Update was accessing domains other than sophos.com....

  • Hello Willum,

    like all "global presences" Sophos uses a content distribution network (CDN) provided by third party suppliers. The IPs used shouldn't be so many, but the resolved names reported by Little Snitch might not be correct in these cases (please see also SophosAutoUpdate connects to strange places).

    Christian

  • Christian, thanks for the reply. There are quite a few of them - take a look at http://snag.gy/6Mjk9.jpg. I got fed up after a while and just clicked to allow all.

    I don't really see why Snitch should be getting them wrong. It would be a little surprising - that is its core business after all.

    I'll see if I can log the IPs next time and check with 'host'... (tried again and it just said it wanted to contact nasa.gov :-/)

    --

    Willum

  • Actually, I see you are correct - it is all from CDNs. That is disappointing, as it means that Snitch gives no protection from apps like Sophos that use a CDN. But as Sophos AV is a privileged process, if it gets hijacked, I guess I'm done for anyway, whatever Snitch does ;-)

  • Hello Willum,

    can't access the picture on snag.gy. Anyway - the relation of DNS names and their related entries (like ALIASes), the IPs these names resolve to and the reverse names of the IPs is somewhat complex. Different names like www1.acme.com, dl-5.swfurnace.net and go2.rilla.org might each resolve to two addresses ("servers", but not necessarily a single machine, rather some nifty networking device) out of a pool of, say, 4. Thus for example acme.com and rilla.org might have one shared address. Reverse DNS usually does not reveal this fact; in the case of Akamai the reverse lookup for 12.345.678.90 would return something like a12-345-678-90.deploy.akamaitechnologies.com - not quite useful. To present the user a meaningful name it's not sufficient to take the IP from a connection attempt and do a reverse lookup. Haven't thought it through, but I guess the only way to get this information is to intercept the forward queries, note the returned address(es) and use them to do the mapping. Obviously you have a problem if a subsequent query for a different name returns one of the "known" addresses. I'd exonerate LS and all the others - there's no way to present correct (and meaningful) information (would "12.345.678.90 has been found to belong to at least www1.acme.com and go2.rilla.org" help?).

    if [Sophos] gets hijacked, I guess I'm done for anyway

    Think you are correct :)

    Christian

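The forward-query mapping Christian sketches above, as an added example in Python (not code from the thread, from Sophos or from Little Snitch): every observed DNS answer is recorded as name -> addresses, a connection is attributed to the names that resolved to its address, and the shared-address case is reported as ambiguous rather than silently picking one name. The names and the 203.0.113.x addresses are constructed; `registered_domain` is a deliberate simplification.

```python
from collections import defaultdict

class DnsObserver:
    """Maps addresses back to the names that resolved to them, using only
    forward answers seen on the wire (no reverse lookups)."""

    def __init__(self):
        self._names_for_ip = defaultdict(list)  # ip -> names, oldest first

    def observe(self, name, addresses):
        """Record one forward answer: name -> one or more addresses."""
        for ip in addresses:
            seen = self._names_for_ip[ip]
            if name in seen:  # re-resolved: move it to the most-recent slot
                seen.remove(name)
            seen.append(name)

    def attribute(self, ip):
        """Return (best_guess, candidates) for a connection to ip: the most
        recently resolved name, plus every name seen for that address so an
        ambiguous attribution is visible instead of silently picking one."""
        names = self._names_for_ip.get(ip, [])
        return (names[-1] if names else None), list(names)

def registered_domain(name):
    """Last two labels; ignores public suffixes like co.uk (simplification)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def reverse_name_matches(rdns_name, candidates):
    """True if a reverse (PTR) name shares a registered domain with any
    forward candidate, i.e. the reverse lookup alone would have helped."""
    return registered_domain(rdns_name) in {registered_domain(c) for c in candidates}

def demo():
    """Constructed pool of four addresses shared by three names (assumed data)."""
    obs = DnsObserver()
    obs.observe("www1.acme.com", ["203.0.113.1", "203.0.113.2"])
    obs.observe("dl-5.swfurnace.net", ["203.0.113.3", "203.0.113.4"])
    obs.observe("go2.rilla.org", ["203.0.113.2", "203.0.113.3"])
    return obs

if __name__ == "__main__":
    obs = demo()
    for ip in ("203.0.113.1", "203.0.113.2", "203.0.113.9"):
        print(ip, "->", obs.attribute(ip))
    print(reverse_name_matches("a203-0-113-2.deploy.akamaitechnologies.com",
                               ["www1.acme.com", "go2.rilla.org"]))
```

The CDN-style reverse name never matches a forward candidate, which is why a per-connection firewall has to rely on the observed forward answers and can only report the set of names sharing an address.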
  • Open Little Snitch, go to "Help" and search for "hostnames". You'll get to see an article called "Rule matching by hostname". There you have your answer on how Little Snitch gets its hostnames in detail.

    :)
