What is causing play.google.com to trigger a policy violation?

We have recently enabled web filtering in Sophos Central. Most of our Windows machines are triggering policy exceptions like below.

'https://play.google.com' blocked due to category 'Downloads'

These are clogging up the event logs so it is extremely difficult to see real problems. What might be causing these exceptions and how do I track down the culprit?

Thanks



  • Hi, Yes. I am also facing something similar with the Play Store whenever trying to access GPA Calculator online. Can anyone please help us down here?

  • You can create a white list for any address (see link below). However, this may also be another aspect of the web filtering policy; given it is flagging downloads, it could be a file extension as well. First I would whitelist the address, then I would suggest creating a test policy: just add a new aspect every few minutes under the download file extension group and test again until you see the event appear in the logs to find your culprit.

    https://community.sophos.com/kb/en-us/121797#How%20to%20exempt%20a%20website

    Respectfully,
    Badrobot

  • Hi there, I'm still not quite sure I can see a way to diagnose this. What do you mean by an 'aspect'?

    I was thinking that I would need to check the logs on the endpoint to see what piece of software is requesting the URL, rather than do anything on the Central Console.
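
Added example, not part of the original thread: one way to see on the endpoint which program is requesting the blocked host, as the post above asks. It assumes Sysmon is installed and configured to log DNS queries (Event ID 22); the one-hour window is an arbitrary choice.

```powershell
# Attribute DNS lookups for the blocked host to the executable that made them.
# Assumption: Sysmon is installed and its configuration records DNS queries (Event ID 22).
$blockedHost = 'play.google.com'          # host named in the Sophos event
$since       = (Get-Date).AddHours(-1)    # look-back window (arbitrary)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 22
    StartTime = $since
}

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the <EventData><Data Name="..."> pairs into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            QueryName = $data['QueryName']
            Image     = $data['Image']
            ProcessId = $data['ProcessId']
        }
    } |
    Where-Object { $_.QueryName -eq $blockedHost -or $_.QueryName -like "*.$blockedHost" }

# One row per executable, busiest first, with the time of its latest lookup.
$hits |
    Group-Object Image |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } }
```

Run it from an elevated prompt on an affected machine. A process that resolves names itself (for example a browser using DNS over HTTPS) will not appear in this log.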

  • Hi

    It looks like the user(s) are accessing a website (or so) that has a banner/object/ad that wants to access play.google.com which is part of a blocked category. You can check the websites previously visited by one of the users who has this warning, to see if that helps. Once you have the website, you can possibly use Chrome F12 browser tools to see what other objects/sites are being loaded.

  • Hi Dianne, thanks for your suggestion. I got the user to monitor her web usage and check her browser history, but she cannot see a pattern. Here's what she reported back.

    "I can't see anything - all the usual sites that I regularly use. I have also been monitoring the Sophos alerts over the last 40 minutes or so to see if I can spot it happening as I do something or open a website, but it has been constantly showing play.google events over the last hour, and all I have open is:

    Gmail
    Calendar
    Google Form
    Synergist

    And these are tabs that I have open as standard all day. I had a click around and opened various sites but couldn't see a pattern to the event alerts - it's been showing events even when I've done nothing but sit and watch for events!!"

    Could it be Chrome itself that is triggering the block? I have other users to whom this is also happening, but it isn't happening to all Windows users. These are the top violators for the last 30 days.

  • Hi  

    If you are seeing activities from the user's machine come up as she is in any of those pages - see if using the F12 Dev tools helps pinpoint something. You may update Chrome if it has not been updated yet (depending on any updating policy your enterprise has for browsers). If not a browser page object, maybe they have a browser plugin/extension installed that is causing it? Are there any unusual apps installed and running on these machines?

  • So we're pretty sure that Chrome updates are causing the messages, but disabling this is proving to be difficult. We patch Chrome using a separate system called Automox, so we can safely disable Chrome's own automatic updates.

    We've tried the renaming of the updates repository trick, and disabled the two services but this hasn't stopped Chrome from phoning home. Does anyone have any other suggestions?

    Thanks.

  • Hi  

    Is the alert seen on all the client computers or for any set of users?

    Also, could you help me with the exact URLs that the user is accessing or the steps to reproduce this issue at my end?

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • Hi Gowtham, no alerts are displayed to the user, but they can see the blocks in their Sophos console history.

    We think that Google Omaha is triggering these blocks, so just launching the browser probably instigates the call. This user has their corporate Gmail account pinned so it would be calling a Google URL the moment she launches the browser as well. So that would be https://mail.google.com.

    What I need to work out is how to completely disable Chrome updates, which is turning out to be a rather difficult task!

    Thanks

  • Hello  

    See if this article helps too if you can't disable Chrome updates.