
Sophos blocked policy violation reporting false data

We added about 15 machines to Sophos Central. So far it’s been working great except for Policy violations. We have over 500 policy violations blocked.  Basically any website we go to, Sophos reports that it blocked something. It’s reporting mostly false positives.


Here are a couple of examples. No one visited the sites below; they are part of the ads on different websites.


Site: adsrvr.org

Categories: Spyware

Visits: 115


Same thing here


Site: rundsp.com

Categories: Spyware

Visits: 28


Is there any way to adjust any of this so it doesn't report this useless info?



  • At my job we've had this issue for two weeks! So far we are at 25,000 policy violations. There's no way to disable the report, and we also had no one visit the sites. Sophos did maintenance about two weeks ago, and maybe their update started keeping records of blocked sites with spyware. They tried to blame the end-user, and when I told them that they never visited the sites they had no answer. I don't think they know why it's being reported either.

  • Hello sabdul and Mario Urrea,

    mostly false positives
    how do you know? Did you check what's on these sites and found them clean or do you mean that your users haven't visited these sites in the sense that they didn't enter these URLs or click on a link that said it would take them there?
    No one visited [...] is part of ads
    the ads you see on a page are loaded from these sites/networks, one doesn't have to click on an ad to visit these sites. Naturally such a connection attempt might get blocked - and thus alerted - by Web Control. Of course you could call this useless info as a) the site has been blocked anyway and b) the ads can't be avoided when your users visit this or that website. 

    I don't know the reason for the recent surge [I'm not Sophos and not a Central user]. It could be a valid and correct classification, it could be a misclassification, it could be a change in reporting.

    Christian     
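The mechanism Christian describes above, as an added example that is not part of the original thread and not Sophos code: a browser rendering one page fetches scripts, images and iframes from whatever third-party hosts the page embeds, and a URL filter sees each of those fetches as a visit to that host. The HTML page, the two-entry category list and the alert format are all constructed for the demonstration.

```python
# Added example (not from the thread or from Sophos): why a user who only opened
# one page generates Web Control "visits" to ad/tracking domains they never typed.
# The sample page, the category list and the output format are constructed.
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed category list standing in for a Web Control block list.
BLOCKED_CATEGORIES = {
    "adsrvr.org": "Spyware",
    "rundsp.com": "Spyware",
}


class ResourceCollector(HTMLParser):
    """Collect URLs the browser fetches automatically while rendering a page."""

    AUTO_FETCH = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.AUTO_FETCH.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # <link> is only fetched at load time for stylesheets and icons.
        if tag == "link" and not any(
            k in (attrs.get("rel") or "") for k in ("stylesheet", "icon")
        ):
            return
        if attrs.get(attr_name):
            self.urls.append(attrs[attr_name])


def registrable_domain(url):
    """Reduce a URL to its last two labels, the granularity the 'Site' column uses."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def simulate_page_load(page_url, html):
    """Return (alerts, allowed) as a URL filter would see a single page load.

    alerts:  Counter of blocked site -> number of blocked fetches ("Visits")
    allowed: set of third-party domains that loaded without a block
    The user only ever typed page_url; every URL below is fetched on their behalf.
    """
    collector = ResourceCollector()
    collector.feed(html)
    alerts = Counter()
    allowed = set()
    for url in collector.urls:
        domain = registrable_domain(url)
        if domain in BLOCKED_CATEGORIES:
            alerts[domain] += 1
        else:
            allowed.add(domain)
    return alerts, allowed


# Constructed page: the user only entered news.example.com in the address bar.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="https://static.example.com/site.css">
<link rel="canonical" href="https://news.example.com/story">
<script src="https://js.adsrvr.org/up_loader.1.1.0.js"></script>
</head><body>
<p>Headline</p>
<img src="https://insight.adsrvr.org/track/up?adv=abc">
<iframe src="https://ads.rundsp.com/slot?id=42"></iframe>
<script src="https://js.adsrvr.org/pixel.js"></script>
</body></html>
"""

if __name__ == "__main__":
    alerts, allowed = simulate_page_load("https://news.example.com/", SAMPLE_PAGE)
    for site, n in alerts.most_common():
        print(f"Site: {site}  Categories: {BLOCKED_CATEGORIES[site]}  Visits: {n}")
    print("Loaded without alert:", sorted(allowed))
```

One page view here produces three blocked fetches to adsrvr.org and one to rundsp.com, which is how a "Visits" count climbs to three figures on a site no one deliberately opened; the check that distinguishes a misclassification from a correct block is still to look at what those hosts serve, not at whether a user clicked.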

  • QC said:

    Hello sabdul and Mario Urrea,

    mostly false positives
    how do you know? Did you check what's on these sites and found them clean or do you mean that your users haven't visited these sites in the sense that they didn't enter these URLs or click on a link that said it would take them there?
    No one visited [...] is part of ads
    the ads you see on a page are loaded from these sites/networks, one doesn't have to click on an ad to visit these sites. Naturally such a connection attempt might get blocked - and thus alerted - by Web Control. Of course you could call this useless info as a) the site has been blocked anyway and b) the ads can't be avoided when your users visit this or that website. 

    I don't know the reason for the recent surge [I'm not Sophos and not a Central user]. It could be a valid and correct classification, it could be a misclassification, it could be a change in reporting.

    Christian     


    Hi Christian

    I did check a few websites and found they were clean. The majority of these alerts are from ads. This is not the information you and I would need or look for. If there is an actual positive report, it will be missed among all these alerts. Just with 15 machines we have had over 500 alerts; I can't imagine putting on 1000 machines. I guess I'll open a ticket and report this issue.

  • Hello sabdul,

    these alerts are from ads
    nevertheless the information is IMO important - legitimate web pages (try to) load content from potentially compromised sites. It's like saying you're only interested if your friends smash your china at your party but you don't care when the people they brought with them do it.

    I'll open a ticket and report this issue
    is nevertheless a good idea. And admittedly it's distracting and the flood is annoying - but that's the problem with third-party content (not just ads, BTW).

    Christian

  • Hello QC,


    What I meant is that some of the end-users were never surfing the web when the sites with spyware were "blocked". My computer shows up in the list of Policy Violators, and when the sites with spyware were blocked I was not surfing the web. I was primarily checking backups or working on Exchange issues. I believe most of these alerts are false positives, and I sent Sophos tech support SDU logs from the computers of the top policy violators; they couldn't determine the root cause for these alerts.

  • Hello Mario Urrea,

    I was not surfing the web [...] they couldn't determine the root cause
    I see. I can't imagine though how Web Control could "invent" traffic that doesn't exist. The detection should be recorded in your computer's SAV.txt - if they aren't there, these alerts did perhaps not come from your computer. As I'm not a Central user I don't know what details are available in the alerts; in the on-premise version the logged-on user is also reported, and in case two or more computers appear as the same, at least this information should give away this fact.

    Christian
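Christian's suggestion above, checking which computer and which logged-on user each alert is attributed to, as an added example that is not part of the original thread and not a Sophos tool. It works on a constructed CSV export of policy-violation alerts; the column names (timestamp, computer, user, site, category) are an assumption and should be adapted to whatever your Central report actually exports. It flags endpoints that report under more than one user, which is what two machines registered under the same identity would look like, and lists alerts that fall outside the hours anyone could plausibly have been browsing.

```python
# Added example (not from the thread or from Sophos): triage an alert export the
# way Christian suggests, by looking at the computer and user behind each alert.
# The CSV layout and every row in it are constructed for this demonstration.
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. WS-07 reports alerts under two different logged-on
# users within the same second, and one of its alerts lands at 03:12.
SAMPLE_EXPORT = """\
timestamp,computer,user,site,category
2016-05-10T09:14:02,WS-03,alice,adsrvr.org,Spyware
2016-05-10T09:14:03,WS-03,alice,rundsp.com,Spyware
2016-05-10T10:02:41,WS-07,bob,adsrvr.org,Spyware
2016-05-10T10:02:41,WS-07,carol,adsrvr.org,Spyware
2016-05-11T03:12:17,WS-07,bob,adsrvr.org,Spyware
2016-05-11T11:30:00,WS-12,dave,rundsp.com,Spyware
"""


def parse_export(text):
    """Parse the (assumed) export format into dicts with a real datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def users_per_computer(rows):
    """Computers that report alerts under more than one user.

    A single workstation normally has one interactive user at a time; several
    users on the same computer name is the symptom of two endpoints that
    appear as one, or of a shared/terminal-server host worth checking.
    """
    users = defaultdict(set)
    for r in rows:
        users[r["computer"]].add(r["user"])
    return {c: sorted(u) for c, u in users.items() if len(u) > 1}


def off_hours_alerts(rows, start_hour=8, end_hour=18):
    """Alerts outside the window when anyone could plausibly have been browsing.

    Browsers left open and background processes still fetch content, so an
    off-hours hit is a prompt to check that endpoint's local log (SAV.txt on
    the on-premise product), not proof that the alert is wrong.
    """
    return [r for r in rows if not (start_hour <= r["timestamp"].hour < end_hour)]


def visits_per_site(rows):
    """The same per-site 'Visits' count the console shows, from the export."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["site"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("Computers with more than one user:", users_per_computer(rows))
    for r in off_hours_alerts(rows):
        print("Off-hours:", r["timestamp"], r["computer"], r["user"], r["site"])
    print("Visits per site:", visits_per_site(rows))
```

If an endpoint shows up with several users, or with alerts at times the named user was demonstrably not logged on, that is the evidence to put in the support case, since it points at the attribution of the alert rather than at the classification of the site.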

  • I don't know what's going on. Someone else posted on these forums that they are seeing the same thing. All the computers in our infrastructure are now showing the policy violation alerts. I hope they are false positives.

  • Chris,

    Is there anyone else on the forum from Sophos who uses Sophos Central? This is my biggest issue with Sophos support. I opened a ticket with support regarding this issue and this is what I got in return. Some of the people I get in touch with have no clue about this product at all. How do I pass this information to the developers, because this violation information is not valid?

    Hello,

    This is regarding your reference case - #

    Thank you for the information.

    Apologies, but nothing can be done about the policy violations.

    The Policy Violation alerts get filtered out from the back-end roughly every 90 days.

    Please let me know if you have any query.

    Thanks & Regards,

    Sophos Technical Support

  • Hello sabdul,

    Chris
    if you don't mind - Christian. I was never fond of this shortened version.

    I'm not from Sophos apart from the fact that I'm using the on-premise SESC. Sometimes (often?) I horn in on unanswered topics just to get the ball rolling.

    pass this information to the developers
    guess there is no direct channel to Dev. Higher levels aren't completely walled off though. If you think that 1st level doesn't handle your requests appropriately
    is in the position to take a look.

    Christian

  • Hello Mario Urrea,

    the Spyware classification looks similar to this thread, but you say that your users didn't even use a browser.
    If you have a case open and think it isn't handled appropriately please see my reply to . These perhaps erroneous policy violations don't seem to be a general issue like the Central Admin US-West issue.

    Christian