Sophos blocked policy violation reporting false data

We added about 15 machines to Sophos Central. So far it’s been working great except for Policy violations. We have over 500 policy violations blocked. Basically any website we go to, Sophos reports that it blocked something. It’s reporting mostly false positives.

Here are a couple of examples. No one visited the sites below. This is part of ads on different websites.

Site: adsrvr.org
Categories: Spyware
Visits: 115

Same thing here:

Site: rundsp.com
Categories: Spyware
Visits: 28

Is there any way to adjust any of this so it doesn't report this useless info?



This thread was automatically locked due to age.
  • Hi  

    Could you help me with a few more details regarding the reported website?

    * Are they seen on all the Endpoints or any specific Endpoint?

    * Are you still seeing the alerts for the specific sites?

    On verifying the sites, I see that they are not categorized as Spyware and I am able to access them.

    Site: adsrvr.org
    Categories: Computing & internet.

    Site: rundsp.com
    Categories: Advertisements & pop-ups.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

  • We see this at MOST of the clients we manage.

    We call them passive blocks.
    The user opens MSN, Bing, Yahoo, etc. Windows with links to "Naughty celebrity story" and other items not allowed by policy all appear on the screen.
    Sophos blocks access; the user isn't trying to go to the links, they are just checking out the news or whatever.

    If you check the event logs they are filled with the passive blocks. We usually log attempted access to blocked categories, so we know if they try to access the sites.
    But if you run the events report it doesn't distinguish that these are passive blocks.
    I spend a lot of time explaining this to the supervisors when they are freaked out that "Bob" or "Marsha" tried to go to 30 or 40 sexually explicit web pages.

    AND - If the user just opens MSN, etc. and leaves it open, Sophos just keeps logging the "attempts".
    We suggest that people not make their homepage something with all the skeevy links, but they are resistant.

    This makes our job harder because we spend a lot of time waiting for the Central console to process the "Web Control" filter request.
    And it has to be adding to some kind of load on internet saturation, system process usage, etc., if Sophos is reporting 23156411 blocked items every day.

     

  • Edit here - You can filter them, but it is still wasting resources logging them and our time to perform the filtering.

     

  • (Posted before I was finished)

    You can filter out the sites that have active infections vs. the policy blocks.

    But within the policy block it still does not differentiate between passive and active blocks.
