
Sophos Endpoint Security and Control - is Web protection safe to disable?

Hi,

I found this in the documentation:

Sophos Web Protection provides enhanced protection against web threats by preventing access to locations that are known to host malware. It blocks endpoints access to such sites by performing a real-time lookup against Sophos's online database of malicious websites.

We had some problems with Sophos Web Protection (swi_ifslsp.dll) that made the Google Chrome browser crash when we worked with our in-house MAM (Media Asset Management) web application.

I'd like to know if it's safe to disable this feature on our endpoints from a security perspective.

Note that this feature works well with Firefox, but for a reason we're still trying to figure out, it isn't the case with Chrome.



  • Hello msavignac,

    [is it] safe to disable this feature

    it wouldn't be here if it had no effect. The rationale is that the risk of encountering an unknown threat (i.e. one that isn't detected by the scanner) is significantly higher for "bad" sites. As far as known threats are concerned there is no additional risk and you are safe; naturally, your exposure depends on the sites your users (have to) visit. Most of Web Protection's work isn't visible (other than in the logs): an ad on a reputable site could eventually redirect to a compromised server delivering content which tries to pull "something" from a malware hosting site, which will get blocked (whether the potential content is actually malicious or not).

    Christian.  

  • Hi QC, thank you for your reply.

    Do you know if it's possible to configure Web Protection or to put exclusions so that it will not scan connections/web content from our own domain (ex: company.com) and subdomains?

    It would be great to leave the feature enabled for internet connections to external websites, but not for our internal servers.

  • Hello msavignac,

    you can authorize sites (Authorization ... in the AV policy). If the crash is caused by the actual content scanning this might help.

    Christian
  • Hi Christian,

    As you can see in the following image, the domain suffixes are already in the Authorization tab of the AV policy:

    Chrome crashes using our internal MAM web application with the exclusion correctly configured and Web Protection configured this way:

    - Block access to malicious websites: Off

    - Download scanning: As on-access.

    - On-access scanning = On Read and Rename + Adware/PUA & Suspicious files | Allow me to control exactly what is scanned.

    If I disable Web Protection completely (set both settings to Off), everything works. As you can see from this Event Viewer entry, it's swi_ifslsp.dll that is causing Chrome to crash. This DLL is related to Sophos Web Protection.

    Log Name:      Application
    Source:        Application Error
    Date:          19/02/2015 12:52:34 PM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      COMPUTERNAME
    Description:
    Faulting application name: chrome.exe, version: 40.0.2214.111, time stamp: 0x54d1cb7f
    Faulting module name: swi_ifslsp.dll_unloaded, version: 0.0.0.0, time stamp: 0x53d6615f
    Exception code: 0xc0000005
    Fault offset: 0x72fcef39
    Faulting process id: 0x12d4
    Faulting application start time: 0x01d04c6cc073dafd
    Faulting application path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Faulting module path: swi_ifslsp.dll
    Report Id: 149c3a0d-b860-11e4-9a0d-a0481c8f3558
    Event Xml:
    <Event xmlns="schemas.microsoft.com/.../event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2015-02-19T17:52:34.000000000Z" />
        <EventRecordID>10358</EventRecordID>
        <Channel>Application</Channel>
        <Computer>COMPUTERNAME</Computer>
        <Security />
      </System>
      <EventData>
        <Data>chrome.exe</Data>
        <Data>40.0.2214.111</Data>
        <Data>54d1cb7f</Data>
        <Data>swi_ifslsp.dll_unloaded</Data>
        <Data>0.0.0.0</Data>
        <Data>53d6615f</Data>
        <Data>c0000005</Data>
        <Data>72fcef39</Data>
        <Data>12d4</Data>
        <Data>01d04c6cc073dafd</Data>
        <Data>C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
        <Data>swi_ifslsp.dll</Data>
        <Data>149c3a0d-b860-11e4-9a0d-a0481c8f3558</Data>
      </EventData>
    </Event>
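Before turning Web Protection off fleet-wide on the strength of one Event Viewer entry, it is worth measuring how many endpoints and which applications actually show crashes attributed to swi_ifslsp.dll. The following PowerShell is an added example, not code from the thread or from Sophos: it pulls Application Error events (Event ID 1000) from the Application log and keeps only those whose faulting module starts with swi_ifslsp.dll, relying on the Event 1000 data-field order visible in the XML above (index 0 = application, 3 = faulting module, 6 = exception code, 7 = fault offset). The computer list, look-back window and module pattern are parameters you are assumed to supply.

```powershell
# Added example (not from the Sophos thread or Sophos documentation):
# tally Application Error (Event ID 1000) crashes whose faulting module is
# the Sophos Web Protection LSP, swi_ifslsp.dll, per computer and application.
# Assumptions: you can read the Application log on each target (locally or
# via -ComputerName with remote event log access), and the Event 1000 data
# fields are in the order shown in the event above (index 3 = faulting module).

param(
    [string[]]$ComputerName  = @($env:COMPUTERNAME),  # hosts to query (assumed)
    [int]$Days               = 30,                    # look-back window (assumed)
    [string]$ModulePattern   = '^swi_ifslsp\.dll'     # also matches "swi_ifslsp.dll_unloaded"
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-$Days)
}

$results = foreach ($computer in $ComputerName) {
    try {
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when no event matches; treat that as zero crashes.
        Write-Verbose ("{0}: {1}" -f $computer, $_.Exception.Message)
        continue
    }

    foreach ($e in $events) {
        $p = $e.Properties
        # Event 1000 field order: 0=app, 1=app version, 2=app timestamp,
        # 3=faulting module, 4=module version, 5=module timestamp,
        # 6=exception code, 7=fault offset, 8=pid, 9=start time,
        # 10=app path, 11=module path, 12=report id
        if ($p.Count -lt 8) { continue }
        if ($p[3].Value -notmatch $ModulePattern) { continue }

        [pscustomobject]@{
            Computer   = $computer
            Time       = $e.TimeCreated
            App        = $p[0].Value
            AppVersion = $p[1].Value
            Module     = $p[3].Value
            Exception  = $p[6].Value
            Offset     = $p[7].Value
        }
    }
}

# Per-crash detail, oldest first
$results | Sort-Object Time | Format-Table -AutoSize

# Blast radius: how many crashes per computer and application
$results | Group-Object Computer, App |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Run it with `-Verbose` to see which hosts returned no matching events. The `_unloaded` suffix in the faulting module name means Windows Error Reporting found the crash address inside a range where swi_ifslsp.dll had already been unloaded, so the fault offset is relative to a module that is no longer mapped; that is why the pattern anchors on the file name rather than requiring an exact match. If the grouped output shows only chrome.exe crashing, and only on hosts using the MAM application, the scope of any temporary Web Protection exception can be limited to those hosts rather than the whole estate.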
  • Hello msavignac,

    did you also test with just Download scanning set to Off?

    You've probably read How do I authorize a website ..., which suggests adding the IP in addition to the name, but if none of the steps help you'd have to turn it off for the time being. Nevertheless, you should contact Support.

    Christian

  • Hi Christian,

    Thank you for your replies. If both Web Protection settings are Off (Block access to malicious websites AND Download scanning), we don't have any problem.

    I'll try adding the IP addresses of our web application (in addition to the domain suffixes). I'll keep you informed.
