Sophos Endpoint Security and Control - is Web protection safe to disable?

Hi,

I found this in the documentation:

Sophos Web Protection provides enhanced protection against web threats by preventing access to locations that are known to host malware. It blocks endpoints access to such sites by performing a real-time lookup against Sophos's online database of malicious websites.

We had some problems with Sophos Web Protection (swi_ifslsp.dll) that made Google Chrome browser crash when we worked with our in-house MAM (Media Asset Management) web application.

I'd like to know if it's safe to disable this feature on our endpoints from a security perspective.

Note that this feature works well with Firefox, but for a reason we're still trying to figure out, it's not the case with Chrome.


This thread was automatically locked due to age.
  • Hi Christian,

    As you can see with the following image, the domain suffixes are already in the Authorization tab of the AV policy:

    Chrome crashes using our internal MAM web application with the exclusion well configured and Web Protection configured this way:

    - Block access to malicious websites: Off

    - Download scanning: As on-access.

    - On access scanning = on Read and Rename + Adware/PUA & Suspicious files | Allow me to control exactly what is scanned.

    If I disable Web protection (put both settings to off) completely, everything works. As you can see with this event viewer entry, it's the swi_ifslsp.dll that is causing Chrome to crash. This dll is related to Sophos Web Protection.

    Log Name:      Application
    Source:        Application Error
    Date:          19/02/2015 12:52:34 PM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      COMPUTERNAME
    Description:
    Faulting application name: chrome.exe, version: 40.0.2214.111, time stamp: 0x54d1cb7f
    Faulting module name: swi_ifslsp.dll_unloaded, version: 0.0.0.0, time stamp: 0x53d6615f
    Exception code: 0xc0000005
    Fault offset: 0x72fcef39
    Faulting process id: 0x12d4
    Faulting application start time: 0x01d04c6cc073dafd
    Faulting application path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Faulting module path: swi_ifslsp.dll
    Report Id: 149c3a0d-b860-11e4-9a0d-a0481c8f3558
    Event Xml:
    <Event xmlns="schemas.microsoft.com/.../event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2015-02-19T17:52:34.000000000Z" />
        <EventRecordID>10358</EventRecordID>
        <Channel>Application</Channel>
        <Computer>COMPUTERNAME</Computer>
        <Security />
      </System>
      <EventData>
        <Data>chrome.exe</Data>
        <Data>40.0.2214.111</Data>
        <Data>54d1cb7f</Data>
        <Data>swi_ifslsp.dll_unloaded</Data>
        <Data>0.0.0.0</Data>
        <Data>53d6615f</Data>
        <Data>c0000005</Data>
        <Data>72fcef39</Data>
        <Data>12d4</Data>
        <Data>01d04c6cc073dafd</Data>
        <Data>C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
        <Data>swi_ifslsp.dll</Data>
        <Data>149c3a0d-b860-11e4-9a0d-a0481c8f3558</Data>
      </EventData>
    </Event>
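Added example, not part of the original posts: before deciding whether to turn Web Protection off, exported Application Error (Event ID 1000) records like the one above can be parsed to see which applications actually crash in `swi_ifslsp.dll`. The function names are hypothetical and the sample events are constructed (the first reuses the values from the post, the second is invented); it assumes the positional `<Data>` order shown in the post's Event Xml.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timedelta, timezone

# Positional order of <Data> in Application Error event 1000, as in the post's Event Xml.
FIELDS = ("app", "app_version", "app_timestamp", "module", "module_version",
          "module_timestamp", "exception_code", "fault_offset", "pid",
          "app_start", "app_path", "module_path", "report_id")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop "{namespace}" if the export carries an xmlns

def parse_crash(event_xml):
    """Return a dict for an Event ID 1000 record, or None for anything else."""
    root = ET.fromstring(event_xml)
    event_id = next((e.text for e in root.iter() if _local(e.tag) == "EventID"), None)
    data = [e.text or "" for e in root.iter() if _local(e.tag) == "Data"]
    if event_id != "1000" or len(data) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, data))
    module = rec["module"].lower()
    rec["unloaded"] = module.endswith("_unloaded")  # suffix seen in the post's event
    rec["module"] = module[:-len("_unloaded")] if rec["unloaded"] else module
    rec["access_violation"] = int(rec["exception_code"], 16) == 0xC0000005
    rec["pid"] = int(rec["pid"], 16)
    # app_start is a FILETIME: 100 ns ticks since 1601-01-01 UTC
    rec["app_start"] = FILETIME_EPOCH + timedelta(microseconds=int(rec["app_start"], 16) // 10)
    return rec

def apps_crashing_in(events, module):
    """Count crashes per application where the faulting module matches."""
    recs = filter(None, map(parse_crash, events))
    return Counter(r["app"].lower() for r in recs if r["module"] == module.lower())

def make_event(event_id, data):  # builds constructed sample records
    body = "".join(f"<Data>{d}</Data>" for d in data)
    return f"<Event><System><EventID>{event_id}</EventID></System><EventData>{body}</EventData></Event>"

# Constructed samples: the first reuses the values from the post, the second is invented.
POST_EVENT = make_event(1000, ["chrome.exe", "40.0.2214.111", "54d1cb7f",
    "swi_ifslsp.dll_unloaded", "0.0.0.0", "53d6615f", "c0000005", "72fcef39", "12d4",
    "01d04c6cc073dafd", r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    "swi_ifslsp.dll", "149c3a0d-b860-11e4-9a0d-a0481c8f3558"])
OTHER_EVENT = make_event(1000, ["example.exe", "1.0.0.0", "0", "example.dll", "1.0.0.0",
    "0", "c0000005", "0", "1", "01d04c6cc073dafd", r"C:\example\example.exe",
    r"C:\example\example.dll", "00000000-0000-0000-0000-000000000000"])

if __name__ == "__main__":
    print(apps_crashing_in([POST_EVENT, OTHER_EVENT], "swi_ifslsp.dll"))
```

Run over events collected from several endpoints, the per-application count shows whether the crashes are confined to one browser, which helps scope an exclusion or a per-group policy change instead of disabling the feature everywhere.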