
Web browsing random delays; Chrome, IE, Firefox

Since 11/12 we are having random Web Browsing delays with Chrome, IE and Firefox.  The delay is 1-10 seconds and the cursor or page is just frozen, not the mouse.  It happens on some computers every 5 minutes.  

We have found a fix that worked on a few of them.  It was to reset the winsock and tcp/ip stack.

i.e. netsh int ip reset reset.log

Anyone else seeing this issue?  We are wondering if it is Sophos because we see the LSP in the stacks before the reset but not after.  We have Web Protection disabled in policy but we do use the Web Appliances.

Thanks,

Jason

:54887


  • Hi,

    Resetting Winsock is one way to remove the Sophos LSP and any other LSPs that are installed. I wouldn't recommend that unless Winsock has been corrupted.  

    Removing the LSP will render the following features useless as the LSP provides the hook used to access the traffic:

    - Web Control

    - Download scanning

    - Ability to block malicious websites

    These are the current 3 features that rely on an LSP on XP/2003/Vista/Windows7/2008.  Windows 8/2012 use a WFP callout driver, more info here: http://msdn.microsoft.com/en-gb/library/windows/hardware/ff571068%28v=vs.85%29.aspx

    If you disable, via policy, WebC, Download Scanning and malicious websites, then the next time the computer restarts the LSP will be unloaded.  In effect, the next time the 'Sophos Web Intelligence Update' service starts this happens.  It is done in this way to minimise applications having a problem if it's removed at startup.

    I doubt the "download" scanning feature is the cause for the delays you mention; that scanning is performed at the client.

    Web Control and blocking of malicious websites both require a lookup to the Sophos SXL servers to make a classification.  You could disable this independently to see which one is the problem; if you don't have Web Control enabled though, it must be block malicious websites.

    This lookup is currently an HTTP request.  So it would be interesting to see the latency this lookup is adding as it should be minimal depending on where the computer is.  Is it in the US?

    Out of interest, if you set:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Web Intelligence\WebControlAvailable DWORD to 0, this will cause the web intelligence service to perform DNS lookups rather than HTTP, that might be an interesting test.

    Also, what version of SAV are you using, as later versions use parallel HTTP lookups rather than sequential ones?

    Regards,

    Jak

    :54888
  • Thanks Jak,

    Yes we are in the US.  We use Recommended so current is 10.3.11 VE3.53.0.

    In our policies we disable all Web Protection and Web Control is pointed to our Appliance.

    Jason

    :54899
  • Some of our clients are missing the Sophos Web Intelligence Service. Is this normal?  They have the same Web protection & control policies as other computers...  What would cause this server to be removed?

    Jason

    :54917
  • Hi Jason,

    Missing services sounds like a concern and it sounds like an upgrade failed.

    TBH, as a fix to that issue and also as a test, I would

    1. Create a new subscription selecting "Preview".

    2. Let SUM create a CID.

    3. Create a new Test group in SEC

    4. Move a couple of computers which have had the problem and/or are missing the service to the test group.  I hope you're not using ADSync.

    5. Through policy, by creating a new updating policy and linking it to the test group the computers should update.

    I would expect, the computers to gain back the service and then also have the parallel lookups.

    Regards,

    Jak

    :54919
  • Jak,

    I have found that reinstalling over an existing install is working as well.  I am quite concerned this happened in the first place but your test would be very interesting.  Yes, we heavily rely on ADSync but I break them when we migrate (10.2 > 10.3) versions so we can stagger the bandwidth.

    Do you use Preview in your Production environment regularly?

    Thanks,

    Jason

    :54933
  • Having very similar issues here.  Running endpoint Recommended 10.3.11 and have our remote workforce utilizing Web Control on endpoint configured to talk to our WCF management appliance.

    What clued me in was that I didn't have any site hits logged from a remote endpoint.  Then checking the Connected endpoints listing on the appliance and noting that we had a ton of disconnected endpoints from 11/11.  I have access to a couple of them and know they are active and online.  Reviewing them with support highlighted the lack of an installed Web Intelligence Service.

    I have been back and forth with Support over the last week in regards to the issue and have been told that there was a known issue bug in 10.3.11 when doing an automatic upgrade.  The next Recommended release is supposed to contain a fix (a few weeks out).  Support's resolution is to downgrade to 10.3.7 until the next version is released to Recommended.

    The Preview version may have the fix but I don't normally roll that to Production.  The group that it was escalated to didn't have any further info for Support on what variables caused some workstations to upgrade successfully, and others not to :(

    HTH

    :54996
  • It is only affecting about 300 of our clients.  Out of 13,500.  We are helping users uninstall and then reinstall.

    Good to hear there is a known issue.  I haven't heard back from support since Friday.

    Jason

    :55012
  • Support got back to me this morning with a suggested fix as opposed to downgrading.

    I have tested this on a few of the workstations that weren't checking in since 11/11 and it worked beautifully. The Web Intelligence Service was actually there, but not registered as a service. Running the command below registered and started the service. A few seconds later, and the workstation was again listed as an active and connected endpoint in the WCF appliance.

     "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" /registerService

    The endpoint Web Control components located in C:\ProgramData\Sophos\Web Control\Activity and C:\ProgramData\Sophos\Web Control\Policy have current dates and times on files within so it appears that this has corrected the issue.

    Definitely easier to have this packaged up into a script to be deployed, run as part of a login script, whatever makes sense in your environment.

    :55025
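
The "packaged up into a script" idea from the post above, as an added PowerShell example (not code from the posters or from Sophos). It registers the service only when it is missing and also reports whether a Sophos LSP is still in the Winsock catalog, which the earlier reply says Web Control, download scanning and malicious-site blocking depend on before Windows 8. Assumptions: the service display name is exactly as written in the thread, a 32-bit host uses the same relative path under Program Files, and the LSP's catalog entry contains the string "Sophos".

```powershell
#Requires -RunAsAdministrator
# Added example; assumptions are marked inline.

# Assumption: display name exactly as the thread writes it.
$displayName = 'Sophos Web Intelligence Service'

# Path quoted in the thread (64-bit Windows). Assumption: 32-bit Windows
# uses the same relative path under Program Files.
$root = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$exe  = Join-Path $root 'Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe'

function Test-SophosLsp {
    # Assumption: the Sophos LSP entry mentions "Sophos" in its description
    # or provider path. Expected to be False on Windows 8/2012, which the
    # thread says use a WFP callout driver instead of an LSP.
    $catalog = & netsh.exe winsock show catalog
    return [bool]($catalog | Select-String -Pattern 'Sophos' -Quiet)
}

$svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
if ($svc) {
    $action = 'already registered'
}
elseif (-not (Test-Path -LiteralPath $exe)) {
    # Nothing to register: this host needs a reinstall, not this script.
    $action = 'binary not found'
}
else {
    & $exe /registerService          # command given by Support in the thread
    Start-Sleep -Seconds 5           # give the service manager time to catch up
    $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
    $action = if ($svc) { 'registered by this run' } else { 'registration failed' }
}

# The thread reports that registration also started the service; start it
# here only if it exists and is still stopped.
if ($svc -and $svc.Status -ne 'Running') { Start-Service -InputObject $svc }
if ($svc) { $svc.Refresh() }

# One object per host so results can be collected centrally.
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Service      = $action
    Status       = if ($svc) { $svc.Status } else { 'absent' }
    LspInCatalog = Test-SophosLsp
}
```

Hosts that report `LspInCatalog = False` on Windows 7 or earlier after a Winsock reset have lost the hook those three features use, even if the service itself is running.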
  • Are you seeing this issue on Windows 8.1 devices as well?  It seems it might be more widespread for us.

    Jason

    :55049