exception to web control ?

Hello abacus,

is it Web Control which is apparently blocking the streams or Web Protection (Intelligence)? Web intelligence service blocks this is a rather technical description -  how did you find out or is it just a guess?

As you mention Web Control I assume this is a managed environment and you should discuss this with your site's Sophos administrator.

Christian

Hello Christian,

concerned are the laptops of a project for children, used in variable networks. Most media streams of web pages can be received only,

1. if "Sophos Web Intelligence Service" is turned off

2. or if each streaming address was individually added to the list of exceptions in Sophos "Endpoint Security and Control" - Configure - Antivirus - Authorize - Web sites (wording translated from my German edition).

Both solutions were systematically tested with 10 radio stations (in FF18, IE8, Chrome24, Opera12).

Finding out each single streaming address is by far too inconvenient, especially since most streaming portals use to disguise them. Instead, it is required to make a generic exception for all streaming addresses.

Where in the local Sophos client can 1 exception for all streaming media be made?

Hello abacus,

Web Protection blocks (probably) malicious sites and content, not certain services or protocols. What's the reason it gives for blocking - or does it just not work? If so, it could be an issue with the LSP.

Christian

Sure, I do know what purpose web protection is meant for. Unfortunately, with SWIS running, connecting to most streaming stations fails. The web portal returns "connection error".

But with SWIS stopped, and page reloaded, connections of all of them do succeed 10 sec later.

What malicious threats may be identified in targetted addresses like the icecast stream mentioned above?

Hello abacus,

doesn't look like a correct blocking - you should some recognizable message from Sophos (and an according log entry and SEC event). If you enter the URL directly - does this fail without a useful alert/message as well, or do you get an informational page? Could be a lot of things like a JavaScript partially failing due due an interaction with the LSP/SWIS. 

Again, you should contact Support - they can take a closer look and/or try to reproduce this behaviour and pass it on for investigation.

Christian

If I enter the stream address directly into the address bar of the browser (to circumvent the redirection by the radio portal), a new tab with a player plugin will open ... but never gets the stream. No error notification.

This is tested to happen on machines with entirely different histories, 4 of them XP-SP3, one of them Windows7-SP1. However, all of them are occasionally in the same network - are they compromised? Unexplained: It does not happen on 2 machines with Vista-SP2.

As a workaround, I will give all of them the entries of authorized web sites. Where is the list saved, so that I might distribute one file?  EDIT: found it in machine.xml.

Thanks for dealing with my case!.

Hello abacus,

indeed it looks like an issue in conjunction with Web Protection - in particular with download scanning. If it is on (explicitly or through on-access) the streaming is stuck. Should be easy to recreate by Support/Development. Thus please contact them (even as you know of a workaround) - it don't think this works as it should and needs to be fixed.

You can't save the settings on one machine and transfer them to the others. Normally you'd apply an appropriate AV policy from the console. If the machines "call in" only occasionally but update from your site you can configure the CID with the SAV policy. Nevertheless this is just a workaround as you'd have to name all the exceptions (or turn off download scanning - which I wouldn't recommend). OTOH download scanning is available for Windows only, so turning it off would not leave the machines completely unprotected - but in the long run it is an unnecessary additional risk. So, please contact Support.

Christian