
swi_service.exe http traffic

Hello,

I have just rolled out Sophos across our server farm and have noticed that what I believe is the Live Protection service (swi_service.exe) is contacting external IP addresses on port 80 at various times during the day.

I would like to configure this to use a proxy server if possible but have not been able to work out how.

I have read that there is the utility SavProxy.exe to configure the proxy, which I have run, and the settings appear to be correct. There are no proxy bypasses set and the proxy server name is correctly set to my proxy server. However, HTTP traffic is still sent out.

Any help would be very much appreciated!

Thanks

James 

Running: Sophos Endpoint Security and Control V10.3



  • Hello James,

    AFAIK (haven't found this documented but tests suggest it) the Web Protection swi_service.exe uses the Internet Options proxy settings (and these are what is displayed by SAVProxy.exe). It looks like the service uses the Windows API, as changes to the Internet Options seem to take effect immediately.


    Christian

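    Since the point above is that the service reads the Internet Options proxy through the Windows API, the setting that matters is the one visible to the account the service runs under, not the one shown in the logged-on administrator's Internet Explorer. The following is an added check, not code from this thread or from Sophos. It assumes swi_service.exe runs as LocalSystem, whose per-user Internet Settings live under HKEY_USERS\S-1-5-18, and compares that hive with HKCU and with the machine-wide WinHTTP proxy (which some Windows services use instead of Internet Options). It is read-only.

    ```powershell
    # Added example (not from the thread or from Sophos): compare the Internet Options
    # proxy visible to the logged-on user with the one visible to the SYSTEM account.
    # Assumption: swi_service.exe runs as LocalSystem and therefore reads HKU\S-1-5-18, not HKCU.

    $relPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    function Get-InternetOptionsProxy {
        param(
            [Parameter(Mandatory)] [string] $Label,
            [Parameter(Mandatory)] [string] $KeyPath   # registry path in PowerShell provider syntax
        )
        if (-not (Test-Path -Path $KeyPath)) {
            return [pscustomobject]@{
                Account = $Label; Present = $false
                ProxyEnable = $null; ProxyServer = $null; ProxyOverride = $null
            }
        }
        $k = Get-ItemProperty -Path $KeyPath
        [pscustomobject]@{
            Account       = $Label
            Present       = $true
            ProxyEnable   = [bool]$k.ProxyEnable     # 1 = "Use a proxy server" ticked in Internet Options
            ProxyServer   = $k.ProxyServer           # host:port as entered in Internet Options
            ProxyOverride = $k.ProxyOverride         # bypass list; '<local>' means bypass for local addresses
        }
    }

    $results = @(
        Get-InternetOptionsProxy -Label 'Current user (HKCU)'    -KeyPath "HKCU:\$relPath"
        Get-InternetOptionsProxy -Label 'SYSTEM (HKU\S-1-5-18)'  -KeyPath "Registry::HKEY_USERS\S-1-5-18\$relPath"
    )
    $results | Format-Table -AutoSize

    # WinHTTP keeps a separate machine-wide proxy that some services use instead of Internet Options.
    Write-Host "`nWinHTTP machine proxy:"
    netsh winhttp show proxy

    # The mismatch that would explain a service sending HTTP directly while IE shows a proxy.
    $user = $results[0]
    $sys  = $results[1]
    if (-not $sys.Present -or -not $sys.ProxyEnable -or $sys.ProxyServer -ne $user.ProxyServer) {
        Write-Warning 'The SYSTEM account does not see the same Internet Options proxy as the logged-on user; a service running as SYSTEM may connect directly.'
    }
    ```

    Run it in an elevated PowerShell on one of the affected servers. If the SYSTEM row shows ProxyEnable false or an empty ProxyServer while the HKCU row shows the proxy, that is the configuration gap to close (or to raise with Support), rather than a fault in the service itself.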
  • Thanks Christian for your response. That's very strange then, as the proxy is set in IE and in the SavProxy.

    The IP address stated below pointed to the proxy server:

    C:\Program Files\Sophos\Sophos Anti-Virus>SavProxy.exe
    Name : 1X.XX.XX.XX:80
    Bypass:
    Writing SAV proxy settings...
    Settings written.

    The IP Addresses I am getting logged are:

    54.228.9.222

    54.220.18.215

    54.74.27.64

    All seem to be owned by amazonws.com??

    Microsoft Network Monitor definitely captures the swi_service.exe process initiating the connection?

  • Hello James,

    Amazon is hosting (part of) the Cloud services, so the addresses could be correct. You could check whether http.00.s.sophosxl.net or .com resolves to them.
    Strange, but anyway swi_service only acts if some other process makes an HTTP request. Which one would this be on the servers?

    Christian
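    To act on the two posts above (the proxy reported by SavProxy.exe and the three captured destinations, and the suggestion to see whether the Sophos cloud names resolve to them), here is an added audit script. It is not code from this thread or from Sophos. The capture rows and the proxy address 10.0.0.1:80 are constructed sample data standing in for the masked proxy; the three 54.x destinations are the ones reported in the thread, and the two hostnames are the ones Christian named. The DNS step needs network access and is only a hint, not proof of where the traffic went.

    ```powershell
    # Added example (not from the thread or from Sophos): find connections from a process
    # that reached port 80 without going to the configured proxy, then see whether the
    # destinations match what the Sophos cloud hostnames resolve to.

    $ProxyServer = '10.0.0.1:80'          # constructed placeholder for the real proxy (masked in the thread)
    $ProxyHost, $ProxyPort = $ProxyServer -split ':'

    # Constructed sample capture: one row per connection (time, process, destination, port),
    # the shape you would export from Network Monitor, a firewall log or netstat -b.
    $captureCsv = @'
Time,Process,DestIp,DestPort
09:02:11,swi_service.exe,54.228.9.222,80
09:02:12,swi_service.exe,10.0.0.1,80
10:15:40,swi_service.exe,54.220.18.215,80
11:47:03,SAVAdminService.exe,10.0.0.1,80
13:20:59,swi_service.exe,54.74.27.64,80
'@
    $connections = $captureCsv | ConvertFrom-Csv

    function Get-DirectWebConnections {
        param(
            [Parameter(Mandatory)] [object[]] $Connections,
            [Parameter(Mandatory)] [string]   $ProxyHost,
            [Parameter(Mandatory)] [int]      $ProxyPort,
            [string] $Process = 'swi_service.exe'
        )
        # Anything from the process that is not addressed to the proxy itself bypassed the proxy.
        $Connections | Where-Object {
            $_.Process -ieq $Process -and
            -not ($_.DestIp -eq $ProxyHost -and [int]$_.DestPort -eq $ProxyPort)
        }
    }

    $direct = Get-DirectWebConnections -Connections $connections -ProxyHost $ProxyHost -ProxyPort $ProxyPort
    $direct | Format-Table -AutoSize

    # Do the bypassing destinations belong to the Sophos cloud names mentioned in the thread?
    $sophosNames = 'http.00.s.sophosxl.net', 'http.00.s.sophosxl.com'
    $known = foreach ($n in $sophosNames) {
        try   { [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString } }
        catch { Write-Warning "Could not resolve $n : $($_.Exception.Message)" }
    }
    foreach ($c in $direct) {
        $tag = if ($known -contains $c.DestIp) { 'matches a Sophos cloud name' } else { 'not matched by DNS' }
        '{0} -> {1}:{2} ({3})' -f $c.Process, $c.DestIp, $c.DestPort, $tag
    }
    ```

    With the sample rows, the three 54.x connections from swi_service.exe are listed as direct and the one to 10.0.0.1 is not. Replace the here-string with your own export and the placeholder with the real proxy; the list of direct destinations is what to hand to Support, and it also tells you exactly which hosts an egress firewall rule would otherwise block.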
  • Thanks again for replying Christian,

    I can understand that the swi_service would only be acting on a request made by another application, but I would have thought it still would have followed the proxy settings configured? How can we implement a strict firewall policy rule and enable all of the protection features of Sophos when Sophos contacts its cloud servers directly?

    I think I may have to disable the Sophos Live Protection feature in the Sophos policy for the servers. :smileysad:

    Thanks anyway

    James

  • Hello James,

    "Sophos contacts its cloud servers directly"

    this is not the correct behaviour - it should, in the sense of when working correctly as designed and implemented, use the Internet Options proxy settings. I'm not aware that some application would change the settings for SYSTEM accounts on the fly but who knows - but then you would observe direct connections without Web Protection as well. I'd suggest that you contact Support directly before turning off Web Protection (as said, Live Protection uses HTTP only for submitting samples collected by the AV scanner).

    Christian

  • Ok will do. Thanks again

    James
