sophostest.com - unable to test due to Sophos Scan exclusion recommendations

Try http://sophostest.com

Why? there are http and https rules towards to the Sophos / Central servers.

https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/DomainsPorts.html

Ports

You must add the following ports.

• 80 (HTTP)
• 443 (HTTPS)

and really, this sucks: *.cloudfront.net, amazonaws.com

He wants to use the Sophos Test website to test web filtering or AV, but can't because the recommended exclusions by Sophos also excludes sophostest.com

thanks :-)

The easiest fix is to create another Rule on top of the recommended exclusions with a FQDN of sophostest.com with all filtering and AV enabled; Well, It should work.

Edit: Why is there a wildcard for cloudfront, lmao.

I thought of that, but I think it will have bad impact on Central / Intercept-X communication.

In the logs I can see that a lot of computers are communicating with the IPs belonging to sophostest.com

Then open a support case.

But I don't think anything will change.

Where do you use sophostest.com as a recommend exclusion? Because basically you should not exclude this. And my tests always block this website. 

sophostest.com is not in the exclusion list.

But in some FQDN of the recommended exclusion is also including the IPv4 of sophostest.com

LuCar Toni said:

Where do you use sophostest.com as a recommend exclusion?

nowhere. Browsing to this side goes into the firewall rule belonging to the Sophos Central Exceptions.

btw: seems to run on some AWS site:

sophostest.com is external hosted to do not have any relation to Sophos. If you know a recommended read or anything, which recommend to exlcude this, then feel free to report this to get this removed. 

Then again: Why do you have a firewall rule including sophostest.com? 

I'm not including this site. Prism catched my point.

This rule matches only because the same IPv4 is used by sophostest.com and some other sophos stuff.

one example:

"

during my tests the site had the IP

I'm not including this site. Prism catched my point.

This rule matches only because the same IPv4 is used by sophostest.com and some other sophos stuff.

one example:

"

during my tests the site had the IP

Do you have a output of the logviewer using this 13. IP? Because sophostest.com should not use a sophos known address. 

Firewall
    
2021-08-06 14:33:50
    
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="181" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="myname@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.222" in_display_interface="lag0.222" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="00:50:56:85:00:2E" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="50446" dst_port="443" packets_sent="75" packets_received="192" bytes_sent="5013" bytes_received="247475" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="782242816" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
Firewall
    
2021-08-06 14:30:59
    
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="11" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="myname@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.222" in_display_interface="lag0.222" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="00:50:56:85:00:2E" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="50443" dst_port="443" packets_sent="64" packets_received="184" bytes_sent="4247" bytes_received="246441" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1143560768" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
Firewall
    
2021-08-06 14:30:58
    
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="11" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="myname@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.222" in_display_interface="lag0.222" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="00:50:56:85:00:2E" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="50440" dst_port="443" packets_sent="18" packets_received="18" bytes_sent="2283" bytes_received="7763" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1165648512" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
Firewall
    
2021-08-06 14:30:58
    
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="11" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="myname@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.222" in_display_interface="lag0.222" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="00:50:56:85:00:2E" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="50437" dst_port="443" packets_sent="7" packets_received="7" bytes_sent="809" bytes_received="5819" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="3963242688" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
Firewall
    
2021-08-06 14:30:53
    
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="10" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="myname@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.222" in_display_interface="lag0.222" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="00:50:56:85:00:2E" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="50432" dst_port="443" packets_sent="4" packets_received="2" bytes_sent="172" bytes_received="92" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="2024355136" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
Firewall
    
2021-08-06 14:10:42
    
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="17" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="othername@ourdomain.name" user_group="ccc.ccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="ccc.ccccc" in_display_interface="yyy-yyy" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="A0:66:10:09:A0:08" dst_mac="00:98:7A:5A:5D:86" src_ip="xxx.xxx.xxx.yyy" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="51019" dst_port="443" packets_sent="20" packets_received="65" bytes_sent="3117" bytes_received="70470" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1150146496" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
Firewall
    
2021-08-06 13:48:43
    
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="252" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="othername@ourdomain.name" user_group="ccc-ccc-cccc" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.7" in_display_interface="lag0.7" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="A0:66:10:05:D0:FB" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.yyy" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="64306" dst_port="443" packets_sent="40" packets_received="230" bytes_sent="3034" bytes_received="309336" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1167646720" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
Firewall
    
2021-08-06 13:21:15
    
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="11" fw_rule_id="98" nat_rule_id="6" policy_type="1" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.2" in_display_interface="ccc-ccc" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="54:BF:64:35:9E:2C" dst_mac="C8:4F:86:FC:00:0D" src_ip="xxx.xxx.xxx.yyy" src_country="R1" dst_ip="13.225.87.17" dst_country="USA" protocol="TCP" src_port="49758" dst_port="443" packets_sent="23" packets_received="19" bytes_sent="10032" bytes_received="7287" src_trans_ip="xxx.xxx.xxx.ddd" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop"

rule 98: Sophos Central

*.cloudfront.net

see below:*.sophos.com

• *.sophosupd.com
• *.sophosupd.net
• *.sophosxl.net
• ocsp.globalsign.com
• ocsp2.globalsign.com
• crl.globalsign.com
• crl.globalsign.net
• ocsp.digicert.com
• crl3.digicert.com
• crl4.digicert.com
• tf-edr-message-upload-eu-central-1-prod-bucket.s3.amazonaws.
• tf-edr-message-upload-eu-west-1-prod-bucket.s3.amazonaws.com
• tf-edr-message-upload-us-east-2-prod-bucket.s3.amazonaws.com
• tf-edr-message-upload-us-west-2-prod-bucket.s3.amazonaws.com
• kinesis.us-west-2.amazonaws.com
• prod.endpointintel.darkbytes.io
• mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
• mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
• mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
• mcs2-cloudstation-us-west-2.prod

Still not clear to me. 

We have four IPs behind sophostest.com.

Domain Name # sophostest.com
Resolved Address 1# 65.9.73.24
Resolved Address 2# 65.9.73.79
Resolved Address 3# 65.9.73.56
Resolved Address 4# 65.9.73.114

You think, this IP is behind one of those DNS Records? 

may I send you an XML of that rule and you test it again?

You can share it here. I am not seeing any relationship of the sophostest.com to those hosts, you mentioned here or are reflected in the KB. 

that's a lot of work to get the xml version I see now, need all Objects and also NAT rule. will not get it done today.

But why don#t you see the relation?

Yes. And what is the relationship to sophostest.com which is not related to *.sophos.com. There is a wildcard and a dot, separating everything infront of .sophos.com. sophostest.com is a own domain with other IP addresses. You showing a 13. IP, how does this IP correlate to those IPs related to sophostest.com?