XG web filtering - low detection rate of malicious sites

When comparing the XG appliance web filtering with Sophos Central Endpoint Protection, there is a huge difference in detection/blocking of malicious sites. Endpoint Protection is doing an excellent job but the XG is a disaster, blocking maybe 15-20% of what the Endpoint Protection does. I’ve been trying out malicious URLs for some time now and even when Virustotal shows Sophos has detection the XG probably won’t block the site anyway. It’s obvious that XG does not share the same web filtering as other Sophos products.

Does anyone know if there’s a plan to move the XG platform to better intelligence data or is this what to expect?

  • Hi AndersKindberg,

    Can you show us pictures of the configured Web Filter policy and the firewall rule that is configured to filter the outgoing traffic? Also, make sure that the Anti-Virus and IPS patterns on the XG are up to date. It will give us a clear picture of why the XG is not able to filter the Web traffic. I am sure XG has a potential web filter module once the configurations are in order.

    Thanks

  • Hi Sachingurung,

    Thanks for your reply! The web filter does block according to the rules below but not at all on the same level of satisfaction as your endpoint protection. But hopefully there is some room for improvement in the web filter policy below!

    Best regards, Anders

    [Screenshots attached: Web Filter policy, Firewall Policy, Pattern Updates]

  • Looks good to me. Can you provide me a few examples when the XG is not able to filter it but our Endpoint Protection AV does? If the issue occurs due to incorrect classification of the website category, then please submit the URL reassessment request here: https://community.sophos.com/kb/pl-pl/119440

    Please PM me on how we can improve the Web Protection module to a further extent and I will make sure to put it to the senior management & developers.

    Thanks

  • Hi Sachingurung,

    To clarify my XG experience I’ve put together the following information. My earlier reply was flagged as inappropriate so I’ve removed the included URLs in this one. All URLs have been pulled from a malware forum earlier today and should be reasonably fresh. Sophos Endpoint Protection web filtering blocks all URLs, but XG blocks only one by web filtering. Though many of the downloads, and even one of the phishing sites, are blocked by the XG AV engine, it is obvious that XG does not use the same URL information as the EPP. When running the URLs through XG URL Category Lookup only one of the links is categorized as malicious ("phishing and fraud").

    As the NGFW/UTM should be the first line of defence you would expect it to at least provide the same level of protection as the EPP. And since I have one XG 210 in production these types of tests are performed regularly to have a good understanding of our protection. I like the XG platform with synchronized security but the web filtering and even the AV engine update frequency (Sophos 2-4 updates per day) is not always convincing.

    Since malware and phishing URLs change rapidly I don’t think a reassessment will be quick enough and since you already have the intelligence data it would be better to use that?

    I’ll also send you a PM with more detailed information.

    Thanks!

    Tested URLs (blocked by each control)

    URL   XG Web Filter              XG AV   EPP Web Filter
    1     No                         No      Yes
    2     No                         Yes     Yes
    3     No                         No      Yes
    4     No                         No      Yes
    5     Yes - Phishing and fraud   N/A     Yes
    6     No                         No      Yes
    7     No                         No      Yes
    8     No                         No      Yes
    9     No                         Yes     Yes
    10    No                         No      Yes
    11    No                         Yes     Yes
    12    No                         Yes     Yes
    13    No                         Yes     Yes
    14    No                         Yes     Yes
    15    No                         Yes     Yes
    16    No                         Yes     Yes
    17    No                         Yes     Yes
    18    No                         No      Yes
    19    No                         Yes     Yes
    20    No                         No      Yes
    21    No                         No      Yes
    22    No                         Yes     Yes
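
The coverage comparison the post above makes by hand, as an added example that is not part of the thread: a small Python script that parses result records in a "URL: n" / "Blocked by <control>: Yes|No|N/A" layout and reports blocks per control, the combined XG coverage (web filter or AV engine), and the URLs only the endpoint web filter caught. The three records are a constructed sample in that layout, not the poster's data.

```python
import re

# Constructed sample in a "URL: n" / "Blocked by <control>: verdict" layout,
# one block per tested URL (three records only, not the poster's data).
SAMPLE = """\
URL: 1
Blocked by XG Web Filter: No
Blocked by XG AV: No
Blocked by EPP Web Filter: Yes
URL: 2
Blocked by XG Web Filter: No
Blocked by XG AV: Yes
Blocked by EPP Web Filter: Yes
URL: 5
Blocked by XG Web Filter: Yes - Phishing and fraud
Blocked by XG AV: N/A
Blocked by EPP Web Filter: Yes
"""

CONTROLS = ("XG Web Filter", "XG AV", "EPP Web Filter")

def parse_results(text):
    """Map each URL label to {control: verdict}; verdict is True, False or None (N/A)."""
    records, current = {}, None
    for line in text.splitlines():
        url = re.match(r"URL:\s*(.+)", line.strip())
        if url:
            current = url.group(1)
            records[current] = {}
            continue
        hit = re.match(r"Blocked by (.+?):\s*(\S+)", line.strip())
        if hit and current is not None:
            # "Yes - Phishing and fraud" is a block; "N/A" means the control did not run.
            verdict = hit.group(2)
            records[current][hit.group(1)] = None if verdict == "N/A" else verdict == "Yes"
    return records

def coverage(records):
    """Blocks per control, combined XG coverage (web filter OR AV), and EPP-only gaps."""
    counts = {c: sum(bool(r.get(c)) for r in records.values()) for c in CONTROLS}
    xg_any = sum(bool(r.get("XG Web Filter") or r.get("XG AV")) for r in records.values())
    epp_only = [u for u, r in records.items()
                if r.get("EPP Web Filter") and not (r.get("XG Web Filter") or r.get("XG AV"))]
    return {"total": len(records), "counts": counts, "xg_combined": xg_any, "epp_only": epp_only}

if __name__ == "__main__":
    s = coverage(parse_results(SAMPLE))
    print(s["counts"], "| XG combined:", s["xg_combined"], "| EPP only:", s["epp_only"])
```

The "epp_only" list is the gap worth tracking over time: URLs that reach the endpoint without any gateway control having stopped them.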

  • This is a known issue that will be fixed in v17. We will be adding an additional data source focused on malicious content, after which XG should block everything Endpoint does for malware.

  • Hi Micheal,

    Thanks for the information, looking forward to v17 then!

    Anders