
Default application configuration bug

Hi folks,

I have been investigating why one of my devices is talking to TOR and Ultrasurf proxies. I have not been able to identify which device from the daily reports.

Now in theory the tunnel and filter bypass applications should be blocked, but they aren't. I created a test filter to see what happens when I tick deny. What is the use of ticking deny when the default changes it back to allow? Please see below for the results.

The application list shows deny, but the filter using the group shows allow; something is very wrong.

Ian

More stuff. If you enable blocking IT services etc, the bypass filter rules do not work. Facebook gets blocked and so does my weather station. Now I have a bypass for facebook.

  • Ian,

    thanks for sharing it. I read on some other thread that blocking TOR also blocks Facebook, so it is something that Sophos is investigating.

    Regarding the allow and deny action, when you create a new Application policy, you clone it from Allow All or Deny All. That is the default action if the previous application rules do not match. So in your case, all the apps are blocked and the rest, not added/specified, are allowed.

    I do not like the way the IPS policy and Application policy work at the moment. I do like the Web Policy, which allows a lot of granularity and is even easier to understand.

    Regards
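A small model of the rule-evaluation semantics described in the reply above (an added illustration, not Sophos code or anything posted in this thread; the application names, categories and rule sets are constructed): the first rule whose category contains the application decides, otherwise the template's default action applies, so a filter cloned from Allow All with a single deny rule still allows every unlisted application. The audit helper is the check an administrator would want: it lists the applications they meant to block that the policy would still allow.

```python
# Added example, not from the thread or from Sophos: a minimal first-match
# model of an application filter. Rules are evaluated in order; the first rule
# whose category contains the app decides; if nothing matches, the template's
# default action (the "Allow All" / "Deny All" clone source) applies.
from dataclasses import dataclass, field

# Constructed sample catalogue of app categories (assumption, not the real one).
CATEGORIES = {
    "Proxy and Tunnel": {"TOR", "Ultrasurf", "Psiphon"},
    "Social Networking": {"Facebook", "Twitter"},
    "Remote Access": {"TeamViewer", "VNC"},
}


@dataclass
class Rule:
    category: str
    action: str  # "allow" or "deny"


@dataclass
class AppFilter:
    template: str  # default action when no rule matches: "allow" or "deny"
    rules: list = field(default_factory=list)

    def decide(self, app: str) -> str:
        """Return the action for one app: first matching rule, else template."""
        for rule in self.rules:
            if app in CATEGORIES.get(rule.category, ()):
                return rule.action
        return self.template


def audit(policy: AppFilter, intended_deny_categories) -> list:
    """Apps in the categories the admin meant to block that are still allowed."""
    leaked = []
    for category in intended_deny_categories:
        for app in CATEGORIES.get(category, ()):
            if policy.decide(app) == "allow":
                leaked.append(app)
    return sorted(leaked)


if __name__ == "__main__":
    # Cloned from "Allow All" and only ticking deny on one category: TOR is
    # denied, but anything outside that category (Facebook, an unlisted weather
    # station) falls through to the template and is allowed.
    allow_all = AppFilter("allow", [Rule("Proxy and Tunnel", "deny")])
    print(allow_all.decide("TOR"), allow_all.decide("Facebook"))
    print(audit(AppFilter("allow", []), ["Proxy and Tunnel"]))
```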

  • Hi Douglas,

    I found TOR in the daily reports.

    I have reworked the application lists so that only bypass tunnels and VPNs were left in that group and moved the other IT stuff into the other IT group.

    So far no more reports on TOR, but I could be very delusional, if you understand what I mean?

    @Luk, no I didn't clone, I built from scratch to see if the deny and allow would change and it didn't.

    Ian

  • Hi Douglas,

    an update. I think I have been chasing a problem with the XG and classification. The XG shows my wife's MAC as using skype and skype xxxx. I went to kill the app and I cannot find any skype running on her mac.

    So the TOR classification could be a wrong classification. Further to that my main XG does not block some ad sites anymore. I have tried restoring to a backup, clearing cache, clearing history, but that didn't work. It is almost as if I have a hidden exception for this particular site ad.doubleclick.net.

    Seems to work correctly on my test build XG.

    Ian

    Further testing. My MacBook Pro, which has not been connected to the main XG for a number of days, does not show the error when connecting to the site that causes the offending ad to appear. Both my Mac mini and my wife's Mac have an issue with the offending ad even after restarts of the XG and the Mac mini.

    Maybe time to shut the XG down to really kill the connections. I have posted about this issue in the past as far as restart not killing connections.

  • rfcat_vk said:

    @Luk, no I didn't clone, I built from scratch to see if the deny and allow would change and it didn't.

    Ian

    Ian,

    in order to create an Application filter, you have to select the template. This is mandatory and the template decides the default behaviour, so I do not understand when you say that deny or allow does not change your application filter behaviour.
    Thanks