Sophos Central: Web Control Frequently Asked Questions

Modified on Mon, 23 Jul, 2018 at 3:27 AM

Overview

This article provides a list of frequently asked questions regarding Web control in Sophos Central.


Applies to the following Sophos products and versions
Central Endpoint Advanced 11.5.11
Central Endpoint Standard 11.5.11
Sophos Central Managed Server 1.5.6
Sophos Endpoint Security and Control 10.8.2
UTM Managed Endpoint (Windows 2000+)

How does Web control relate to or differ from Web protection

The following points differentiate the two features:

  • The Web protection feature is part of Sophos Anti-Virus and is included with all Sophos Central licenses that include this product. This feature is designed to prevent threats from reaching the web browser.
  • Web control is an additional feature available in the following licenses:     
    • Sophos Central Endpoint Protection Advanced.
    • Sophos Central Enduser Protection.
    • Sophos Central Server Advanced Protection.
      Note: Web Control is a feature of the Sophos Central Server Advanced license. A User license is also required for each individual that you allow to access the internet from the server, for example using Remote Desktop/Terminal Services. This is in line with Sophos' EULA, which defines a User as an employee, consultant or other individual who benefits from the Product. For more information on the functionality included in each license, see the feature table in the Sophos Central How to buy page.
  • Web control is focused on giving the administrator control over web browsing with specific differences between User Policies and Server Policies:     
    1. User Policies         
      • Block by category of the site
      • Block particular file types or specific websites
      • Prevent access to sites that increase the risk to the organization.
      • Help improve productivity and potentially limit bandwidth.
      • Policies for Web control can also be configured to apply to users only at certain times of the day if required.
      • Applies to the logged on User
    2. Server Policies         
      • Provides control of potentially inappropriate websites for acceptable use by site category.
      • Applies to any account that accesses the internet from the server.
  • Web protection prevents web-based threats from reaching the browser in two ways:     
    1. It blocks access to websites that SophosLabs deems malicious. This is achieved by the endpoint performing a real-time lookup against the Sophos server infrastructure to classify the sites.
       Note:
      • The following SophosLabs page provides a way to request a reassessment of a web page if you feel a page has been wrongly classified.
      • The malware test page provided by SophosLabs at http://sophostest.com/ can be used to check that this functionality is operational.
    2. Web control and Web protection use the same methods to intercept traffic as seen by the browser and provide feedback to the user. For example, on a Windows computer the hook used to intercept web traffic is a Layered Service Provider (LSP) on Windows XP/2003/2008/2008 R2/Vista and Windows 7, and a Windows Filtering Platform (WFP) driver on Windows 8/8.1 and Windows 2012/2012 R2.
      Note: Web control is not available on Windows Server 2003.

How to check if the Web Control is working

The test that needs to be performed depends on the policy that is configured in Sophos Central. This answer describes the most common way to test that Web Control is working.

SophosLabs provides the webpage http://sophostest.com/ to test category classification.

In addition to checking the Events report in Sophos Central for Web control events, logs and behavior on the endpoint can be checked for evidence that Web control is operational:

  • Mac
    The Sophos Anti-Virus.log file (/Library/Logs/Sophos Anti-Virus.log) can be checked. For example, when a block action is taken against facebook.com, the following line can be found in the log file:

    com.sophos.webintelligence: [Date] [Time] Policy action 'block' on 'https://www.facebook.com'

    Note: There is no visible indication provided for HTTPS page interceptions. The browser will display messages such as: Safari Can't Open the Page or This webpage is not available.

    Example screenshots can be seen here:

  • Windows
    Either a notification popup will be displayed (for HTTPS traffic) or the browser will display a page detailing the content that has been blocked or warned.
  • Mobile
    Sophos Central provides only a Mobile Device Management (MDM) product at this time. There is no Web Control on iOS or Android at this time.
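
One way to review the Mac log for Web control activity, as an added example that is not part of the original article: it matches the line format quoted above and counts policy actions per host. The function name, the timestamps and every sample line except the facebook.com URL are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches the line format quoted above. The date and time fields are skipped
# because the article shows them only as [Date] [Time].
POLICY_RE = re.compile(
    r"com\.sophos\.webintelligence:.*?"
    r"Policy action '(?P<action>[^']+)' on '(?P<url>[^']+)'"
)

def summarize_policy_actions(lines):
    """Count (action, host) pairs found in Web control policy lines."""
    counts = Counter()
    for line in lines:
        match = POLICY_RE.search(line)
        if not match:
            continue  # unrelated log entry
        url = match.group("url")
        host = urlsplit(url).hostname or url
        counts[(match.group("action"), host)] += 1
    return counts

# Constructed sample lines; timestamps and the non-Sophos entry are made up.
SAMPLE_LOG = [
    "com.sophos.webintelligence: 2018-07-23 10:15:02 Policy action 'block' on 'https://www.facebook.com'",
    "com.sophos.webintelligence: 2018-07-23 10:15:09 Policy action 'block' on 'https://www.facebook.com'",
    "com.example.other: 2018-07-23 10:20:00 unrelated entry",
    "com.sophos.webintelligence: 2018-07-23 10:31:44 Policy action 'block' on "
    "'http://uk.video.search.yahoo.com/search/video?p=Sophos'",
]

if __name__ == "__main__":
    for (action, host), n in summarize_policy_actions(SAMPLE_LOG).items():
        print(f"{action:6} {host:30} {n}")
```

To run it against a real endpoint, pass the open file object for /Library/Logs/Sophos Anti-Virus.log instead of SAMPLE_LOG.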

How to check if the client has the latest policy from Sophos Central

For more information on what to check, see Understanding and troubleshooting policy compliance of devices managed by Sophos Central.

How to prevent the balloon messages being displayed to users

On Windows, blocked resources obtained using HTTPS will display a popup message. These balloon or Toast messages can be suppressed if required by following the article 'Website blocked' popups are constantly appearing on web pages.

How to enable verbose logging on the endpoint

It is possible to obtain trace logging for both the Web protection and the Web control components on the endpoint. Please contact Sophos Support quoting How to enable Sophos Web Intelligence (Web Protection feature) and Web Control logging, and they will guide you on the appropriate level of logging.

Why are file types such as a .pdf, flash and executable files blocked for the users

This may be correct based on the Web control policy configured for the user. The following steps should be followed to determine the correct behavior.

  1. Login to Sophos Central Admin. For more information see Sophos Central: How to access.
  2. Navigate to Policies.
  3. If there are multiple policies and the customer doesn't know which policy applies, it is recommended to search for the user by name.
  4. Once the policy has been identified, click Web Control.
  5. Check the File Type Access section and then which Risky file downloads options are selected.
  6. Adjust the settings of the policy as required.

Does Web control work on iOS, Android devices or Linux servers

Not at this time. Web control is only available on Windows and Mac.

Why are some files blocked based on the Additional security options settings and others are allowed

Under the Additional security options of the web control policy, it is possible to control access to individual file types. For example, the customer can block executable files. These checks are also subject to SXL lookups to see if they are from a trusted source. For example, an executable file from Microsoft or Apple is not subject to the same checks as that from an unknown source.

Note: The security options on risky file types, which are one of the functions of Web control, currently do not work on HTTPS websites. Alternatively, you can block the root domain of the website or the website's category from where the file is being downloaded.

How to exempt a website

One way to exempt a website is to use tags. For example, if the customer wanted to allow the site uk.video.search.yahoo.com, which was previously blocked, the customer could do as follows:

  1. Navigate to Global Settings then select Website Management.
  2. Click Add.
  3. Enter the address: uk.video.search.yahoo.com.
  4. Create a new tag called Allow for example.
  5. Click Save.
  6. The Website Management page should reflect the new entry.
  7. In the Web control policy linked to the users for whom the customer wishes to allow the site, under the section Control sites tagged in Website Management, the customer can add the Allow tag and choose to Allow it.
  8. After saving the updated policy, within about 30 seconds the computer should now allow the site specified when it was previously blocked.

Note: It is also possible to override the category of a site in a similar way using the Website Management page.

Why is the exemption setup not behaving as expected

There are a few reasons which may explain why a site doesn't behave as expected.

Note: See the question How to check if the client has the latest policy from Sophos Central to check the client has the updated policy if in any doubt.

  • If the customer is attempting to warn on a website, this will not work on a site if accessed over HTTPS. The page will be displayed. The warn page cannot be injected into the returned page when viewed over HTTPS.
  • If the customer is trying to block a specific URL using the website customization list, for example: http://uk.video.search.yahoo.com/search/video?p=Sophos.
    This is case-sensitive, so the URL:
    http://uk.video.search.yahoo.com/search/video?p=sophos would be allowed due to the lowercase 's' in Sophos.
  • If the customer is trying to block the URL: uk.video.search.yahoo.com/search/video?p=sophos when accessed over HTTPS, this will fail as only the server name can be seen, as part of the Server Name Indication (SNI) extension passed in the SSL handshake.

In this example, the customer could block: uk.video.search.yahoo.com over HTTPS as this is the server name passed by the browser in the SNI attribute of the request. The following screenshot shows how the server name is passed in the request when viewing the connection in Wireshark.

Note: Server Name Indication (SNI) is not supported by all browsers. For more information see Server Name Indication.

Why can the customer no longer access his IP webcam using his browser

As a first test, try adding the IP address of the webcam to the malware scanning exclusions in Sophos Central for the policy applied to the computer. The IP or IPs can be added as a Website type exclusion.

Note: This is not a Web control customization but a Web protection exclusion as found under the malware section of the policy.

Once the computer has received the policy and the exclusion is in place, try again to access the webcam using the web browser.

