Enterprise Console reports error a058000c

  • Article ID: 114350
  • Rating:
  • 26 customers rated this article 1.8 out of 6
  • Updated: 20 Feb 2014

Issue

One or more endpoint computers, with Web Protection, Download Scanning, or Web Control enabled, report the following scanning error in the console:

Web protection is no longer functional. The filtering driver has been bypassed or unloaded [0xa058000c]

This error is also recorded in the SAV.txt log.

First seen in

Sophos Endpoint Security and Control 10.0

Cause 

A periodic background task checks that the Sophos Layered Service provider (LSP) is correctly installed and returns the error if a problem is found.  Commonly the error is generated when our LSP has been removed or is being bypassed.

  • Reasons for the LSP being removed:
    • Administrator explicitly removed it.
    • 3rd party software installation or update removed it.
    • Problem with the operating system.
  • Reasons for the LSP being bypassed (it is visible in the Winsock catalog but is not actually working - see 'Further Troubleshooting' below):
    • Administrator reconfigured the Winsock catalog and this broke our LSP.
    • During the installation or updating of 3rd party software, the Winsock catalog was incorrectly configured by that installer.
    • As a result of the Shh false positive removing the swi_update.exe files.

What To Do

Our LSP has to be reset in the Winsock catalog. You can either:

  • Re-protect the endpoint computer(s), either locally or from the console, and then reboot them.
  • Re-activate our LSP by fully disabling it, rebooting the endpoint, and enabling it.  See 'Re-activating the Sophos LSP' below.

Important: Both methods require endpoint computers that returned the error to be rebooted. The LSP is only updated during a reboot, and has been implemented this way to avoid disrupting network connectivity.

If the error re-occurs and you chose to re-protect the endpoint(s), follow the steps in Re-activating the Sophos LSP below before contacting us.

Re-activating the Sophos LSP

Follow the instructions here according to whether you have Enterprise Console or Sophos Control Center:

  • For Enterprise Console
    1. In the console locate the Anti-Virus and HIPS policy for the endpoint generating the error.
    2. Under 'Web protection' set the following two options to 'Off'.
      1. 'Block access to malicious websites'
      2. 'Downloading scanning'
    3. If using Web Control:
      1. Locate the Web control policy for the endpoint generating the error.
      2. Uncheck the 'Enable web control' option.
    4. Now go to the section below, 'For both Consoles' and continue with the steps there.
  • For Control Center
    1. In the Control Center, click 'Configure scanning'
    2. Set 'Web scanning is' to Off.
    3. Now go to the section below, 'For both Consoles' and continue with the steps there.
  • For both consoles
    1. Apply the policy to the computer and, depending on network speed, allow time for the endpoint to reconfigure itself and report back to the console.
    2. Reboot the endpoint computer.
    3. Reinstate the original policy settings that were changed in steps 1 and 2 above.

Note: For Enterprise Console customers only. If only a small percentage of computers in any one group are affected, or computers from different groups are affected, we recommend moving computers to a new temporary group. The group should have new Anti-Virus and Web control policies applied to it, configured as suggested above.  This allows the majority of endpoints to maintain their current level of protection.

Further Troubleshooting

To view the Winsock catalog entries you can use Microsoft's Autoruns tool | 'Winsock Providers' tab or run the following command in a command prompt (Start | Run | Type: cmd.exe | Press return).

netsh winsock show catalog > C:\winsockCatalog.txt

If the Sophos LSP is loaded then, amongst the full list generated in C:\WinsockCatalog.txt, you will see entries such as:

Entry Type:  Layered Service Provider (32)
Description: Sophos Web Intelligence IFSLSP

Note: If you need to contact Sophos technical support run the Sophos Diagnostic Utility on the endpoint computer first and submit your support request using our online web form with the output file attached.



 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments