Whitelisting the Sophos domain to enable automatic sample submission

  • Article ID: 62637
  • Updated: 19 Nov 2013
Issue

The automatic sample submission feature of Sophos Online Scanning sends samples of malware and suspicious files to Sophos Labs for analysis, which considerably speeds up the process. However, if clients access the Internet through a security proxy with AV features, the upload may be blocked as suspicious, even though the uploaded data is encrypted.

Known to apply to the following Sophos product(s) and version(s)

Enterprise Console 

Technical background
If automatic sample submission is enabled and the SXL response requires a sample of the file that triggered the detection, the file is packaged into an encrypted envelope and uploaded via HTTP POST to an address crafted as follows:

http://<cachebuster_random_string>.<hash_of_the_file>.5.samples.sophosxl.net/<filename>

where

  • <cachebuster_random_string> is a randomly generated string that prevents cached DNS responses from being used
  • <hash_of_the_file> is a hash of the file being uploaded
  • <filename> is the hash of the file again.

What to do

In order to avoid the upload being blocked as suspicious, you must ensure that access to samples.sophosxl.net is not blocked by the proxy. 

How you achieve this depends on the type of software or device used.
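Because the random string and the file hash change the hostname on every upload, an exemption has to match the domain and all of its subdomains rather than one fixed host. The following is an added example, not Sophos code: the function names and sample URLs are constructed for illustration, and no hash length or algorithm is assumed. It matches hosts on a label boundary and splits an upload URL into the fields described above, which is also useful when reviewing proxy logs.

```python
from urllib.parse import urlsplit

SAMPLE_DOMAIN = "samples.sophosxl.net"  # domain named in the article


def host_is_allowed(host, suffix=SAMPLE_DOMAIN):
    """Match the domain itself or any subdomain, on a label boundary only."""
    host = host.rstrip(".").lower()
    return host == suffix or host.endswith("." + suffix)


def parse_sample_upload(url):
    """Split an upload URL into the article's fields, or return None.

    Expected shape: http://<cachebuster>.<hash>.5.samples.sophosxl.net/<filename>
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "http" or not host_is_allowed(host):
        return None
    # Labels left of the allowed domain: cachebuster, hash, literal "5".
    labels = host[: -len(SAMPLE_DOMAIN)].rstrip(".").split(".")
    if len(labels) != 3 or labels[2] != "5" or not all(labels):
        return None
    cachebuster, file_hash, _ = labels
    filename = parts.path.lstrip("/")
    # The article says the filename is the file hash again.
    if filename.lower() != file_hash:
        return None
    return {"cachebuster": cachebuster, "hash": file_hash, "filename": filename}


# Constructed sample URLs (not real submissions).
SAMPLES = [
    "http://k3x9qz.0123abcd.5.samples.sophosxl.net/0123abcd",  # expected shape
    "http://k3x9qz.0123abcd.5.samples.sophosxl.net/other",     # filename != hash
    "http://a.b.5.notsamples.sophosxl.net/b",                  # different subdomain
    "http://a.b.5.samples.sophosxl.net.example.org/b",         # different domain
]

if __name__ == "__main__":
    for url in SAMPLES:
        host = urlsplit(url).hostname
        print(host_is_allowed(host), parse_sample_upload(url), url)
```

A rule written as a plain "ends with samples.sophosxl.net" string test would also match the third sample, which is why the check requires a leading dot or an exact match.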

 
If you need more information or guidance, then please contact technical support.
