One or more endpoint computers, with Web Protection, Download Scanning, or Web Control enabled, report the following scanning error in the console:
Web protection is no longer functional. The filtering driver has been bypassed or unloaded [0xa058000c]
This error is also recorded in the SAV.txt log.
First seen in
Sophos Endpoint Security and Control 10.0
A periodic background task checks that the Sophos Layered Service provider (LSP) is correctly installed and returns the error if a problem is found. Commonly the error is generated when our LSP has been removed or is being bypassed.
- Reasons for the LSP being removed:
- Administrator explicitly removed it.
- 3rd party software installation or update removed it.
- Problem with the operating system.
- Reasons for the LSP being bypassed (it is visible in the Winsock catalog but is not actually working - see 'Further Troubleshooting' below):
- Administrator reconfigured the Winsock catalog and this broke our LSP.
- During the installation or updating of 3rd party software, the Winsock catalog was incorrectly configured by that installer.
- As a result of the Shh false positive removing the swi_update.exe files.
Note: If this error appears on an upgrade from Sophos Endpoint Security and Control version 10.3.12 and later, and you have the Sophos Client Firewall installed, this issue can be caused by the web protection processes being blocked. To resolve:
- Allow the processes in the firewall policy in Enterprise Console as follows:
- In the advanced Firewall Policy configuration dialog, under Configurations, click Configure next to a location you want to configure.
- Click on the Processes tab, click Add to allow an application to launch hidden processes and add the following files:
This issue has been fixed in the Sophos Endpoint Security and Control versions 10.3.15.2 release.
What To Do
Our LSP has to be reset in the Winsock catalog. You can either:
- Re-protect the endpoint computer(s), either locally or from the console, and then reboot them.
- Re-activate our LSP by fully disabling it, rebooting the endpoint, and enabling it. See 'Re-activating the Sophos LSP' below.
Important: Both methods require endpoint computers that returned the error to be rebooted. The LSP is only updated during a reboot, and has been implemented this way to avoid disrupting network connectivity.
If the error re-occurs and you chose to re-protect the endpoint(s), follow the steps in Re-activating the Sophos LSP below before contacting us.
Re-activating the Sophos LSP
Follow the instructions below:
- Enterprise Console
- In the console locate the Anti-Virus and HIPS policy for the endpoint generating the error.
- Under 'Web protection' set the following two options to 'Off'.
- 'Block access to malicious websites'
- 'Downloading scanning'
- If using Web Control:
- Locate the Web control policy for the endpoint generating the error.
- Uncheck the 'Enable web control' option.
- Now go to the section below, 'Policy Compliance' and continue with the steps there.
- Policy Compliance
- Apply the policy to the computer and, depending on network speed, allow time for the endpoint to reconfigure itself and report back to the console.
- Reboot the endpoint computer.
- Reinstate the original policy settings that were changed in steps 1 and 2 above.
Note: If only a small percentage of computers in any one group are affected, or computers from different groups are affected, we recommend moving computers to a new temporary group. The group should have new Anti-Virus and Web control policies applied to it, configured as suggested above. This allows the majority of endpoints to maintain their current level of protection.
To view the Winsock catalog entries you can use Microsoft's Autoruns tool | 'Winsock Providers' tab or run the following command in a command prompt (Start | Run | Type:
cmd.exe | Press return).
netsh winsock show catalog > C:\winsockCatalog.txt
If the Sophos LSP is loaded then, amongst the full list generated in
C:\WinsockCatalog.txt, you will see entries such as:
Entry Type: Layered Service Provider (32)
Description: Sophos Web Intelligence IFSLSP
Note: If you need to contact Sophos technical support run the Sophos Diagnostic Utility on the endpoint computer first and submit your support request using our online web form with the output file attached.