New England Security User Group

  • 1.  SWV breaking Anti-Virus and a Firewall Question

    Posted Feb 23, 2011 04:24 PM

    I am hoping that some of you out there who use SWV can provide a little guidance. We're a Sophos shop (I know!) where I work, and when I import and then activate a layer, without fail, Sophos throws a message stating "Sophos Endpoint Security and Management Has Failed". As soon as that happens IE stops functioning, Explorer is unhappy (can't save files, can't easily browse personal file spaces) and things just don't behave right. After a restart Sophos picks right back up and is fine most of the time. Once in a while, after we close a virtual application, the same error occurs. These errors are not occurring under normal Sophos or OS use at all.


    Secondly, some applications need to talk to the web (such as SPSS/PASW) but once in a layer, depending on where it gets deployed, the folder structure changes (C:\fslrdr\1\, C:\fslrdr\2\...). We need to allow Internet access to the application but don't want to allow everything in the fslrdr folder so is there a recommended way to do this?


    Thanks!



  • 2.  RE: SWV breaking Anti-Virus and a Firewall Question

    Posted Feb 24, 2011 01:47 PM

    Try adding the Sophos processes to our Program Ignore list (check the help guide), as that tends to fix 90% of AV and firewall issues. It is also the standard way of fixing issue #2, since doing this prevents the application in question from seeing the FSLRDR location, so it has to use the virtual path (i.e. where it would be installed to in the base).

    If that's not working let me know your OS version, Sophos version and SWV version.
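One way to script the ProgramIgnoreList change described in the reply above, as an added example that is not from the original thread or from Symantec. The registry key, the value name and its REG_MULTI_SZ type are assumptions taken from the agent's documented configuration for this era (verify against the help guide for your SWV version), and the Sophos executable names are examples only; substitute the processes you actually see crashing.

```powershell
# Added example: append executables to SWV's ProgramIgnoreList so those
# processes run outside the layer view and never see C:\fslrdr.
# ASSUMPTIONS: registry path, value name and MultiString type; exe names are examples.
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\fslx\Parameters\FSL'   # assumed
$ValueName = 'ProgramIgnoreList'                                             # assumed REG_MULTI_SZ
$ToIgnore  = @('SavService.exe', 'SAVAdminService.exe', 'ALsvc.exe')          # example names

function Add-SwvIgnoredProgram {
    param([string]$Path, [string]$Name, [string[]]$Programs)

    if (-not (Test-Path -Path $Path)) {
        throw "SWV key not found at $Path; is the agent installed (or is the key elsewhere on this build)?"
    }

    # Read what is already there; the value may not exist on a fresh install.
    $existing = @()
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($prop) { $existing = @($prop.$Name) }

    # Merge case-insensitively so repeated runs never write duplicate entries.
    $merged = @($existing)
    foreach ($exe in $Programs) {
        if (-not ($merged | Where-Object { $_ -ieq $exe })) { $merged += $exe }
    }

    # -Force overwrites the value in place; PropertyType keeps it a REG_MULTI_SZ.
    New-ItemProperty -Path $Path -Name $Name -Value $merged -PropertyType MultiString -Force | Out-Null
    return $merged
}

$result = Add-SwvIgnoredProgram -Path $RegPath -Name $ValueName -Programs $ToIgnore
"ProgramIgnoreList now contains:"
$result
```

Run it from an elevated PowerShell prompt. Re-running is safe because the merge skips names that are already present; if the agent does not pick the change up immediately, reboot, since the list is read by the filter driver rather than by a user-mode service you can simply restart.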



  • 3.  RE: SWV breaking Anti-Virus and a Firewall Question

    Posted Feb 24, 2011 03:45 PM

    Yeah, a little reading on my part would have been nice. I have added the Sophos executables to the ProgramIgnoreList in the registry and we'll see how that goes from there.

    I still don't know how to handle application access through the Windows Firewall, though. Since I need an explicit rule to allow the application access through the FW, and that executable location could vary depending on which order the layers are installed, how would that be accomplished? Would I simply exclude the location where the software would be installed if it wasn't in a layer in the ProgramIgnoreList?


    Thanks!



  • 4.  RE: SWV breaking Anti-Virus and a Firewall Question

    Posted Feb 24, 2011 05:41 PM

    Generally yes, make the exception for where it would be installed to outside of a layer.



  • 5.  RE: SWV breaking Anti-Virus and a Firewall Question

    Posted Feb 25, 2011 09:13 AM

    I have gone ahead and made the Windows Firewall exception based on C:\Program Files\... however the firewall warning pops up asking to allow C:\fslrdr\1\... which, based on the previous conversation, means I should exclude the Windows Firewall in the ProgramIgnoreList. Is this happening to anyone else? It seems that it's an awful lot of extra effort to exclude something built into the OS. If we have to, we have to, but then the next question is how on earth to do that, since the Windows Firewall is launched with svchost from what I can see.


    I should mention that this is Windows 7, 64-bit running SWV 6.3.2065.



  • 6.  RE: SWV breaking Anti-Virus and a Firewall Question

    Posted Feb 25, 2011 06:15 PM

    So after looking into this, I'm afraid that we do not support custom rules with Windows Firewall at this time.

    The problem is twofold:

    1) Windows Firewall needs to see the redirect area, and we cannot exclude its process, SVCHOST, from SWV.

    2) Windows Firewall saves its settings to the registry, so when you pass in a redirect path (say, c:\FSLRDR\1\[_b_]ProgramFiles[_E_]\myProgram) we convert that path into a normal Windows path (C:\FSLRDR\1\C:\Program Files\MyProgram), so as soon as you reboot the system your custom rule no longer works.

    The only way to work around this is to delete and create a new rule upon log-in or layer activation.

    Most other firewalls do not have this problem because they either have an exe that we can exclude or they don't save their firewall settings in the registry.
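The workaround the reply above describes (drop the rule and recreate it at logon or layer activation), as an added example that is not from the original thread or from Symantec. It assumes the redirect area really is C:\fslrdr\<n>\... as the thread shows, that the rule name and the application's path below its Program Files folder are placeholders you replace, and that the script runs elevated. Because the numbered layer folder depends on activation order, it searches the redirect area for the executable rather than hard-coding a number, and it uses .NET file enumeration so the [_B_]...[_E_] tokens in the on-disk folder names are not treated as PowerShell wildcards.

```powershell
# Added example: rebuild a Windows Firewall program rule for a virtualized
# application at logon or after layer activation (netsh advfirewall, Windows 7).
# ASSUMPTIONS: redirect root per the thread; relative path and rule name are placeholders.
$RedirectRoot = 'C:\fslrdr'                                         # SWV redirect area (from the thread)
$RelativeExe  = 'IBM\SPSS\Statistics\19\stats.exe'                  # assumed: path below the layer's Program Files folder
$RuleName     = 'SWV - SPSS Statistics (virtualized)'               # assumed rule name

function Find-LayeredExecutable {
    param([string]$Root, [string]$Relative)
    if (-not (Test-Path -LiteralPath $Root)) { return $null }
    $leaf = Split-Path -Path $Relative -Leaf
    # Directory.GetFiles avoids wildcard parsing of the [_B_]..[_E_] folder names.
    try {
        $hits = [System.IO.Directory]::GetFiles($Root, $leaf, [System.IO.SearchOption]::AllDirectories)
    } catch {
        Write-Warning ("Could not enumerate " + $Root + ": " + $_.Exception.Message)
        return $null
    }
    # Keep only hits whose tail matches the expected relative path, case-insensitively,
    # so a same-named exe in another layer is not picked by accident.
    $suffix = ('\' + $Relative).ToLower()
    foreach ($h in $hits) {
        if ($h.ToLower().EndsWith($suffix)) { return $h }
    }
    return $null
}

function Reset-FirewallRuleForLayer {
    param([string]$Name, [string]$ProgramPath)
    # Delete the stale rule from the last session; netsh reports "No rules match"
    # on a clean machine, which is harmless, so the output is discarded.
    & netsh advfirewall firewall delete rule name="$Name" | Out-Null
    # Recreate against the path the layer has THIS session. Inbound covers the
    # prompt the poster saw; outbound is added in case the profile blocks out by default.
    & netsh advfirewall firewall add rule name="$Name" dir=in  action=allow program="$ProgramPath" enable=yes | Out-Null
    & netsh advfirewall firewall add rule name="$Name" dir=out action=allow program="$ProgramPath" enable=yes | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$exe = Find-LayeredExecutable -Root $RedirectRoot -Relative $RelativeExe
if (-not $exe) {
    Write-Warning "Executable not found under $RedirectRoot; is the layer activated?"
    exit 1
}
if (Reset-FirewallRuleForLayer -Name $RuleName -ProgramPath $exe) {
    "Firewall rule '$RuleName' now points at $exe"
} else {
    Write-Warning "netsh reported a failure while recreating '$RuleName'; check 'netsh advfirewall firewall show rule name=`"$RuleName`"'"
    exit 1
}
```

To run it at logon, register it as a scheduled task that triggers on logon and runs as SYSTEM (for example with schtasks /create /sc ONLOGON /ru SYSTEM /tr "powershell.exe -ExecutionPolicy Bypass -File C:\path\to\script.ps1"), or call it from whatever you already use to activate layers. Keep the rule scoped to one program path rather than allowing the whole C:\fslrdr tree, which is the over-broad exception the original question was trying to avoid.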