Sophos Central Endpoint: Dashlane Mozilla Firefox extension may not function correctly

The Mozilla Firefox extension for Dashlane Password Manager may not function correctly when installed alongside Sophos Central Endpoint. Customers may see that the browser extension icon is greyed out and cannot be accessed.

The Dashlane Firefox extension talks to the local Dashlane application over loopback ports, so anti-virus and firewall software must be configured to allow that local traffic before the extension can be used.

This article describes the steps to resolve this issue.

Applies to the following Sophos products and versions

Sophos Cloud Managed Endpoint

First, follow the guidance published by Dashlane in its own support article.

Then, on each affected machine, exclude the local ports used by the Dashlane extension from the Sophos Web Filter:

  1. Open regedit
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swi_callout
  3. Create or modify the multi-string (REG_MULTI_SZ) value LoopbackBypass
  4. Add the following port numbers, each on its own line:
    • 11456
    • 15674
    • 17896
    • 21953
    • 32934
  5. Restart the Sophos Web Filter service

Note: You may also need to restart the browser for the change to take effect.

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Sophos Anti-Virus for Mac OS: Secure Kernel Extension Loading troubleshooting

macOS 10.13 introduced a security mechanism that Apple calls Secure Kernel Extension Loading (SKEL). A kernel extension from any non-Apple developer is blocked from loading until that developer has been added to a trusted list, which any user of the Mac can do. Sophos Anti-Virus relies on its kernel extensions (used to intercept file access and similar operations), so the Sophos kexts must be approved before the product can function properly. Every third-party vendor is affected by this change, and there is no way to work around the requirement.

Note: Due to an Apple security restriction, the approval cannot be given over a remote desktop connection; a user must be logged on locally. The Allow button is shown, but grayed out, when the window is accessed via remote desktop.

After installing Sophos Anti-Virus, open System Preferences and go to Security & Privacy.

Near the bottom of the General pane, the window lists the Sophos kernel extensions (kexts) that were blocked. Click Allow.

Approval is granted to the Sophos developer identity, so once it has been given all future Sophos kernel extensions are allowed, even after the product is uninstalled. The step is not needed again on a reinstall.

If the kexts still do not load, work through the troubleshooting steps below.

Applies to the following Sophos products and versions

Central Mac Endpoint

Sophos Anti-Virus for Mac OS X

If the kexts do not load after the steps above, or the prompt to allow the kext never appears, the kext can be authorized manually from macOS Recovery. The spctl kext-consent command is only accepted while booted into Recovery; it is refused from a normal boot.

  1. Boot into Recovery mode (see Apple support article HT201314)
  2. Open the Terminal (From the menu at the top)
  3. Run the command: /usr/sbin/spctl kext-consent add 2H5GFH3774
  4. Reboot

Some customers have run into this issue even after these steps. Apple has acknowledged a bug in macOS 10.13 and 10.14.0 that can cause it; the bug is fixed in 10.14.1 (released October 30, 2018).

Advisory: Sophos Central Wireless – Issue with wireless APs incorrectly shown as offline

Sophos is investigating reports from some Central customers located in the US-West-2 region whose wireless APs are intermittently shown as offline.

Applies to the following Sophos product(s) and version(s)

Sophos Central Wireless

The Central Wireless dashboard may show access points as "Offline" at random intervals for some users located in the US-West-2 region.

  • The LED on affected APs may intermittently flash orange or red
  • This appears to be a display issue only: the access points remain functional
  • While an AP is shown as offline, new configurations cannot be pushed to it

Active maintenance is occurring, and Central APs will appear as offline on the Central dashboard during this time.

Note: APs remain operational and continue broadcasting their SSIDs, so end-user connectivity is not affected. However, new configurations cannot be pushed to APs during the maintenance window.

The fix for this issue is currently scheduled for July 13th.

Please contact Sophos Technical Support and mention this KBA as a reference.

No workaround is currently available.

This article will be updated when more information becomes available.

Advisory – Black screen when logging off Windows 10 1903 if Sophos Intercept X or Exploit Prevention are installed alongside certain third parties

Sophos has identified an issue where Windows 10 1903 (May 2019 Update) machines may hang at log-off if Sophos Intercept X or Sophos Exploit Prevention is running alongside certain third-party security applications.

The hang occurs because both security products hook the same Microsoft executable (fontdrvhost.exe, the Windows font driver host) at the same time.

A workaround is available to affected customers, and Sophos plans to release updates to Intercept X and Exploit Prevention that resolve the issue.

Applies to the following Sophos product(s) and version(s)

Central Endpoint Intercept X 2.0.14

Sophos Exploit Prevention

Users may not be able to log off gracefully; they may have to forcibly power off their devices in order to log off or shut down.

A fix is due in the following versions:

  • Sophos Intercept X 2.0.15
  • Sophos Exploit Prevention 3.7.13

These versions will be available to customers by the end of August.

If you require earlier access to this update please contact technical support.

Affected customers can follow the below steps to workaround this issue.

Sophos Central Customers

  1. Install the Cumulative Hotfix version of Sophos Intercept X – available in KBA 133140.
  2. Login to your Sophos Central account at https://central.sophos.com/manage/login
  3. Click Global Settings then Global exclusions
  4. Click Add Exclusion
  5. Add an exclusion of type Exploit Mitigation (Windows)
  6. Click Application not listed?
  7. Under “EXCLUDE APPLICATION BY PATH” add in the following:
    • $system32\fontdrvhost.exe
  8. Untick Protect Application
  9. Click Add to finish adding the exclusion
  10. Affected clients should then pick up the exclusion the next time they synchronize

Sophos Enterprise Console customers

  1. Run the Sophos Diagnostic Utility (SDU) on an affected machine as per https://community.sophos.com/kb/en-us/33533
  2. Raise a case with Sophos Technical Support at https://secure2.sophos.com/en-us/support/open-a-support-case/describe-issue.aspx
  3. Submit the SDU gathered above and detail the issue you’re experiencing
  4. Sophos Technical Support will then advise how to implement the manual exclusion

This article will be updated when information becomes available.

Advisory: TCP SACK PANIC kernel vulnerability

Overview

This article outlines the details of the TCP SACK PANIC kernel vulnerability and how it impacts Sophos products.

Three related flaws were found in the Linux kernel's handling of TCP Selective Acknowledgement (SACK) packets and of connections with a low maximum segment size (MSS).

These have been assigned the following CVEs:

  • CVE-2019-11477 is rated Important severity
  • CVE-2019-11478 and CVE-2019-11479 are rated Moderate severity

Applies to the following Sophos products and versions

Product                          Affected   Release plan
Sophos XG Firewall               Yes        Mid-July
Sophos UTM                       Yes        Mid-July
Cyberoam                         Yes        End of July
Sophos Firewall Manager          No         n/a
Sophos UTM Manager               Yes        No release date yet
Sophos Email Appliance           No         n/a
Sophos Web Appliance             Yes        Mid-July
Sophos RED                       No         n/a
Sophos AP/APX                    No         n/a
Sophos iView                     No         n/a
Sophos Central Firewall Manager  No         n/a
Sophos for Virtual Environments  Yes        Mid-July

Impact

CVE-2019-11477

  • A remote attacker could exploit this to crash the system resulting in a Denial of Service.

CVE-2019-11478

  • The Linux kernel is vulnerable to a flaw that allows attackers to send a crafted sequence of SACKs which will fragment the TCP retransmission queue. This could cause the CPU to spend an excessive amount of time attempting to reconstruct the list, resulting in a Denial of Service.

CVE-2019-11479

  • The Linux kernel is vulnerable to a flaw that allows attackers to send crafted packets with low MSS values to trigger excessive resource consumption. The system will then work at reduced capacity resulting in a Denial of Service for some users.

What to Do

Sophos is actively working to resolve this issue with high priority.

In the meantime, users can follow the workaround instructions outlined below.

Workaround

Until a permanent fix is released, the vulnerabilities can be mitigated by disabling selective acknowledgements system-wide for all newly established TCP connections (or, on UTM, by dropping low-MSS segments instead).

Sophos XG Firewall

Disable selective acknowledgements in the console. This workaround is reboot-persistent.

Note:Disabling SACK may reduce performance in case of packet loss.

  • Log in to the XG console and select option 4 (Device Console), then run:
    set advanced-firewall tcp-selective-acknowledgement off
  • To verify, run:
    show advanced-firewall
    The output should include: TCP Selective Acknowledgements: off

Sophos UTM

There are two available workarounds that are reboot-persistent. Each workaround has caveats. Users may prefer one workaround over the other.

  1. Limiting MSS size, which mitigates all three CVEs
  2. Disabling selective acknowledgements, which only mitigates CVE-2019-11477 (Important) and CVE-2019-11478

Limiting MSS Size

This workaround mitigates all three CVE vulnerabilities.

Note: A side effect of this change is that it may disrupt legitimate traffic that relies on low MSS values.

  1. Disable MTU probing (required: the MSS filter below only protects the system while MTU probing is off):
     echo "net.ipv4.tcp_mtu_probing = 0" >> /etc/sysctl.conf
     sysctl -p
  2. Add the following line to /var/mdw/etc/iptables/iptable.filter immediately after the :USR_OUTPUT - [0:0] chain declaration (line 29 on UTM 9.603), so that it becomes the first rule in the INPUT chain and is evaluated before any ACCEPT rule:
     -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
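The following script, added here as an example and not part of the Sophos article, applies the MSS workaround above in a form that can be re-run safely and checked afterwards. It assumes the paths the article names (/etc/sysctl.conf, and /var/mdw/etc/iptables/iptable.filter containing the :USR_OUTPUT - [0:0] line); the awk-based idempotent file editing, the status report, and the immediate application with sysctl -w and iptables -C/-I are additions of this example, not steps from the article. The "disable SACK" alternative the article mentions for UTM is not implemented here because the article gives no commands for it.

```shell
#!/bin/sh
# Added example (not Sophos code): persist and apply the UTM "limit MSS"
# workaround for the TCP SACK CVEs, idempotently, and report what is in force.
# Assumptions (not from the article): awk is used for the file edits so that
# re-running never duplicates lines; the live sysctl/iptables calls only run
# when invoked as "sh sack-workaround.sh apply" as root on the UTM.

MSS_RULE='-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP'   # rule from the article
ANCHOR=':USR_OUTPUT - [0:0]'                                # chain line the article names
IPTABLE_FILTER=/var/mdw/etc/iptables/iptable.filter
SYSCTL_CONF=/etc/sysctl.conf

# Set "key = value" in a sysctl.conf-style file, replacing any existing
# definition of that key so repeated runs never stack duplicate lines.
set_sysctl_line() {   # $1=file $2=key $3=value
    [ -f "$1" ] || : > "$1"
    awk -v key="$2" -v value="$3" '
        {
            k = $0; sub(/#.*/, "", k); sub(/=.*/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { if (!seen) print key " = " value; seen = 1; next }
            print
        }
        END { if (!seen) print key " = " value }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the value recorded for a key in a sysctl.conf-style file (empty if absent).
sysctl_conf_value() {   # $1=file $2=key
    awk -v key="$2" -F= '
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $2; sub(/#.*/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        }
        END { print val }
    ' "$1"
}

mss_rule_present() {   # $1=iptable.filter path
    grep -qF -- "$MSS_RULE" "$1"
}

# Insert the MSS drop rule directly after the anchor chain declaration, which
# makes it the first INPUT rule so it is evaluated before any ACCEPT rule.
add_mss_drop_rule() {   # $1=iptable.filter path
    if mss_rule_present "$1"; then
        return 0
    fi
    if ! grep -qF -- "$ANCHOR" "$1"; then
        echo "anchor line '$ANCHOR' not found in $1" >&2
        return 1
    fi
    awk -v anchor="$ANCHOR" -v rule="$MSS_RULE" '
        { print }
        !done && $0 == anchor { print rule; done = 1 }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Apply the same settings to the running kernel without waiting for a reboot.
# iptables -C only tests for the rule, so re-running never inserts a duplicate.
apply_live() {
    sysctl -w net.ipv4.tcp_mtu_probing=0
    iptables -C INPUT -p tcp -m tcpmss --mss 1:500 -j DROP 2>/dev/null \
        || iptables -I INPUT 1 -p tcp -m tcpmss --mss 1:500 -j DROP
}

# Report what is in force; tcp_mtu_probing must read 0 or the MSS rule alone is not enough.
show_status() {
    echo "tcp_mtu_probing (running):   $(sysctl -n net.ipv4.tcp_mtu_probing)"
    echo "tcp_mtu_probing (persisted): $(sysctl_conf_value "$SYSCTL_CONF" net.ipv4.tcp_mtu_probing)"
    if iptables -C INPUT -p tcp -m tcpmss --mss 1:500 -j DROP 2>/dev/null; then
        echo "MSS drop rule: active"
    else
        echo "MSS drop rule: NOT active"
    fi
}

case "${1:-}" in
    apply)
        set_sysctl_line "$SYSCTL_CONF" net.ipv4.tcp_mtu_probing 0
        add_mss_drop_rule "$IPTABLE_FILTER"
        apply_live
        show_status
        ;;
    status) show_status ;;
esac
```

Run sh sack-workaround.sh apply as root on the UTM to persist and apply both settings, and sh sack-workaround.sh status to confirm what is in force. Because the file-editing functions are idempotent, re-running the script after an Up2Date does not duplicate the rule or the sysctl line.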

Central Server Update Cache: Information on Error Opening messages in Update Cache logs

Because of upcoming changes to DCI customer files, the Windows endpoint may request a customer file from the Update Cache that does not yet exist. It then requests the current file, which succeeds, but the first request still leaves an error in the Update Cache log (uc.log). This error can be safely ignored. The guidelines below distinguish this expected error from one that needs to be investigated.

The new format is DCI v3, which Windows clients now look for although it has not been released yet. DCI v3 uses a 64-character customer file name, compared with the 32-character name used by DCI v2.

Applies to the following Sophos product(s) and version(s)

Sophos Central Managed Server

Central Server Update Cache

No impact on protection. May cause some confusion.

The following will all be true if this is the source of the error:

  • The URI in uc.log will start with “https://<servername>/sophos/customer/….”
  • The file name in the URI in uc.log will be 68 characters (64+.dat).
  • The client will still be updating properly
  • No errors sent to Central (Only in UC.log)

If a customer is concerned, let them know that this behaviour is expected and causes no harm.

If there is an error finding any other file, please investigate normally.

Example from uc.log (Server):

[2018-04-18T09:47:24Z] [f4c] Error: [HTTPServer::HttpReceiveRequestCompletion::CompleteOperation:494] Error opening https://<server>:8191/sophos/customer/0/12/0123456789012345678901234567890123456789012345678901234567890123.dat: Could not open file: [3] The system cannot find the path specified.

Example from SophosUpdate.log (Endpoint):

2018-04-18T08:34:27.173Z [ 6840] [v5.11.141] WARN [W41450] 500 Internal Server Error: https://<server>:8191/sophos/customer/0/12/0123456789012345678901234567890123456789012345678901234567890123.dat

2018-04-18T08:34:27.173Z [ 6840] [v5.11.141] INFO Could not reach cache: <server>:8191

2018-04-18T08:34:27.173Z [ 6840] [v5.11.141] INFO Checking access to update cache: <server>:8191 using customer file 0/12/01234567890123456789012345678901.dat

2018-04-18T08:34:27.173Z [ 6840] [v5.11.141] INFO [I23394] Successfully downloaded customer file

2018-04-18T08:34:27.173Z [ 6840] [v5.11.141] INFO Successfully connected to cache: <server>:8191

2018-04-18T08:34:27.173Z [ 6840] [v5.11.141] INFO Analysis complete - Using update cache: <server>:8191

2018-04-18T08:34:27.173Z [ 6840] [v5.11.141] INFO Updating from cache: <server>:8191

2018-04-18T08:34:27.173Z [ 6840] [v5.11.141] INFO Filename: 0/12/01234567890123456789012345678901.dat
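As an added example (not Sophos tooling), the shell script below applies the rule of thumb above to a uc.log: an "Error opening" for a path under /sophos/customer/ whose file name is 64 characters plus .dat is reported as the expected DCI v3 probe, and every other "Error opening" is flagged for normal investigation. The host name uc.example.local, the port and the four sample log lines are constructed for the example, and the way the URL is parsed out of the log line is an assumption based on the uc.log format shown above.

```shell
#!/bin/sh
# Added example (not Sophos code): triage "Error opening" lines in an Update
# Cache uc.log using the article's rule of thumb. A miss under /sophos/customer/
# for a 64-character name plus ".dat" is the expected DCI v3 probe; any other
# "Error opening" is flagged for normal investigation.

# Classify one uc.log line. Prints one of:
#   benign-dci-v3-probe   the expected miss described in this article
#   investigate           some other file failed to open
#   not-an-open-error     the line is not an "Error opening" message
classify_uc_line() {   # $1 = one uc.log line
    case "$1" in
        *"Error opening "*) ;;
        *) echo "not-an-open-error"; return 0 ;;
    esac
    # The URL is the token after "Error opening ", up to the ": " before the reason
    # (assumed from the format shown in the article).
    url=$(printf '%s\n' "$1" | sed -n 's/.*Error opening \([^ ]*\): .*/\1/p')
    path=${url#*://}            # strip the scheme
    path=/${path#*/}            # strip host:port, keep a leading slash
    fname=${path##*/}
    case "$path" in
        /sophos/customer/*)
            # 64 characters + ".dat" = the 68-character DCI v3 name the article describes
            if printf '%s\n' "$fname" | grep -Eq '^[[:alnum:]]{64}\.dat$'; then
                echo "benign-dci-v3-probe"
                return 0
            fi
            ;;
    esac
    echo "investigate"
}

# Walk a whole uc.log and print counts. Exit status is always 0; the caller
# decides what to do with a non-zero "investigate" figure.
triage_uc_log() {   # $1 = path to uc.log
    benign=0; investigate=0
    while IFS= read -r line; do
        case "$(classify_uc_line "$line")" in
            benign-dci-v3-probe) benign=$((benign + 1)) ;;
            investigate) investigate=$((investigate + 1)) ;;
        esac
    done < "$1"
    echo "benign=$benign investigate=$investigate"
}

# Constructed sample log: host name and port are placeholders, not real systems.
# Line 1 is the expected DCI v3 probe; line 2 is a DCI v2 (32-character) file
# that should exist; line 3 is an unrelated file; line 4 is not an error.
write_sample_uc_log() {   # $1 = destination path
    cat > "$1" <<'EOF'
[2018-04-18T09:47:24Z] [f4c] Error: [HTTPServer::HttpReceiveRequestCompletion::CompleteOperation:494] Error opening https://uc.example.local:8191/sophos/customer/0/12/0123456789012345678901234567890123456789012345678901234567890123.dat: Could not open file: [3] The system cannot find the path specified.
[2018-04-18T09:47:25Z] [f4c] Error: [HTTPServer::HttpReceiveRequestCompletion::CompleteOperation:494] Error opening https://uc.example.local:8191/sophos/customer/0/12/01234567890123456789012345678901.dat: Could not open file: [3] The system cannot find the path specified.
[2018-04-18T09:47:26Z] [f4c] Error: [HTTPServer::HttpReceiveRequestCompletion::CompleteOperation:494] Error opening https://uc.example.local:8191/sophos/warehouse/catalogue/sdds.live.xml: Could not open file: [3] The system cannot find the path specified.
[2018-04-18T09:47:27Z] [f4c] Info: request completed
EOF
}

if [ -n "${1:-}" ]; then
    triage_uc_log "$1"                  # triage a real uc.log given on the command line
else
    sample=$(mktemp)
    write_sample_uc_log "$sample"
    triage_uc_log "$sample"             # prints: benign=1 investigate=2
    rm -f "$sample"
fi
```

Run it with the path to the server's uc.log to get a count of expected DCI v3 misses versus errors that need attention; run it with no argument to see the result on the constructed sample.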

This article will be updated when more information becomes available.

RESOLVED – Sophos UTM: RED-W wireless becomes inactive after updating to 9.6

Some customers are reporting RED-W wireless issues and high CPU usage after updating to UTM v9.6 GA.

Applies to the following Sophos product(s) and version(s)

Sophos UTM 9.6 GA

  • Large amounts of traffic are sent between the RED interface and the AP, potentially causing high CPU usage
  • Wireless from the RED device becomes inactive, although the RED tunnel itself stays up and online

RESOLVED: This issue is fixed in UTM 9.6 MR2, which is now available.

To verify that this is the issue, open the wireless log in WebAdmin (or /var/log/wireless.log on the appliance) and look for the following entries:

utm awed[5262]: [MASTER] new connection from x.x.x.x:54756

utm awed[23301]: [AXXXXXXXXXXX] RED15w from x.x.x.x:54756 identified as AXXXXXXXXXXX

utm awed[23301]: [AXXXXXXXXXXX] (Re-)loaded identity and/or configuration

utm awed[23301]: [AXXXXXXXXXXX] Corrupt payload. Device may have wrong key. MD5 of the key is yyyyyyyyyyyyyyyyyy. Delete device to re-register it.

Please contact Sophos Technical Support if the issue is still observed after updating to the fixed version.

Rejoin the AP as follows:

  • Navigate to Wireless Protection > Access Points
  • Delete the now-inactive access point, then re-accept the RED AP so that a new key is generated.

Wireless should now be connected and CPU usage should return to normal levels.

Advisory: Sophos UTM – Issue with RED 50 after upgrade to v9.6

An issue has been identified which affects RED 50 devices in UTM 9.6.

Applies to the following Sophos product(s) and version(s)

Sophos UTM

The UTM 9.6 release introduced a new unified RED firmware which, in some cases, causes RED 50 devices to apply a firmware image incorrectly. This has left devices unusable ('bricked').

Currently, the unified firmware will only be applied to installations with fewer than 20 RED devices configured.

Sophos is working on a full RCA and fix for this issue and will provide further updates as they become available.

Users who want to migrate to UTM 9.6 and are using RED 50 devices should take the following steps to avoid this issue:

  • Ensure that the RED 50 is offline before updating the appliance to 9.6.
  • Disconnect the RED 50 from the power outlet. It must not have an Internet connection while the update runs.
  • Once the update to 9.6 is complete, log in to the UTM command line and disable the unified firmware by running: cc set red use_unified_firmware 0
  • After the unified firmware has been disabled, the RED 50 can be reconnected. It will no longer pull the unified firmware and so is not affected by this issue.

Note: In cases where an RMA is needed, you should also disable the unified firmware prior to connecting the RMA device.

For any affected users, the current solution is to request an RMA for the impacted RED 50 unit(s).

This article will be updated when more information becomes available.

Advisory: Sophos UTM on AWS – Licensing issues after updating to 9.6 MR2 (Standalone/HA)

Customers may see an issue with their current license after updating to 9.6 MR2 on AWS (Standalone/HA/Auto-scaling).

Sophos UTM 9.6 MR 2 has introduced a new license limitation for UTM running on AWS for BYOL deployments. This new limit requires a license for at least 150 users and should only apply to new installations.

The following are the specific minimum user values:

  • Single = 150
  • HA standalone = 150
  • HA warm standby = 150
  • Auto-scaling = 250

However, the limit is also enforced on existing installations that update to UTM 9.602 from a previous version, which leads to the license error "The license doesn't meet the required minimum user limit".

This is currently expected to only affect customers running standalone UTM on AWS instances or HA instances converted from a standalone installation as these are using the regular Up2date mechanism. Sophos is working on getting this issue resolved.

Applies to the following Sophos product(s) and version(s)

UTM on AWS Marketplace

After updating to 9.6 MR2, the UTM will display an error message indicating the license does not meet the minimum user limit. The UTM will then operate with the base features until a new license has been uploaded.

“The license doesn’t meet the required minimum user limit”

Sophos is working on a fix to resolve this issue.

Customers who have already updated to UTM 9.6 MR2 and are experiencing this issue should contact the Sophos Customer Care team.

Customers who have not yet updated should wait until the fix has been released.

Affected customers can apply a temporary license that meets the minimum requirement of 150 users.

This article will be updated when more information becomes available.

Advisory: Sophos Central – Intermittent performance and login issues (North American region)

Some Central users in the North America region have reported slow or intermittently failing logins. Other functions within the Central Dashboard may also experience intermittent performance issues.

Applies to the following Sophos product(s) and version(s)

Sophos Central Admin

Sophos Central Enterprise Dashboard

Sophos Central Partner

Sophos Central Wireless

Sophos Central Email

On July 8th from 12:00 to 17:15 UTC, July 9th from 12:00 to 13:00 UTC, July 10th from 14:00 to 19:00 UTC, and from July 11th to the present, some Central users in the North America region have reported the following:

  • Intermittent failure to login to Central or slower than normal time to login
  • Some Central pages or sections intermittently failing to load
  • Central Email intermittent delays with delivery of email
  • Central Endpoint Policy delays (delivery of policy) and potential intermittent failure to install endpoints (endpoints cannot connect “The installer cannot connect to Sophos Central”)
  • General slowness and responsiveness within Central – North America region
  • This slowness can also be experienced for Partner or Enterprise dashboard and widgets if the customer or sub-estate data resides in the North America region.

Update – 07/11/2019

Central performance issues (North America region) have been seen on July 11th from 13:15 to 14:30 UTC.

Update – 07/10/2019

Central performance issues (North America region) was seen on July 10th from 14:00 to 19:00 UTC.

Update – 07/09/2019

Central performance issue (North America region) was seen again between 12:00 and 13:00 UTC (8-9am EDT).

Update – 07/08/2019

Central performance has returned to normal. We will continue to update this advisory if there are any additional spikes in performance issues.

Note: there is a related Central WIFI issue that is still active: Advisory: Issue with Wireless AP’s incorrectly shown as offline

If you have an issue logging in, please try again a few minutes later.

Sophos is actively working on resolving this issue with the highest priority.

This article will be updated when more information becomes available.
