Getting enterprise Sophos working with Little Snitch

General discussions about Little Snitch
davebailey
Posts: 2
Joined: Thu Jan 11, 2018 5:47 pm

Getting enterprise Sophos working with Little Snitch

Postby davebailey » Thu Jan 11, 2018 6:04 pm

I ran into a vexing problem that took me some time to solve and I didn't see anyone else had solved it, so I post my solution here.

BACKGROUND: The enterprise version comes with a host web proxy that intermediates all web requests called "SophosWebIntelligence.bundle". Enterprise Sophos runs using a separate account that it creates during installation called "_sophos". Little Snitch doesn't allow you to make rules for other users. Somehow certain connections were getting denied that showed an X over the Little Snitch icon even when I had no deny rules in my user's configuration, and removing and reinstalling Little Snitch had no impact to the problem.

RESOLUTION: I ended up having to run the Little Snitch Configuration tool as the _sophos user to fix the problem. As most enterprise malware teams aren't enthusiastic to either let you uninstall their tool or share configuration passwords, you can't fix this unless you have local admin privileges and can type a few console commands.

1. Open the Terminal.

Lots of ways to do this. Probably the fastest that's easily describable is Command-Space > type Terminal > hit return

2. Get to a command line as the _sophos user.

username$ sudo -u _sophos bash
Type in your password.

3. Launch the Little Snitch Configuration tool from the command line, without using the "open" command which always opens an application as the currently logged in user, instead of the command line user you may be sudoed into.

bash-3.2$ /Applications/Little\ Snitch\ Configuration.app/Contents/MacOS/Little\ Snitch\ Configuration


At this point, you can create the Little Snitch configuration rules for the Sophos user, such as allowing all or selected SophosWebIntelligence.bundle traffic.

Hope this helps!

06nH
Posts: 1
Joined: Sat Jan 27, 2018 10:41 pm

Re: Getting enterprise Sophos working with Little Snitch

Postby 06nH » Sat Jan 27, 2018 10:42 pm

This solves everything - I can use Little Snitch again. Thanks for sharing this. Big help!

Doctor X
Posts: 4
Joined: Sat Nov 18, 2017 7:23 am

Re: Getting enterprise Sophos working with Little Snitch

Postby Doctor X » Tue Jan 30, 2018 11:19 pm

Yay!

Was driving myself nuts for a day on what was going wrong.

To make life easier for those lacking t3h sk1lz like moi:

    1. QUIT Little Snitch completely.
    2. Run davebailey's Terminal command
    3. Open a browser with pages that have been blocked: oddly enough, for me it was only the very unpopular obscure sites like Youtube and Wikipedia :|
    4. Now when Little Snitch Configuration opens you will see, in your list, SophosWebIntelligence.bundle blocking a number of IPs.

That will make it easier. You can over-ride them all with "Allow Any Connection."

When you edit, I clicked OFF the "Until Logged In" and it worked.

--J.D.

idf
Posts: 3
Joined: Mon Apr 27, 2009 6:34 pm

Re: Getting enterprise Sophos working with Little Snitch

Postby idf » Mon Sep 10, 2018 8:00 pm

Just a note to say thanks for this. I had managed to get SophosEventMonitor.bundle blocked by accident but couldn't see a rule to delete.


Return to “Little Snitch General”

Who is online

Users browsing this forum: No registered users and 2 guests