Sophos Web Security and Control Test Site
This test site contains pages classified by SophosLabs for the purpose of testing our web security and control products. Note that some pages are classified as potentially offensive or dangerous; however, the page content itself should be considered safe for viewing in all circumstances.
Sophos Sandstorm Test Files
These files enable testing and demos of Sophos Sandstorm on Sophos products enabled with Sandstorm. They are harmless files with active content that will trigger Sophos Sandstorm analysis.
SandStorm Test File 1
SandStorm Test File 2 (email only)
Sophos HIPS Test Files
These files enable testing and demos of the Sophos behavior protection (HIPS) feature for endpoint products. The executable is a harmless file that will trigger the behavior-based Sophos detection HPmal/Eicar-A.
Sophos HIPS Test (zip)
Sophos HIPS Test (exe)
Adult or Sexually Explicit
Includes sites for adult products including sex toys, CD-ROMs, and videos; child pornography and pedophilia (including the IWF list); adult services including video-conferencing, escort services, and strip clubs; erotic stories and textual descriptions of sexual acts; explicit cartoons and animation; online groups, including newsgroups and forums that are sexually explicit in nature; sexually-oriented or erotic sites with full or partial nudity; depictions or images of sexual acts, including with animals or inanimate objects used in a sexual manner; sexually exploitive or sexually violent text or graphics; bondage, fetishes, genital piercing; naturist sites that feature nudity; and erotic or fetish photography, which depicts nudity.
Note: We do not include sites regarding sexual health, breast cancer, or sexually transmitted diseases (except those with graphic examples).
Advertisements and Pop-ups
Includes sites of banner ad servers, sites with pop-up advertisements, and sites with known adware.
Note: Sophos's advanced categorization data uses the most current technical definition for Adware, and thus recognizes the difference between non-malicious adware, such as 'cookies' and more serious Spyware.
Alcohol or Tobacco
Includes sites that promote or distribute alcohol or tobacco products for free or for a charge.
Anonymizers
Includes sites that operate proxy services, or offer proxy software, with the specific intent of defeating security and control.
Arts
Includes sites for museums, galleries, artist sites (sculpture, photography, etc.), performing arts (theater, vaudeville, opera, symphonies, etc.), dance companies, studios, and training; book reviews and promotions; and variety magazines and poetry.
Blogs and Forums
Includes sites of weblogs (blogs), newsgroups, and opinion or discussion forums.
Business
Includes general business corporate web sites, international and multi-national large general business corporate sites, business associations, and basic business sites, such as FedEx, that enable organizations to manage their necessary daily business tasks.
Note: Business sites that fit more appropriately into another related category, such as Finance or Travel, will be categorized in those categories.
Call Home
Includes sites identified to be used for command & control servers (callhome, C2) by malware running on infected computers.
Chat
Includes sites of web-based chat and instant message servers.
Computing and Internet
Includes sites of reviews, information, buyer's guides of computers, computer parts and accessories, computer software and internet companies, industry news and magazines, and pay-to-surf sites.
Criminal Activity
Includes sites for advocating, instructing, or giving advice on performing illegal acts; tips on evading law enforcement; and lock-picking and burglary techniques.
Custom
Includes sites categorized for use with a custom policy. For example, you could set sites that you want to be always approved by adding them to your local classifications list, and setting their Risk class to Trusted and their Site category to Custom.
Downloads
Includes sites for downloadable (non-streaming) movie, video or sound clips; downloadable PDA software, including themes and graphics; freeware and shareware sites; personal storage or backup sites; and clip art, fonts and animated .gif pages.
Note: This category does not include update sites such as those for operating systems, anti-virus agents, or other business-critical programs.
Education
Includes sites for educational institutions, including pre-schools, elementary, secondary, and high schools and universities; educational sites at the pre-school, elementary, secondary, and high school and university levels; distance education and trade schools, including online courses; and online teacher resources (lesson plans, etc.).
Eicar
The Standard Anti-Virus Test File.
Entertainment
Includes sites about television, movies, music and video programming guides; online magazines and reviews of the entertainment industry; celebrity fan sites; broadcasting firms and technologies (satellite, cable, etc.); horoscopes; jokes, comics, comic books, comedians, or any site designed to be funny or satirical; online greeting cards; and amusement and theme park sites.
Fashion and Beauty
Includes sites of fashion or glamor magazines, online beauty products, and cosmetics.
Finance and Investment
Includes sites for stock quotes, stock tickers, and fund rates; online stock or equity trading; online banking and bill-pay services; investing advice or contacts for trading securities; money management or investment services or firms; general finances and companies that advise about finances; and accountancy, actuaries, banks, mortgages, and general insurance companies.
Food and Dining
Includes sites for recipes, cooking instruction and tips, food products, and wine advisors; restaurants, cafes, eateries, pubs, and bars; and food and drink magazines and reviews.
Gambling
Includes sites of online gambling or lottery web sites that invite the use of real or virtual money; information or advice for placing wagers, participating in lotteries, gambling, or running numbers; virtual casinos and offshore gambling ventures; sports picks and betting pools; and virtual sports and fantasy leagues that offer large rewards or request significant wagers.
Note: Casino, hotel, and resort sites that do not feature online gambling or provide gaming tips are categorized under Travel.
Games
Includes sites for game playing or downloading, game hosting or contest hosting, tips and advice on games or obtaining cheat codes ('cheatz'), and journals and magazines dedicated to online game playing.
Government
Includes sites for local, state, federal and international government sites, and government services, such as taxation, armed forces, customs bureaus, and emergency services.
Hacking and Computer Crime
Web pages that provide 'how-to' directions, or otherwise enable, fraud, crime, or malicious activity that is computer oriented. Web pages related to computer crime include malicious hacking information or tools that help individuals gain unauthorized access to computers and networks (root kits, kiddy scripts). Also included are other areas of electronic fraud such as dialer scams and illegal manipulation of electronic devices. Illegal software does not fall under this category; see 'Illegal Software'.
Health and Medicine
Includes sites for prescription medicines; medical information and reference about ailments, conditions, and drugs; general health, such as fitness and well-being; medical procedures, including elective and cosmetic surgery; dentistry, optometry, and other medical-related sites; general psychiatry and mental well-being sites; psychology, self-help books, and organizations; promoting self-healing of physical and mental abuses, ailments, and addictions; alternative and complementary therapies, including yoga, chiropractic, and cranio-sacral; and hospital and medical insurance sites.
Hobbies & Recreation
Includes sites for recreational pastimes, such as collecting, gardening, and kit airplanes; outdoor recreational activities, such as hiking, camping, and rock climbing; tips or trends focused on a specific art, craft, or technique; online publications on a specific pastime or recreational activity; online clubs, associations, or forums dedicated to a hobby; traditional games, such as board games and card games, and their enthusiasts; and animal and pet related sites, including breed-specific sites, training, shows, and humane societies sites.
Hosting Sites
Includes web sites that host business and individuals' web pages, for example GeoCities, earthlink.net, and AOL.
Illegal Drugs
Includes sites for recipes, instructions or kits for manufacturing or growing illicit substances for purposes other than industrial usage; glamorizing, encouraging, or instructing on the use of or masking the use of alcohol, tobacco, illegal drugs, or other substances that are illegal to minors; information on 'legal highs', including glue sniffing, misuse of prescription drugs, or abuse of other legal substances; distributing illegal drugs free or for a charge; and displaying, selling, or detailing the use of drug paraphernalia.
Infrastructure
Includes sites for content delivery networks, XML reference schemas, web analytics and statistics services, transaction servers, and corporate image servers.
Intimate Apparel and Swimwear
Includes sites for lingerie, negligee, and other intimate apparel modeling; swimwear modeling; models' fan pages; modeling information and agencies; and fitness models and sports celebrities sites.
Intolerance and Hate
Includes sites that advocate or incite degradation or attack of specified populations or institutions based on associations such as religion, race, nationality, gender, age, disability, or sexual orientation; sites that promote a political or social agenda that is supremacist in nature and exclusionary of others based on their race, religion, nationality, gender, age, disability, or sexual orientation; holocaust revisionist or denial sites and other revisionist sites that encourage hate; coercion or recruitment for membership in a gang or cult; militancy and extremist sites; and flagrantly insensitive or offensive material, including those with a lack of recognition or respect for opposing opinions and beliefs.
Note: We do not include news, historical, or press incidents that may include the above criteria (except in graphic examples).
For the purposes of this category, a gang is defined as: a group whose primary activities are the commission of felonious criminal acts, which has a common name or identifying sign or symbol, and whose members individually or collectively engage in criminal activity in the name of the group. A cult is defined as: a group whose followers have been deceptively and manipulatively recruited and retained through undue influence such that followers' personalities and behavior are altered; a group in which leadership is all-powerful, ideology is totalistic, and the will of the individual is subordinate to the group; and a group that sets itself outside of society.
Job Search and Career Development
Includes sites of employment agencies, contractors, job listings, career information, career searches, and career-networking groups.
Kid's Sites
Includes child-oriented sites and sites published by children.
Malware
Includes sites identified to be hosting malicious content, representing a significant security concern.
Motor Vehicles
Includes sites for car reviews, vehicle purchasing or sales tips, and parts catalogs; auto trading, photos, and discussion of vehicles including motorcycles, boats, cars, trucks, and RVs; journals and magazines on vehicle modification, repair, and customization; and online automotive enthusiast club sites.
News
Includes online newspapers, headline news sites, newswire services, personalized news services, and weather sites.
Peer-to-Peer
Includes peer-to-peer file sharing clients and peer-to-peer file sharing servers.
Personals and Dating
Includes singles listings, matchmaking and dating services, advice for dating or relationships, and romance tips and suggestions sites.
Philanthropic and Professional Organizations
Includes sites of philanthropic and charity organizations, environmental organizations, professional associations, labor unions, and social organizations.
Phishing or Fraud
Includes sites involved in phishing and telephone scams, service theft advice sites, and plagiarism and cheating sites, including the sale of research papers.
Photo Searches
Includes sites that provide resources for photography, image searches, online photo albums, digital photo exchanges, and image hosting.
Politics
Includes sites for political parties; political debate, canvassing, election information, and results; and conspiracy theory and alternative government view sites that are not hate-based.
Proxies and Translators
Includes sites for remote proxies or anonymous surfing, search engine caches that circumvent filtering, and web-based translation sites that circumvent filtering.
Real Estate
Includes sites for home, apartment, and land listings; rental or relocation services; tips on buying or selling a home; real estate agents; and home improvement sites.
Reference
Includes sites for personal, professional, or educational reference; online dictionaries, maps, and language translation sites; census, almanacs, and library catalogs; and topic-specific search engines.
Religion
Includes sites of churches, synagogues, and other houses of worship; any faith or religious belief sites, including non-traditional religions such as Wicca and witchcraft.
Reputation
Includes files identified by Sophos as having a low or medium reputation.
Ringtones and Mobile Phone Downloads
Includes sites of providers of mobile phone downloads, including ringtones, logos, backgrounds, screensavers, and games.
Search Engines
Includes general search engines, such as Yahoo, AltaVista, and Google.
Sex Education
Includes sites with pictures or text advocating the proper use of contraceptives; sites relating to discussion about the use of the pill, IUDs, and other types of contraceptives; and discussion sites on how to talk to your partner about diseases, pregnancy, and respecting boundaries.
Note: Not included in the category are commercial sites that sell sexual paraphernalia. These sites are typically found in the Adult category.
Shopping
Includes sites for department stores, retail stores, company catalogs, and other sites that allow online consumer shopping, sites for online auctions, online downloadable product warehouses, specialty items for sale, and freebies or merchandise giveaways.
Society and Culture
Includes sites on home life and family-related topics, including weddings, births and funerals; parenting tips and family planning; non-pornographic gay, lesbian, and bisexual issues; foreign cultures and socio-cultural information; and non-explicit tattoo and piercing parlors.
Spam URLs
Includes URLs found in spam, particularly on these topics: computing, finance and stocks, entertainment, games, health and medicine, humor and novelties, personal and dating, products and services, shopping, and travel.
Sports
Includes sites for team or conference web sites; national, international, college, professional scores and schedules; sports-related online magazines or newsletters; and fantasy sports and virtual sports leagues that are free or low-cost.
Spyware
Includes sites that provide or promote information gathering or tracking that is unknown to, or done without the explicit consent of, the end user or the organization, including sites that carry malicious executables or viruses, third party monitoring, and other unsolicited commercial software, spyware, and malware 'phone home' destinations.
Note: The technical definition of Spyware used for this category may not exactly match the definition used elsewhere by Sophos. This category focuses on filtering malicious and tracking content, not simply adware and cookies. For non-malicious adware filtering, please block the Advertisements and Pop-ups category.
Streaming Media
Includes sites for streaming media files or events (any live or archived audio or video file), Internet TV and radio, non-explicit personal webcam sites, telephony sites that allow users to make calls via the internet, and VoIP services.
Tasteless or Offensive
Includes sites that feature offensive or violent language, including through jokes, comics, or satire, and excessive use of profanity or obscene gesticulation.
Travel
Includes sites of airlines and flight booking agencies, accommodation information, travel package listings, city guides and tourist information, and car rentals.
Violence
Includes sites portraying, describing or advocating physical assault against humans, animals, or institutions; depicting torture, mutilation, gore, or horrific death; advocating, encouraging, or depicting self-endangerment, or suicide, including through eating disorders or addictions; instructions, recipes, or kits for making bombs or other harmful or destructive devices; sites promoting terrorism; and excessively violent sports or games, including videos and online games.
Note: We do not block news, historical, or press incidents that may include the above criteria, except those that include graphic examples.
Weapons
Includes sites with online purchasing or ordering information, including lists of prices and dealer locations; any page or site predominantly containing, or providing links to, content related to the sale of guns, weapons, ammunition or poisonous substances; displaying or detailing the use of guns, weapons, ammunition or poisonous substances; and clubs which offer training on machine guns, automatics, other assault weapons, and sniper training.
Note: Weapons are defined as something (as a club, knife, or gun) used to injure, defeat, or destroy.
Web-Based Email
Includes sites for web-based e-mail accounts and messaging sites.
Learn more about our web security and control products at our main sophos.com website.
Update: Microsoft released new security updates for Exchange Server on April 13th (CVE-2021-28480, 28481, 28482, and 28483). The updates address bugs reported to Microsoft by the NSA and are considered urgent fixes that should be addressed immediately.
On March 2nd, zero-day vulnerabilities affecting Microsoft Exchange were publicly disclosed. These vulnerabilities are being actively exploited in the wild by HAFNIUM, a threat actor believed to be a nation state.
What is HAFNIUM?
According to a CISA alert:
Microsoft has released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. A remote attacker can exploit three remote code execution vulnerabilities—CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065—to take control of an affected system and can exploit one vulnerability—CVE-2021-26855—to obtain access to sensitive information. These vulnerabilities are being actively exploited in the wild.
CISA also issued an emergency directive urging organizations to patch on-premises Exchange Servers and search their networks for indicators of attack.
For an overview of HAFNIUM, and advice on how you should respond, watch this short video from Mat Gangwer, the head of the Sophos Managed Threat Response (MTR) team.
For a deep dive into HAFNIUM and the steps you can take to address the threat, watch our recent webinar session:
For details of the Sophos protections against the exploitation of these vulnerabilities, click here.
UPDATE: Other threat actors are now taking advantage of the persistence established by Hafnium to conduct a range of attacks. One actor is installing a new ransomware variant called DearCry.
It is important to note that patching only protects your organization from being exploited by the vulnerabilities going forward. It does NOT ensure that an adversary has not already exploited the vulnerabilities.
What should you do?
1. Patch or disable
Patch all on-premises Microsoft Exchange servers in your environment with the relevant security update. Details can be found on Microsoft’s Exchange Team blog.
If you are unable to patch, implement an IIS Re-Write Rule and disable Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir services. Details can be found in the Microsoft Security Response Center blog.
Sophos recommends you back up Exchange IIS/Server logs before patching and updating.
2. Determine possible exposure
Download and run the Test-ProxyLogon.ps1 script provided by the Microsoft Customer Support Services team to determine possible exposure. Details on interpreting the results of this script can be found in this Microsoft article (a few paragraphs into the “Have I been compromised?” section).
It is important to note that even with the patches installed, this will not address the presence of any malicious web shells. It is for this reason we recommend the use of Microsoft’s script to identify affected servers and look for the presence of web shells.
Test-ProxyLogon.ps1 can output multiple .csv files per Exchange server, depending on what it finds. These .csv files can be viewed in a text editor or spreadsheet application.
The script will look for evidence of each vulnerability being abused, creating a .csv per CVE. It will also look for suspicious files (which may be web shells) which should be reviewed, and calculate how many days back in the logs it can identify potential abuse of the vulnerabilities.
Our most common observations are related to output for CVE-2021-26855.
Hosts that may have been exploited by CVE-2021-26855 will be listed in the file [HOSTNAME]-Cve-2021-26855.csv
The “ClientIpAddress” column will list the source IP addresses of potential attackers.
The “AnchorMailbox” column will list a path to various applications running on Exchange that may have been targeted. To reveal what actions may have been taken by the attacker, you will need to extract the relevant application from AnchorMailbox.
e.g. for “ServerInfo~a]@[REDACTED]:444/autodiscover/autodiscover.xml?#” the relevant application is /autodiscover/
To determine what actions were taken by the adversary, you will need to look at the logs in %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\{application}
e.g. %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\autodiscover
The “DateTime” column in [HOSTNAME]-Cve-2021-26855.csv will provide you with a timestamp when the potential exploitation took place, to use when referencing the log files.
3. Look for web shells or other suspicious .aspx files.
Web shells have been observed in the following directories:
- <volume>\inetpub\wwwroot\aspnet_client
- e.g. C:\inetpub\wwwroot\aspnet_client
- <volume>\inetpub\wwwroot\aspnet_client\system_web
- <exchange install path>\FrontEnd\HttpProxy\owa\auth
- e.g. C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
- <exchange install path>\FrontEnd\HttpProxy\owa\auth\Current
- <exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>
Common names for these web shells include:
- (8 random letters and numbers)
- Regex: [0-9a-zA-Z]{8}\.aspx
- aspnet_client.aspx
- aspnet_iisstart.aspx
- aspnet_www.aspx
- aspnettest.aspx
- discover.aspx
- document.aspx
- error.aspx
- errorcheck.aspx
- errorEE.aspx
- errorEEE.aspx
- errorEW.aspx
- errorFF.aspx
- healthcheck.aspx
- help.aspx
- HttpProxy.aspx
- Logout.aspx
- MultiUp.aspx
- one.aspx
- OutlookEN.aspx
- OutlookJP.aspx
- OutlookRU.aspx
- RedirSuiteServerProxy.aspx
- shell.aspx
- shellex.aspx
- supp0rt.aspx
- system_web.aspx
- t.aspx
- TimeoutLogout.aspx
- web.aspx
- xx.aspx
4. Query with Sophos EDR
If you are using Sophos EDR, you can leverage the following example queries to identify potential web shells to investigate, check the patch level of your servers, and look for suspicious commands from child processes of w3wp.exe (Microsoft’s IIS web server worker process, used by Exchange).
When reviewing the potential web shells identified by the queries, the web shell will typically appear inside an Exchange Offline Address Book (OAB) configuration file, in the ExternalUrl field. E.g.
5. Establish impact
Review process activity and command executions from the time the web shell was created, onwards. Investigate w3wp.exe (the IIS web server worker process) activity and any instances of csc.exe (the C# compiler) running as a child process. This should provide trailheads to establish impact. The following Sophos EDR Live Discover query will aid you in identifying activity of this nature.
How Sophos Managed Threat Response (MTR) can help
Threats such as HAFNIUM are a great example of the peace of mind you get knowing your organization is backed by an elite team of threat hunters and response experts.
When the HAFNIUM news broke, the Sophos MTR team immediately began to hunt and investigate in customer environments to determine if there was any activity related to the attack. Additionally, they also looked to uncover any new artifacts or IoCs related to the attack that could provide further protection for all Sophos customers.
The 24/7 nature of Sophos MTR meant that not a single second was wasted before the team got to work, ensuring our customers were protected.
SophosLabs has also published detections related to the known activity and IOCs related to the Exchange vulnerability. This is in addition to previous protections already in place to detect post-exploit activity.
Concerned about HAFNIUM? Contact Sophos MTR today to ensure that any potential adversarial activity in your environment is identified and neutralized.