Antivirus and Security Software from Sophos

Whitelisting the Sophos domain to enable automatic sample submission

Issue
The automatic sample submission feature, part of Sophos Online Scanning, allows samples of malware and suspicious files to be sent to Sophos Labs for analysis and considerably speeds up the logistics of this process. However, if clients access the Internet through a security proxy with AV features, the upload may be blocked as suspicious even though the uploaded data is encrypted.

Technical background
If automatic sample submission is enabled and the SXL response requires a sample of the file that triggered the detection, the file is packaged into an encrypted envelope and uploaded via HTTP POST to an address crafted as follows:

http://<cachebuster_random_string>.<hash_of_the_file>.5.samples.sophosxl.net/<filename>

where

  • <cachebuster_random_string> is a randomly generated string that prevents a cached DNS response from being used
  • <hash_of_the_file> is a hash of the file being uploaded
  • <filename> is the hash of the file again

What to do

To avoid the upload being blocked as suspicious, you must ensure that the proxy always allows access to the domain samples.sophosxl.net. How to do this varies considerably with the type of software or device used.

As an example, the steps to configure the Sophos Web Security Appliance (WSA) this way are given below.

1. Log in to the WSA
2. Click on Configuration
3. Select Group Policy -> Local Site List
4. Click on the Add Site button
5. Enter "samples.sophosxl.net" in the text field
6. Select the checkbox to override the risk class and set the dropdown to "Trusted"
7. Click Save
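
On other proxies, the upload hostname always carries the random and hash labels in front of samples.sophosxl.net, so an allow rule has to match the domain and all its subdomains, not one exact host. The following is an added example, not Sophos code: it shows a dot-anchored suffix check and uses it to find denied uploads in proxy logs. The log format (client, method, URL, action) and the sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_SUFFIX = "samples.sophosxl.net"  # domain named in this article


def is_sample_upload_host(host: str) -> bool:
    """True if host is samples.sophosxl.net or any subdomain of it."""
    host = host.rstrip(".").lower()
    # Anchor on a leading dot so look-alike names do not match.
    return host == ALLOWED_SUFFIX or host.endswith("." + ALLOWED_SUFFIX)


def blocked_uploads(log_lines):
    """Return URLs of POSTs to the sample domain that the proxy denied.

    Assumed (constructed) log format: '<client_ip> <METHOD> <url> <ACTION>'.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed format
        _client, method, url, action = parts
        host = urlsplit(url).hostname or ""
        if method == "POST" and action == "DENIED" and is_sample_upload_host(host):
            hits.append(url)
    return hits


# Constructed sample log lines; hashes and random labels are made up.
SAMPLE_LOG = [
    "10.0.0.5 POST http://k3j9x.0123abcd.5.samples.sophosxl.net/0123abcd DENIED",
    "10.0.0.6 POST http://q8w2z.89ef4567.5.samples.sophosxl.net/89ef4567 ALLOWED",
    "10.0.0.7 POST http://samples.sophosxl.net.example.org/x DENIED",
    "10.0.0.8 POST http://notsamples.sophosxl.net/x DENIED",
    "10.0.0.9 GET http://example.com/ ALLOWED",
]

if __name__ == "__main__":
    for url in blocked_uploads(SAMPLE_LOG):
        print("blocked sample upload:", url)
```

Any URL this reports after the allow rule is in place means the rule is not matching the full generated hostname.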

If you need more information or assistance, please contact technical support.