SonicWall warns web content filtering is broken on Windows 11 22H2


Security hardware manufacturer SonicWall warned customers today of what it describes as a “limitation” of the web content filtering (WCF) feature on Windows 11, version 22H2 systems.

SonicWall’s Capture Client is the company’s Windows and macOS security solution with Endpoint Detection & Response (EDR) capabilities that can be managed using the company’s Cloud Management Console service.

The WCF feature allows admins to configure policies that allow or block access to various domains/IP addresses, enable web activity reporting for easier monitoring, and throttle bandwidth.

“We have identified an inconsistency in Capture Client Windows 3.7.6 and older clients on endpoints running Windows 11 version 22H2,” the company said in an advisory published on Wednesday.

“This results in Web Content Filtering (WCF) policies that enforce blocked categories to be no longer effective on impacted endpoints. The ability to allow or block domains/URLs using custom lists continues to function normally.”

Since category-based blocking (used to restrict access to inappropriate, illegal, or malicious web content) is broken, Windows 11 22H2 users can open websites and domains under previously blocked URL categories, exposing themselves and their enterprise environment to potential risks.

[Image: SonicWall Web Content Filtering UI (SonicWall)]

The feature breaks because Capture Client relies on Microsoft’s Cryptographic Application Programming Interface (CryptoAPI) to encrypt and decrypt the requests and responses exchanged between Windows endpoints and the SonicWall Content Filtering Service.

However, as SonicWall further explains, “in Windows 11 version 22H2, Microsoft CryptoAPIs have been modified, making Capture Client unable to decrypt responses from the SonicWall Content Filtering Service.”

The company says it is working on a fix for this issue, which will be made available with the release of Capture Client 3.7.7 for Windows on February 17th.

SonicWall also provides a workaround: admins should not upgrade Windows endpoints in their environment to Windows 11 version 22H2, the release that breaks content filtering.

“As a temporary workaround, we recommend endpoints running Windows 11 not be upgraded to version 22H2 until Capture Client 3.7.7 for Windows is available,” SonicWall said.
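One way to scope the advisory against an endpoint inventory, as an added example that is not from SonicWall or the original article: it flags Windows 11 22H2 hosts (build 22621) still on a Capture Client older than 3.7.7 and marks older Windows 11 hosts whose upgrade should be held. The CSV columns, hostnames and status labels are assumptions constructed for illustration.

```python
import csv
import io

WIN11_FIRST_BUILD = 22000   # Windows 11 21H2; lower builds are Windows 10
WIN11_22H2_BUILD = 22621    # Windows 11, version 22H2
FIXED_CLIENT = (3, 7, 7)    # release the advisory names as carrying the fix

# Constructed inventory. Column names and hosts are assumptions for this
# example, not a SonicWall export format.
SAMPLE_INVENTORY = """hostname,os_family,os_version,capture_client
fin-lt-01,windows,10.0.22621.1105,3.7.6
fin-lt-02,windows,10.0.22000.1455,3.7.6
eng-ws-07,windows,10.0.19045.2486,3.7.5
eng-ws-09,windows,10.0.22621.1105,3.7.7
hr-lt-03,windows,10.0.22621.963,3.7.2.4
mac-dev-1,macos,13.2,3.7.6
"""

def parse_version(text):
    """Turn '3.7.2.4' into (3, 7, 2, 4) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(row):
    """Return a status label (labels are this example's own)."""
    if row["os_family"].strip().lower() != "windows":
        return "not-applicable"          # advisory covers the Windows client only
    if parse_version(row["capture_client"]) >= FIXED_CLIENT:
        return "fixed"
    # Match on the build number: the "22H2" label alone is ambiguous because
    # Windows 10 also has a 22H2 release (build 19045).
    build = parse_version(row["os_version"])[2]
    if build == WIN11_22H2_BUILD:
        return "affected"                # category blocking not enforced
    if WIN11_FIRST_BUILD <= build < WIN11_22H2_BUILD:
        return "hold-upgrade"            # workaround: stay off 22H2 until 3.7.7
    return "not-in-advisory"

def triage(csv_text):
    """Map hostname -> status for every row of the inventory."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: classify(row) for row in reader}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Hosts reported as affected still honour custom allow/block lists, so those lists remain enforceable until the client is updated.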

Source: BleepingComputer