
TCP-Over-DNS Traffic Evasion Application Detection

Hello, we are getting a lot of alerts on our Palo Alto Firewall that say "TCP-Over-DNS Traffic Evasion Application Detection".

The reason I'm asking this here is the firewall is saying the traffic is coming from Sophos-live-protection.

I was hoping someone would know if the Sophos Central Endpoints send TCP Packets over DNS?  If it does, then we can ignore these alerts.

Thanks for your help



  • Hi Shawn, 
     
    Our product uses ports 80 and 443 for the client-server communication. In the above-mentioned scenario I suspect there is a proxy application running on the machine, which could possibly be the reason for the alerts. Could you also check the system for any application that communicates over TCP 53? If you suspect the issue is with our AV, please disable the AV and try again with the same applications installed.
     
    Haridoss S

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support


  • Haridoss,

     

    Thanks for your response!  I opened a ticket with your support and they provided this from the documentation.  Thanks again for your help.

    See the below information on Sophos Live Protection:

    How does it work?

    LiveProtection will perform a lookup for any file it suspects of being malware; the following events will trigger a lookup:

    • Whenever a file is added to the endpoint’s quarantine manager.
    • Whenever reported internally by the anti-malware engine that a file is deemed suitably suspicious.
    • Whenever reported internally by the anti-malware engine that a file is to be checked against an allow list defined by SophosLabs. (The allow list is maintained by SophosLabs and contains a list of common and system files which the product should cache to improve performance.)

    Lookups - further information

    LiveProtection performs a lookup to ensure the most up to date protection as new information could have been discovered about the file since the last time it was scanned.

    Lookups contain a limited amount of information and are designed to help SophosLabs analysts to package up specific malware related information (such as function bytes or other properties required) to increase accuracy of detections.

    Lookups are performed over DNS, and the average endpoint performs a large number of lookups per day depending on the level of activity. During scheduled and on-demand scans the number will increase, as all files on the system will be accessed, which triggers an increased number of lookups compared to normal operations.
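Since the lookups described above are DNS queries with long, hash-like labels, a firewall's tunnel heuristic will flag them. The script below is an added triage example (not from the thread, Sophos, or Palo Alto) that runs over constructed DNS query log lines, separates queries to the vendor's lookup domain from other tunnel-like names, and reports whether a source's alerts are fully accounted for by the AV client. The lookup domain, the thresholds, and the log format are assumptions.

```python
import re
from collections import Counter, defaultdict

# Placeholder for the vendor's cloud-lookup DNS domain (assumption, not from
# the thread); set it to the domain the vendor documents for Live Protection.
LOOKUP_DOMAIN = "livelookup.example-av.invalid"

# Heuristic thresholds for "tunnel-like" names: long or hex-looking labels.
MAX_LABEL_LEN = 24
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)

# Constructed DNS query log, one "src_ip qtype qname" per line.
SAMPLE_LOG = """\
10.0.0.5 TXT 3fa85f64a1b2c3d4e5f60718293a4b5c.livelookup.example-av.invalid
10.0.0.5 TXT 9c1d7e2f0a3b4c5d6e7f8091a2b3c4d5.livelookup.example-av.invalid
10.0.0.5 A   www.example.com
10.0.0.9 TXT dGhpcyBpcyBub3QgYSBub3JtYWwgbmFtZQ.unknown-tunnel.invalid
10.0.0.9 NULL 0000111122223333444455556666777788889999.unknown-tunnel.invalid
10.0.0.9 A   mail.example.com
"""

def classify(qname):
    """Label a query name: vendor lookup, tunnel-like, or ordinary."""
    name = qname.rstrip(".").lower()
    if name == LOOKUP_DOMAIN or name.endswith("." + LOOKUP_DOMAIN):
        return "vendor-lookup"
    labels = name.split(".")
    if any(len(l) > MAX_LABEL_LEN or HEX_LABEL.match(l) for l in labels):
        return "tunnel-like"
    return "ordinary"

def triage(log_text):
    """Per source IP, count query names by class."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        src, _qtype, qname = parts
        summary[src][classify(qname)] += 1
    return summary

def explained_by_vendor_lookups(summary, src):
    """True when every tunnel-like query from src went to the lookup domain,
    i.e. the firewall's alert for that host is attributable to the AV client."""
    counts = summary.get(src, Counter())
    return counts["vendor-lookup"] > 0 and counts["tunnel-like"] == 0

if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for src in sorted(s):
        verdict = "explained" if explained_by_vendor_lookups(s, src) else "investigate"
        print(src, dict(s[src]), verdict)
```

Hosts reported as "investigate" still have long-label queries to domains other than the vendor's, so those alerts should not be suppressed by a blanket exception.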