"High Risk Website Blocked" by Endpoint protection

Since Tuesday my Sophos Portal at xxx.dns.army:443 is classified by the latest Endpoint protection as "high risk website" and I cannot log in. Website protection is not even turned on in the endpoint.

This is rather annoying; the portal of the UTM should never be flagged as high risk.

  • Hello Andreas Wolter,

    website protection is not even turned on
    you say that Sophos (which version) on an endpoint (which OS) is blocking this URL even though Web Protection is disabled?

    I'm not sure what your question actually is (and whether you have one). High risk website is just the caption, and the URL you've posted is likely not the actual URL. And anyway Endpoint can't tell it's your UTM's portal.

    Christian

  • In reply to QC:

    I did not ask a question, I gave feedback. And High risk website is not just a caption, it is a block: the site does not load and I assume it is because of the dns.army domain (which is provided by a dyndnsV6 provider, and sure I did not post my real domain here). Nothing changed in the settings of the client or the firewall, so I can only assume it was due to some pattern updates.

    I do not host anything on this domain besides the portal for VPN so it is highly unlikely that my subdomain has landed on a blacklist and blocking something like dyndns.org seems absurd.

  • In reply to Andreas Wolter:

    Hello Andreas Wolter,

    I'm not Sophos, just to make sure, and I just assumed you want a solution that's why I've asked what the question could be.
    When I said caption I referred to the fact that there is additional text with a detection name like Mal/HTMLGen-A or JS/DwnLdr-QQO.

    I still don't understand the feedback part or what Sophos should (could) do with it. It's likely updates and you could call them pattern updates; from your description I assume (but can't confirm) that the URL or the IP got listed. How this came about (and whether or not Sophos has done something absurd) is impossible to say without the details.

    Christian

  • In reply to QC:

    Christian, as far as I understood, this is the community feedback part of the forum.

    As for the caption, it was just a small pop-up in the lower right corner, it said nothing about what kind of threat.

    I reinstalled an old version of endpoint protection, blocked the updates and it does not behave like that.

    As for the "absurd"... since I am not hosting anything besides my Sophos portal (which I really doubt is a high risk website), I must assume that the whole domain got blocked. I could understand blocking a subdomain, but surely not the whole domain of a dyndns provider.

    And as far as I read, this "problem" pops up every once in a while. In this case it happened to my private connection, but what should I tell my customers when it happens to theirs?

    "I know your business depends on it but wait a few days till I sort it out with Sophos"?!

    Next license renewal around they will rather choose something else.