Massive ATP Alerts? AFCD/iptables IP 93.184.221.240

Me too, massive alerts from dozens of UTM

Hello,

also here on machines with pattern 160216.

Looks like a false positiv, because the IP is used for Windows-updates...

https://www.virustotal.com/#/ip-address/93.184.221.240

Same here on our UTM.

All started after the following;

Installing up2date package: /var/up2date/aptp/u2d-aptp-9.32631-32632.patch.tgz.gpg

Edit:

Also getting the following IP's now;

72.21.80.5 and 72.21.80.6

192.229.254.5 and 192.229.254.6

Sometimes I think security products are more something like Snake Oil... "We just think, we are super secure"...

all customers with sg got this ATP message!!!

I'm fairly sure this is related to Windows updates. I have 2 UTMs reporting the same 
Threat name....: C2/Generic-A

My patterns are at: 160216 I have 2 pending firmware updates.

2019:04:04-16:02:27 h******er-utm named[4500]: rpz: client 192.168.*.5#52967 (ctldl.windowsupdate.com): view default: rpz IP NXDOMAIN rewrite cs11.wpc.v0cdn.net via 32.240.221.184.93.rpz-ip.rpz

Same alarms here (from many computers) . Seems to affect many users out there. The post has hos several hundred views within a few minutes.

Any response from Sophos?

Yep here too!

Started at precisely 16:05 CEST today and is still trickling in slowly, even though everybody else have gone home...

UTM version: 9.601-5
Pattern version: 160221

EDIT: Located in Denmark, Europe

We are seeing the same.

Firmware version: 9.601-5
Pattern version: 160222

Where is everyone located? The 93.184.221.240 IP address that was posted is in the UK it looks like.  Is this affecting Europe via Windows Update? I'm in Eastern Canada and haven't received anything.

Regards,

Josh