Almost all of our customer UTMs did generate an ATP alert for IP Address 126.96.36.199. It starts around 16:00 (I received ~7 alert mails per UTM)
Was there a pattern update? False positive? Any info about that?
Me too, massive alerts from dozens of UTM
Also here on machines with pattern 160216.
Looks like a false positive, because the IP is used for Windows-updates...
Same here on our UTM.
All started after the following;
Installing up2date package: /var/up2date/aptp/u2d-aptp-9.32631-32632.patch.tgz.gpg
Also getting the following IPs now;
188.8.131.52 and 184.108.40.206
220.127.116.11 and 18.104.22.168
Sometimes I think security products are more something like Snake Oil... "We just think, we are super secure"...
All customers with SG got this ATP message!!!
In reply to Crag:
I'm fairly sure this is related to Windows updates. I have 2 UTMs reporting the same Threat name....: C2/Generic-A
My patterns are at: 160216. I have 2 pending firmware updates.
2019:04:04-16:02:27 h******er-utm named: rpz: client 192.168.*.5#52967 (ctldl.windowsupdate.com): view default: rpz IP NXDOMAIN rewrite cs11.wpc.v0cdn.net via 22.214.171.124.93.rpz-ip.rpz
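For triaging alerts like the ones reported in this thread, the following added example (not from the original posts or from Sophos) parses `named` RPZ log lines in the format quoted above and decodes the `rpz-ip` trigger, which BIND writes as the prefix length followed by the IPv4 octets in reverse order, back into the blocked network. The sample lines are constructed and use documentation addresses; only IPv4 `rpz IP` rewrites are handled.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the format of the log line quoted in the thread.
# Addresses come from documentation ranges (RFC 5737), not from the thread.
SAMPLE_LOG = """\
2019:04:04-16:02:27 utm named: rpz: client 192.0.2.5#52967 (ctldl.windowsupdate.com): view default: rpz IP NXDOMAIN rewrite cdn.example.net via 32.10.113.0.203.rpz-ip.rpz
2019:04:04-16:03:01 utm named: rpz: client 192.0.2.9#40112 (ctldl.windowsupdate.com): view default: rpz IP NXDOMAIN rewrite cdn.example.net via 32.10.113.0.203.rpz-ip.rpz
2019:04:04-16:04:44 utm named: rpz: client 192.0.2.5#51000 (updates.example.org): view default: rpz IP NXDOMAIN rewrite edge.example.org via 24.0.100.51.198.rpz-ip.rpz
2019:04:04-16:05:10 utm named: client 192.0.2.5#51001 (example.com): query: example.com IN A
"""

RPZ_LINE = re.compile(
    r"named: rpz: client (?P<client>[^#\s]+)#\d+ \((?P<qname>[^)]+)\): "
    r"view \S+: rpz IP (?P<action>\S+) rewrite (?P<target>\S+) "
    r"via (?P<trigger>\S+)$"
)
IPV4_TRIGGER = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.(\d+)\.rpz-ip\.")


def decode_rpz_ip(trigger):
    """Decode an IPv4 rpz-ip owner name into the network it matches, or None."""
    m = IPV4_TRIGGER.match(trigger)
    if not m:
        return None
    prefix, b4, b3, b2, b1 = m.groups()  # octets are stored in reverse order
    try:
        return ipaddress.ip_network(f"{b1}.{b2}.{b3}.{b4}/{prefix}", strict=False)
    except ValueError:  # octet > 255 or prefix > 32: not a valid trigger
        return None


def summarize(log_text):
    """Group RPZ IP rewrites as {blocked network: {queried name: [clients]}}."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = RPZ_LINE.search(line)
        if not m:
            continue  # not an RPZ IP rewrite line
        net = decode_rpz_ip(m["trigger"])
        key = str(net) if net else m["trigger"]  # keep the raw trigger if undecodable
        hits[key][m["qname"]].add(m["client"])
    return {k: {q: sorted(c) for q, c in v.items()} for k, v in hits.items()}


if __name__ == "__main__":
    for network, names in summarize(SAMPLE_LOG).items():
        print(network, names)
```

Many clients hitting one blocked network through a well-known update hostname, as in the grouping this produces, is the pattern that points to a pattern false positive rather than a single infected host.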
Same alarms here (from many computers). Seems to affect many users out there. The post has had several hundred views within a few minutes.
Any response from Sophos?
Yep here too!
Started at precisely 16:05 CEST today and is still trickling in slowly, even though everybody else has gone home...
UTM version: 9.601-5
Pattern version: 160221
EDIT: Located in Denmark, Europe
We are seeing the same.
Firmware version: 9.601-5
Pattern version: 160222
In reply to Marcus Lively:
Where is everyone located? The 126.96.36.199 IP address that was posted is in the UK it looks like. Is this affecting Europe via Windows Update? I'm in Eastern Canada and haven't received anything.
In reply to Joshua Van Buskirk:
We have checked from our end and have determined that it is a false positive. We are working on this issue and should be fixed with the next available pattern update.
In reply to Aditya Patel:
Sophos has updated the pattern version and the IP should no longer be blocked. Customers are requested to perform a manual pattern update to verify this.
More info available in the published advisory article.
In reply to FloSupport:
This had me checking for a while. Appreciate the fast response and appreciate the users of the forum coming on here straight away to report.
Many thanks to the OP for the clear thread title too.
Thank you for the update and link to the relevant advisory article.
We also experienced this issue for approximately 2 hours on 4th April 2019 (3.15pm - 5.25pm GMT).
Good work on a prompt resolution.