
Threat warnings but no internal sources listed - confused

Hi folks,

A little confused.  I keep getting warnings for threat detection:

Advanced Threat Protection


A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.


Details about the alert:


Threat name....: C2/Virut-A

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Virut-A.aspx

Time...........: 2017-07-12 04:37:24

Traffic blocked: yes

Source IP address or host: 54.84.67.222       


System Version     : Sophos UTM 9.501-5


When I check in my logs to see what internal host is communicating I see nothing but external reported - how is this happening and how can I track and kill off whatever is happening here?

Would appreciate any insight or advice!


Thanks

Chris



  • ATP does not provide the logs that I would expect. I think on the few occasions that I have had an ATP alert, the IPS logs were the most helpful, and they are usually short. Also use the log search tool to look for that IP address in the webfilter logs.

    The alert CAN mean that a PC is infected and UTM detected that it was trying to connect to a command and control site.  If this is the case, the PC needs to be taken off the network

    It can also mean that the user browsed to an infected website, the website had embedded content which silently tried to connect to a hostile site, which UTM blocked, and therefore the PC is unaffected.

    It can also mean that the PC performed a DNS lookup on a *.TK domain name, which UTM considers high risk, for good reason. UTM blocks the lookup so that your PC never connects to the possibly-hostile IP address associated with that name. Again, UTM blocks the lookup so your PC is unaffected.

  • Thank you, I'll dig deeper in the other logs!

  • You are right, something is requesting a DNS lookup to my local DNS server which is then going out to an external DNS to resolve it and the UTM shuts it down. Pointers on how I can track the initial DNS request though, that has me stumped.

    Thank you for pointing me in the right direction with the log file, now I'm at least onto something!

  • Hi, Chris, and welcome to the UTM Community!

    Do you have anything in DNS 'Allowed Networks' other than the "Internal (Network)" object?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA