
Block a particular user?

I know this should be obvious, but what's the best way to block a user until they clean up their computer?

We've got a user at address 192.168.0.143 with multiple threats showing in Advanced Threat Protection, such as:

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

This is a user on a guest wifi network connected to an SG 135.

Presumably I could block based on IP address; how would I do that?

But even if I did that, couldn't the user just change their IP address?

Could I block based on MAC address, and if so, how would I do that?

Thanks, Martin



This thread was automatically locked due to age.
  • Hi Martin, 

    I would recommend disconnecting the system from the network completely and executing a full scan with antivirus software to clean the system.

    Thanks,

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • sachingurung said:

    Hi Martin, 

    I would recommend disconnecting the system from the network completely and executing a full scan with antivirus software to clean the system.

    Thanks,

    Not that simple, unfortunately; it's a device on a guest wifi subnet, and guests come and go.

    This is what the Sophos UTM should do:

    1. Click on a device and click “Block”.

    2. It should then present the user with a message saying why it was blocked.

    3. It should block the device by MAC address so the user can't change their IP address, or someone else gets that IP address in future.

    4. When the user does a complete clean-up, then it should be possible to one-click unblock it.

  • This request is not as simple as it seems, Martin. Certainly, you can create a MAC Address object for the device and create a rule like 'Guest (Network) -> Any -> Any : Drop if from {MAC}'. If you're also allowing the guest network to use Web Filtering, you will want to ask a similar question in that forum.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob, I'll have a go at that this week :)
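
Added example, not part of the thread and not Sophos code: the MAC-based drop rule Bob describes, together with the one-step unblock Martin asks for, written for a generic Linux gateway that filters with iptables. The interface name `wlan-guest` and the MAC address are constructed, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: quarantine a guest device by MAC on a generic Linux gateway.
# Assumptions (not from the thread): iptables with the "mac" match module,
# guest clients arrive on $GUEST_IF, and the MAC below is a constructed sample.

GUEST_IF="${GUEST_IF:-wlan-guest}"   # hypothetical guest interface name
DRY_RUN="${DRY_RUN:-1}"              # 1 = print the command, 0 = execute it

# Normalise a MAC to upper-case colon form; return 1 for anything that is
# not exactly six two-digit hex groups (for example an IP address).
normalise_mac() {
    mac=$(printf '%s' "$1" | tr 'a-f-' 'A-F:')
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Build (or run) the rule. $1 is -I to insert the drop at the top of FORWARD,
# or -D to delete the same rule again; $2 is the device MAC.
mac_rule() {
    action=$1
    mac=$(normalise_mac "$2") || { echo "invalid MAC: $2" >&2; return 1; }
    set -- iptables "$action" FORWARD -i "$GUEST_IF" \
        -m mac --mac-source "$mac" -j DROP
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

block_mac()   { mac_rule -I "$1"; }   # drop everything forwarded from this MAC
unblock_mac() { mac_rule -D "$1"; }   # remove the drop once the device is clean

# Demo with a constructed MAC; in dry-run mode this only prints the commands.
block_mac "00-1a-2b-3c-4d-5e"
unblock_mac "00:1A:2B:3C:4D:5E"
```

The match is on the source MAC the gateway sees on the wire, so it only applies to clients on the same layer-2 segment as the filtering interface.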