Advanced Threat Protection triggering on alpha.isp-platform.com?

Devices in use: sg105, sg135, sg430

Firmware v9.505-4

Late yesterday all my UTMs started sending notification of attempts to contact a known malware C&C server. The advanced threat protection alert describes the attempted domain name as alpha.isp-platform.com. That DNS name translates to IP 192.81.134.54. Can anyone else corroborate this? I can not find any indication via web search that this is a malicious server. Is this a legitimate problem or a false positive by Sophos?

Thanks,

D

  • I get the same alerts in my Advanced Threat Protection log when attempting to access the site/just performing a DNS lookup for it.

    isp-platform.com
    drop
    21:31:35 DNS C2/Generic-A
    192.168.0.41

    alpha.isp-platform.com
    drop
    21:32:06 DNS C2/Generic-A
    192.168.0.41

    alpha.isp-platform.com
    drop
    21:32:09 DNS C2/Generic-A
    192.168.0.41

    alpha.isp-platform.com
    drop
    21:32:09 DNS C2/Generic-A
    192.168.0.41

    alpha.isp-platform.com
    drop
    21:32:09 DNS C2/Generic-A
    192.168.0.41

    alpha.isp-platform.com
    drop
    21:32:09 DNS C2/Generic-A
    192.168.0.41

    alpha.isp-platform.com
    drop
    21:32:14 DNS C2/Generic-A
    192.168.0.41


    I assume it is or has been dodgy in the past.

    From the Support page:
    https://secure2.sophos.com/en-us/support/contact-support.aspx

    Submit a sample -> Web address and then enter the details. The Labs can then provide more details.

    Regards,

    Jak
  • In reply to jak:

    Thanks for double checking Jak. I've got 3 domain controllers that keep trying to resolve it so the notifications are getting a bit spam-ish. I'll submit the server to the lab and see what comes of it before making any exceptions to the advanced threat protection.

    Thanks much,

    D

  • In reply to Donovan Valinske:

    Hi Donovan, and welcome to the UTM Community!

    You will want to check the DNS logs in those DCs to see which client machines are requesting name resolution for this.  I would run malware checks on each one, not the DCs.

    Cheers - Bob
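One way to do the check Bob suggests, as an added example and not code from anyone in this thread: when the UTM only sees the domain controllers' forwarded queries, the Windows DNS Server debug log on each DC (Debug Logging must be enabled in DNS Manager) records the original client IP next to the queried name. The sample log lines, their exact column layout, and the IP addresses other than those already in the thread are constructed for this example and may differ from what a particular Windows version writes.

```python
import re
from collections import Counter

# Constructed Windows DNS debug-log sample; not taken from the thread.
# Assumed layout: "<date> <time> <thread> PACKET <ptr> <proto> Rcv|Snd <peer ip> <xid> [R] Q [flags] <qtype> <name>"
# Names are written label by label, e.g. "(5)alpha(12)isp-platform(3)com(0)".
SAMPLE_LOG = """\
3/17/2016 9:31:35 PM 0E40 PACKET  000000D3A0A8E4A0 UDP Rcv 192.168.0.41    0002   Q [0001   D   NOERROR] A      (5)alpha(12)isp-platform(3)com(0)
3/17/2016 9:31:35 PM 0E40 PACKET  000000D3A0A8E4A0 UDP Snd 192.168.0.41    0002 R Q [8081   DR  NOERROR] A      (5)alpha(12)isp-platform(3)com(0)
3/17/2016 9:31:40 PM 0E40 PACKET  000000D3A0A8E4B8 UDP Rcv 192.168.0.57    0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/17/2016 9:32:06 PM 0E40 PACKET  000000D3A0A8E4C0 UDP Rcv 192.168.0.41    0004   Q [0001   D   NOERROR] A      (5)alpha(12)isp-platform(3)com(0)
3/17/2016 9:32:09 PM 0E40 PACKET  000000D3A0A8E4D0 UDP Rcv 192.168.0.122   0005   Q [0001   D   NOERROR] A      (5)alpha(12)isp-platform(3)com(0)
"""

# Captures direction, peer IP, whether the packet is a response ("R"), query type and encoded name.
LINE_RE = re.compile(
    r"\b(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<resp>R)?\s*Q\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<name>(?:\(\d+\)[^()\s]*)+)"
)


def decode_name(encoded: str) -> str:
    """Turn the "(5)alpha(12)isp-platform(3)com(0)" label form into "alpha.isp-platform.com"."""
    labels = [label for _, label in re.findall(r"\((\d+)\)([^()\s]*)", encoded) if label]
    return ".".join(labels).lower()


def clients_querying(log_text: str, domain: str) -> Counter:
    """Count received (Rcv) queries per client IP for the domain or any name under it.

    Responses the DC sends back (Snd / R) are skipped so each lookup is counted once."""
    domain = domain.lower().rstrip(".")
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dir") != "Rcv" or m.group("resp"):
            continue
        name = decode_name(m.group("name"))
        if name == domain or name.endswith("." + domain):
            hits[m.group("ip")] += 1
    return hits


if __name__ == "__main__":
    for ip, n in clients_querying(SAMPLE_LOG, "isp-platform.com").most_common():
        print(f"{ip}\t{n} queries")  # these are the hosts to run the malware checks on
```

Run it against each DC's dns.log with the alerted domain; the hosts it lists are the ones to scan, while the DCs themselves only appear in the UTM log because they forward the queries.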