[HIGH] Alert for Sophos Central [WRET CORP]: A malware outbreak was detected (False Positive)

Apr 10, 2023 12:25 PM
'https://142.251.16.132/' blocked due to category 'Advertisements & Pop-Ups'

What happened: We made more than 100 detections in 24 hours.

Where it happened: WRET1675

A couple of weeks ago I made a change to allow a couple of websites as excluded in our Global Policy. I also made an exception to allow the category of proxy websites in Sophos Central Endpoint Protection -> Policies -> Base Web Control.

I changed only what I needed to and didn't touch any other settings, and now I keep getting dozens of informational alerts per machine whenever websites are blocked on the web. Once these informational alerts exceeded 100 on a machine I got a malware outbreak alert email. How can I stop these informational alerts from appearing in the dozens per device?

[edited by: Gladys at 4:58 AM (GMT -7) on 12 Apr 2023]
Hi Marvin,

Thanks for reaching out to the Sophos Community Forum.

The only way to prevent an information alert from being generated would be to reclassify the detected IP address so that it's part of an "Allowed" category, though this may not be ideal.

I'd suggest using the developer tools option (F12) in the web browser to view the "Network" tab. This will allow you to see what is being loaded into the webpage when the detected IP address is accessed. If you find that the elements which are being loaded into the browser related to the IPs are acceptable, it may be ok to reclassify the IP address. This can be done via "Website Management" in Sophos Central.

Performing a quick check online, this appears to be related to Google Ads.

Kushal Lakhan
Team Lead, Global Community Support
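A triage script, added here as an example and not Sophos's own tooling, that applies the numbers from this thread: it counts web-control blocks per device in a sliding 24-hour window, flags devices past the 100-detection mark that escalated to the outbreak alert, and reports which URL and category dominate so the admin knows what to inspect (F12 Network tab) before reclassifying anything in Website Management. The tab-separated event line format and the sample events are constructed assumptions, not a Sophos Central export.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# From the thread: more than 100 detections on one device in 24h escalated
# informational web-control blocks into a malware outbreak alert.
OUTBREAK_THRESHOLD = 100
WINDOW = timedelta(hours=24)

# Constructed sample events (not a Sophos export; the tab-separated layout is
# an assumption): ISO timestamp, device, blocked URL, web-control category.
SAMPLE_EVENTS = "\n".join(
    [f"2023-04-10T{h:02d}:{m:02d}:00\tWRET1675\thttps://142.251.16.132/\t"
     "Advertisements & Pop-Ups" for h in range(24) for m in (0, 10, 20, 30, 40)]
    + ["2023-04-10T09:00:00\tWRET1675\thttps://proxy.example.invalid/\tProxies",
       "2023-04-10T09:05:00\tWRET1680\thttps://142.251.16.132/\tAdvertisements & Pop-Ups"]
)


def parse_events(text):
    """Return time-sorted (timestamp, device, url, category) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return sorted(events)


def devices_over_threshold(events):
    """Map device -> peak block count in any sliding 24h window, for devices past the threshold."""
    windows = defaultdict(deque)
    peak = Counter()
    for ts, device, _url, _cat in events:          # events are time-sorted
        win = windows[device]
        win.append(ts)
        while ts - win[0] >= WINDOW:               # drop blocks older than 24h
            win.popleft()
        peak[device] = max(peak[device], len(win))
    return {d: n for d, n in peak.items() if n > OUTBREAK_THRESHOLD}


def top_noise(events, device):
    """(url, category, count) behind most blocks on a device: the one to inspect first."""
    counts = Counter((url, cat) for _ts, dev, url, cat in events if dev == device)
    (url, cat), n = counts.most_common(1)[0]
    return url, cat, n


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for dev, n in devices_over_threshold(evs).items():
        print(dev, n, "blocks in 24h; top source:", top_noise(evs, dev))
```

On the constructed sample this reports WRET1675 at 121 blocks in one 24-hour window, 120 of them from the single ad-serving address, which is the pattern that turns a policy change into an outbreak alert.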