[HIGH] Alert for Sophos Central [WRET CORP]: A malware outbreak was detected (False Positive)

Question

Apr 10, 2023 12:25 PM 
 
 'https://142.251.16.132/' blocked due to category 'Advertisements & Pop-Ups'

What happened: We made more than 100 detections in 24 hours. 
 Where it happened: WRET1675 
 A couple of weeks ago I made a change to allow a couple of websites as excluded in our Global Policy. I also made an exception to allow the category of proxy websites in Sophos Central Endpoint Protection -> Policies -> Base Web Control. 
 I changed only what I needed to and didn't touch any other settings and now I keep getting dozens of alerts per machine of information alerts whenever websites are blocked on the web. Once these informational alerts exceeded 100 on a machine I got a malware outbreak alert email. How can I stop these informational alerts from appearing in the dozens per device?

Qoosh · Answer

Hi Marvin , 
 Thanks for reaching out to the Sophos Community Forum. 
 The only way to prevent an information alert from being generated would be to reclassify the detected IP address so that it&rsquo;s part of an "Allowed" category though this may not be ideal. 
 I'd suggest using the developer tools option (F12) in the web browser to view the "Network" tab. This will allow you to see what is being loaded into the webpage when the detected IP address is accessed. If you find that the elements which are being loaded into the browser related to the IPs are acceptable, it may be ok to reclassify the IP address. This can be done via "Website Management" in Sophos Central. 
 Performing a quick check online, this appears to be related to Google Ads

[HIGH] Alert for Sophos Central [WRET CORP]: A malware outbreak was detected (False Positive)

Top Replies