This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Does Intercept X also block connections to Botnets?

Today our Sophos firewall Advanced Threat Protection rule was triggered by an attempt to connect to a Botnet. The internal IP was an IPhone 10 connected to the protected WIFI guest network trying to connect to an external IP address that triggered the Sophos firewall.

The employee said he was trying to open a whatsapp video on his private IPhone and forwarding it which didn't work. I warned him that his phone was trying to connect to an IP address associated with a RF domain/company and also comes up as associated with Stuckworm. I advised him to update his IOS to 17.4 and download Intercept X free. Company policy is to use IPhones because it used to be more safe.

We do not manage private phones and allow limited protocol connections to the internet using a protected closed off WIFI guest network while they are in the office.

My question is this: would Intercept X have detected this attempt to connect to a Botnet? Our Firewall did. But what if he uses 5G or his home WIFI? 

Anyone familiar with how watching a video in whatsapp can be misused? I've not witnessed it myself so I have to take his word for it that this was what triggered our firewall. It seems more lickely he clicked a link he received. 

Will try to get him to let me have have a look at his phone tomorrow :-;



This thread was automatically locked due to age.
  • Hello Fred,

    Thank you for reaching out to the community forum.

    Yes, our Sophos Intercept X for mobile will be able to detect this, provided they set up the Threat defense after installation on his device. However, since it was free, It will only be promoted to his phone and not in your manage dashboard. 

    Refer to this documentation related to our free version of Intercept X mobile.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thanks, I was not sure about the operation of Intercept X on Mobile devices.

    It turns out it wasn't a whatsapp video but a website where the user tried to login to confirm an appointment. This failed due to the firewall detecting the russian botnet server. The next day when I tried the website with him the firwall did not detect the russian botnet server anymore so the website admins must have detected the website compromise and removed it.