Any experience with an excessive number of ThunderVPN hits?

The issue is under review of Sophos Labs. 

Thank you.  There was a pattern update this AM to 18.18.58 but it didn't seem to address this.  Please keep us up to date.

You need to perform both on the advanced Shell. Option 5 / 3. 

I've got a pcap file and the output from the conntrak command.  How can I get them to you?

You can send me a PM.

I have the same problem. Every day 2-3K blocked connections due to ThunderVPN but I don't have this software installed on any device. The connected devices are an iPhone. Please help.  

Hi folks,

there appears to be some progress on this issue, while still seeing thundervpn in the daily report and the GUI, I am also seeing NTP  as being reported correctly in the daily reports.

The daily reports usually take at least 24 hours to catchup. I will investigate further.

Ian

Let me know what you did differently, I'm not seeing any dramatic improvement.  When I used the App rule to block level 5 (which I do) I see tens of thousands of Thunder VPN (Port 123) block exceptions every day.    I'm at 18.18.60.  So much that it impairs a number of IoT devices that depend on this.  I had to put a Thunder VPN App allow rule in to stabilize my system.  Would be REALLY NICE to see Sophos fix this.   Thanks

Those pattern are created by Sophos Labs. Therefore it is currently under investigation. If you have a pcap (Packet capture) of this NTP traffic, feel free to submit this: support.sophos.com/.../filesubmission

Hi,

I spoke too soon, today's report shows thundervpn thundering along and ump 123 back to unclassified. The interesting thing about this is on  my system it only affects the apple devices. The NTP server has its own rule and that traffic is not classified as thundervpn. I suppose I could disabled the IPS on the internal rules to remove the incorrect reporting.

Ian

The really stupid thing is not all NTP traffic is classified as thundervpn.

LuCar Toni - I sent you a PM on 10/6 with a pcap attached as well as a conntrak that captures this traffic.  Did you not get my PM?

I forwarded this pcap to Labs. But they have to analyze the traffic and find the root cause. More pcaps submitted by the process above would be helpful to find the pattern. 

I forwarded this pcap to Labs. But they have to analyze the traffic and find the root cause. More pcaps submitted by the process above would be helpful to find the pattern. 

I see, ok.  I submitted last night the same pcap and conntrak files at the file submission link you shared above.  It created a case (04501211).  Over night it was looked at and closed.  The comments for each file were "not detect-worthy" ... and the overall comment was "This means that after investigation and analysis of the file SophosLabs has come up to a result that the sample submitted is not malicious, not showing any malicious behaviour and properties."

I don't know what else to do here.  I opened a support case on this issue earlier in October.  After about 4 days I finally talked to a tech and he went down the workaround route for the issue for the time being, which I have done.  That case (04447658) was then closed.

It seems pretty straightforward here to me.  Someone at Sophos Labs needs to go back and see what changes were made in the 18.18.56 IPS/App signatures on 9/23 and roll them back with respect to NTP traffic on UDP/123 and Thunder VPN.  Why someone would blanket presume that well known UDP port 123 NTP traffic was Thunder VPN is beyond me.  I have multiple client devices on my network unable to get NTP updates with this issue present.  I have Apple products, I have Microsoft products, I have other IoT devices, I have Hikvision security cameras.  Heck, I can reproduce this AT WILL with my Apple MacBook Pro laptop.  There is no Thunder VPN in my network.  My Hikvision cameras do not have Thunder VPN on them.  But yet all ~35 endpoints on my network can't get NTP updates with this IPS/App filter post 18.18.56.

Feel free to take these two case numbers back internally and see what else you can do.  I appreciate the help as I don't know what else I can as a support paying Sophos XG customer.  But I'll tell you, this support experience (frankly it's my first real one) isn't leaving me with a positive impression.

Did you create a Submission or a Application Control Submission?
BTW: ThunderVPN uses Port 123 to connect. It is a cheap way to hide behind port based app controls. 

I submitted it as "Application Control" ... was that incorrect?  Should I choose "Sample File" instead?  Thanks for the added info on how Thunder VPN uses ports.