

An attempt to communicate with a botnet or command and control server has been detected.

Hi,

Can Sophos please advise on how to troubleshoot this kind of error?

This alert comes to administrators/clients and looks severe.

When you click "show more info" in Central, there is no more info.

When you go in the XG or XGS to Advanced Threat Protection, most of the time there is no mention of a botnet, and in most cases the threat IP is 8.8.8.8.

Please advise on how we troubleshoot this kind of error.

  • A process tries to resolve the name of a malicious server (or tries to resolve an unknown server and gets back the IP of a malicious server).
    Sophos blocks this attempt.

    No problem if this is a single event.
    But the same event every 20 min, 2 hours or daily ... you should investigate.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hello Ioannis, and welcome to the UTM Community!

    Please insert a picture of the warning you receive.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    My point is that since I am receiving an alert like this, and the client receives a copy of this alert, I need to be able to trace it to the exact source. The current alerting does not lead to the source of the alert.

    Please suggest the correct path to troubleshoot this kind of alert, from the alert to the device in my network that triggered it.

  • If 192.168.254.92 is a DNS server, you should check in the DNS server's debug logs which client is requesting the IP 208.100.26.245. Then analyze the client for compromise.

    If 192.168.254.92 is a client computer, this machine should be checked for compromise / malware.

    Also check the IPS logs.

    On UTM we often notice ATP alerts like the above, and in IPS you can find the exact URL requested by a client.

    www.abuseipdb.com/.../208.100.26.245
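A worked example of the correlation described in the reply above (from the resolver's logs back to the client that asked), combined with the "same event every 20 min, 2 hours or daily" check Dirk suggested earlier in the thread. This is added example code, not from the original thread and not Sophos' own tooling. It assumes, which the thread does not state, that the internal DNS server (192.168.254.92 in the reply) logs queries in a BIND-style querylog format and that a name-to-address list (an answer log or cache dump) exists for the same period. Both log excerpts, the client addresses 192.168.254.50/.77/.91 and the domain names in them are constructed sample data; the threat IP 208.100.26.245 is the one named in the reply.

```python
"""Trace an ATP threat IP back to the internal client(s) that looked it up.

Added example, not Sophos code. Assumes (not stated in the thread):
  * the internal DNS server logs queries in BIND-style querylog format;
  * a name -> address list (answer log / cache dump) exists for the same period.
The two log excerpts below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

THREAT_IP = "208.100.26.245"  # the address named in the ATP alert under discussion

# Constructed sample: query log of the internal resolver (192.168.254.92 in the thread).
QUERY_LOG = """\
12-Mar-2024 09:00:01.123 client 192.168.254.50#51234: query: www.example.com IN A +
12-Mar-2024 09:00:05.200 client 192.168.254.77#40001: query: updates.bad-example.net IN A +
12-Mar-2024 09:20:05.410 client 192.168.254.77#40002: query: updates.bad-example.net IN A +
12-Mar-2024 09:40:05.377 client 192.168.254.77#40003: query: updates.bad-example.net IN A +
12-Mar-2024 10:00:05.402 client 192.168.254.77#40004: query: updates.bad-example.net IN A +
12-Mar-2024 10:15:33.900 client 192.168.254.91#55123: query: cdn.bad-example.net IN A +
"""

# Constructed sample: name -> address answers seen by the resolver in the same period.
ANSWER_LOG = """\
www.example.com A 93.184.216.34
updates.bad-example.net A 208.100.26.245
cdn.bad-example.net A 208.100.26.245
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)"
)


def names_resolving_to(answer_log, ip):
    """Names whose A record pointed at the threat IP (the alert only gives the IP)."""
    names = set()
    for line in answer_log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "A" and parts[2] == ip:
            names.add(parts[0].lower())
    return names


def parse_queries(query_log):
    """Yield (timestamp, client_ip, queried_name) for each parsable query-log line."""
    for line in query_log.splitlines():
        m = QUERY_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            yield ts, m["client"], m["name"].lower()


def clients_for_threat_ip(query_log, answer_log, ip):
    """Map each internal client to the timestamps at which it looked up a suspect name."""
    suspect = names_resolving_to(answer_log, ip)
    hits = defaultdict(list)
    for ts, client, name in parse_queries(query_log):
        if name in suspect:
            hits[client].append(ts)
    return dict(hits)


def beacon_interval(timestamps, tolerance=timedelta(seconds=30)):
    """Median gap between lookups if they are evenly spaced (3+ events), else None.

    Evenly spaced repeats (every 20 min, 2 h, daily) are the beacon-like pattern
    that justifies pulling the client for analysis; a one-off lookup does not.
    """
    if len(timestamps) < 3:
        return None
    ordered = sorted(timestamps)
    gaps = sorted(b - a for a, b in zip(ordered, ordered[1:]))
    median = gaps[len(gaps) // 2]
    return median if all(abs(g - median) <= tolerance for g in gaps) else None


def triage(query_log, answer_log, ip):
    """Per-client summary: number of suspect lookups and the beacon interval in minutes."""
    report = {}
    for client, stamps in clients_for_threat_ip(query_log, answer_log, ip).items():
        interval = beacon_interval(stamps)
        report[client] = {
            "lookups": len(stamps),
            "interval_minutes": interval.total_seconds() / 60 if interval else None,
        }
    return report


if __name__ == "__main__":
    for client, info in sorted(triage(QUERY_LOG, ANSWER_LOG, THREAT_IP).items()):
        flag = "PERIODIC - investigate" if info["interval_minutes"] else "single event"
        print(f"{client}: {info['lookups']} lookup(s), {flag}")
```

On the sample data, 192.168.254.77 resolves a name pointing at the threat IP every 20 minutes and is the machine to pull for malware analysis; 192.168.254.91 made a single lookup, which on its own is the "no problem if this is a single event" case. The alert only carries the destination IP, which is why the answer log is needed to recover the queried name before the query log can be searched by client.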