ATP Exceptions is not working

Question

Hello everyone, I have a problem with two FW (one on Azure, one XG) 
 We have a lot of detections like this (ATP)

We saw that this URL centos.brontocdn.com is legit and it's an official Centos Repo. I allowed it here :

But both FW are still throwing the ATP detections.. And we are spam by email 
 
 Maybe I'm doing it wrong ? Thanks for the help Regards 
 Alexandre

Matthew Ritchie · Answer

So, there is something particularly "fishy" about that URL, if you visit https://intelix.sophos.com and run it through the URL, you will notice that it comes back as Spyware & Malware. Labs is assessing what the core issue is here, but there is some obfuscated code there that would indicate something is off. ATP is protecting you from accesing that site, and if you bypass it, Intercept X is going to flag it as "Hacking".

Matthew Ritchie · Answer

So Firewall and Endpoint are doing exactly what they should, they are protecting you from a potential breach situation. This site has likely been compromised, and you should avoid using it until certain it is clear. You can verify this by running it through https://intelix.sophos.com 
 centos.brontocdn.com - SiteCheck (sucuri.net) 
 Multiple other vendors all flagged this as compromised, and Sophos Firewall is preventing your access to it.

Michael Dunn · Answer

The site "brontocdn.com" is considered bad by ATP. ATP has multiple enforcement points - web proxy, DNS, and IPS. ATP exceptions have some non-obvious rules about left side wildcarding, and it might actually be different for the different enforcement points. If you also add a Threat Exception for "brontocdn.com" I suspect it will start working. That being said - you are taking a risk by accessing a known bad site. Some googling: https://doublepulsar.com/magecart-new-tactics-leading-to-massive-unreported-fraud-5211c9883dea

ATP Exceptions is not working

Top Replies