ATP Exceptions is not working

Hi Alexandre,

Have you checked if IPS or Web Filtering is blocking the said URL? centos.brontocdn.com

Cheers,

Hi,

This is the type of message that we receive

So I believe that it's triggering ATP, only ?

Regards

Hello,

Other security features of SF might be also triggering the block/deny on the said URL such as IPS and Web filter. Kindly see logs of those modules and check if there's any hit on deny for this specific website.

Thanks!

Cheers,

For Intrusion Attack nothing ..

IPS

And Web Filter

Hello, 

Thanks for sharing this, On your Web Filter logs you may try to adjust time filter to Last10mins up to 4hours or on the search button on upper right you can directly type in centos.brontocdn.com and make sure logging is on in the firewall rule

I tested the link on my SF and it has been detected as Spyware and therefore blocked as per my Web Filter Rules: 

It seems the said link is a CDN link for CentOS. Could you clarify if this is detection is same on your end? and If your Web Filter rules also blocks this specific category? Also can you confirm what SFOS version you are running?

If you have tried testing this via Policy Tester which is under Log Viewer > Policy Test and produced the same result and believe that this is a legitimate website:

You may create an exception for this: docs.sophos.com/.../index.html

And also file this to SophosLabs for submission: support.sophos.com/.../filesubmission

Hope this helps. Thanks for your time and patience and thank you for choosing Sophos

Cheers,

Hello, 

Thanks for sharing this, On your Web Filter logs you may try to adjust time filter to Last10mins up to 4hours or on the search button on upper right you can directly type in centos.brontocdn.com and make sure logging is on in the firewall rule

I tested the link on my SF and it has been detected as Spyware and therefore blocked as per my Web Filter Rules: 

It seems the said link is a CDN link for CentOS. Could you clarify if this is detection is same on your end? and If your Web Filter rules also blocks this specific category? Also can you confirm what SFOS version you are running?

If you have tried testing this via Policy Tester which is under Log Viewer > Policy Test and produced the same result and believe that this is a legitimate website:

You may create an exception for this: docs.sophos.com/.../index.html

And also file this to SophosLabs for submission: support.sophos.com/.../filesubmission

Hope this helps. Thanks for your time and patience and thank you for choosing Sophos

Cheers,

Hello

Thanks for the info 

This is all records and the URL

So I'm using SFOS 19.5 GA

I tried with Policy Test

That's weird 

And I tried this too

But still the same ATP error throwing

Regards

Alexandre

So, there is something particularly "fishy" about that URL, if you visit https://intelix.sophos.com and run it through the URL, you will notice that it comes back as Spyware & Malware.  Labs is assessing what the core issue is here, but there is some obfuscated code there that would indicate something is off.  ATP is protecting you from accesing that site, and if you bypass it, Intercept X is going to flag it as "Hacking".

Ok I understand, but now my ATP is off because it is spamming with that block..
And with the exception, ATP is still throwing the block

My CentosVM are trying to update from this repos so I don't know what to do, maybe disable email notification for now

If you are reporting into Central, then you can eliminate the duplicate "email" notification by unchecking the Email alert in Administration > Log Settings > [Advanced Threat Protection]

May need to try a few alternatives for your CentOS until resolved.

Ok I'll do it
Thanks for the help