
v21 Third Party Feeds

Hey all

With v21 accepting third party feeds I was hoping to ingest the CTIS data from the ACSC, but it's in STIX format and v21 only supports the one-IoC-per-line format.

I have found a couple of IP Lists to pull threat data from to add.

TorNodes for all Tor-related IPs, and TALOS also has a feed (both have about 1200-1500 IPs). I can share the URLs if needed, but the forum blocks me if I post them :-0

What other feeds do you have or are looking to add?



[edited by: Erick Jan at 12:24 AM (GMT -7) on 23 Oct 2024]
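The STIX-to-flat-list gap described in the opening post can be bridged with a small converter. The following is an added example, not code from Sophos, the ACSC or the original poster. It assumes the v21 importer reads a plain text file with one indicator per line; whether it also accepts CIDR notation is an assumption to check against the release notes. The bundle embedded in it is constructed for the example and is not real CTIS data.

```python
"""Flatten a STIX 2.x indicator bundle into the one-IoC-per-line text format.

Added example, not code from Sophos or the ACSC. Assumes the importer takes a
plain text file with one indicator per line; whether it accepts CIDR ranges as
well as single addresses is an assumption to check against the release notes.
"""
import ipaddress
import json
import re

# Constructed sample bundle in STIX 2.1 shape (not real CTIS data).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--6ba7b810-9dad-11d1-80b4-00c04fd430c8",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5']"},
        {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.0/24'] OR [ipv4-addr:value = '203.0.113.5']"},
        {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'bad.example']"},
        {"type": "indicator", "id": "indicator--4", "pattern_type": "stix",
         "pattern": "[ipv6-addr:value = '2001:db8::1']"},
        # Revoked indicator: must not be imported.
        {"type": "indicator", "id": "indicator--5", "pattern_type": "stix",
         "revoked": True, "pattern": "[ipv4-addr:value = '192.0.2.99']"},
        # Port-qualified observation: a flat IP list cannot express it, so it is
        # skipped rather than silently widened to "block the whole address".
        {"type": "indicator", "id": "indicator--6", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.10' AND network-traffic:dst_port = 4444]"},
        {"type": "malware", "id": "malware--1", "name": "constructed"},
    ],
})

# One STIX comparison expression: <object-path> <operator> '<constant>'.
COMPARISON = re.compile(
    r"([a-z0-9-]+(?::[a-z0-9_.-]+)+)\s*"
    r"(!=|=|LIKE|MATCHES|ISSUBSET|ISSUPERSET|>=|<=|>|<)\s*"
    r"'((?:[^'\\]|\\.)*)'"
)
# Anything other than OR-joined equality tests on an address is out of scope.
UNSUPPORTED = re.compile(r"\b(AND|NOT|FOLLOWEDBY|REPEATS|WITHIN|START|STOP)\b")
ADDRESS_PATHS = {
    "ipv4-addr:value": "ipv4",
    "ipv6-addr:value": "ipv6",
    "domain-name:value": "domain",
}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def pattern_values(pattern):
    """Return {kind: [value, ...]} for a pattern made only of OR-joined address
    equality tests, or None if it carries constraints a flat list cannot keep."""
    if UNSUPPORTED.search(pattern):
        return None
    comps = COMPARISON.findall(pattern)
    if not comps:
        return None
    found = {}
    for path, op, value in comps:
        kind = ADDRESS_PATHS.get(path)
        if kind is None or op != "=":
            return None
        found.setdefault(kind, []).append(value)
    return found


def normalise(kind, value):
    """Validate one value; return its canonical form, or None if malformed."""
    if kind in ("ipv4", "ipv6"):
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return None
        if net.version != (4 if kind == "ipv4" else 6):
            return None
        # Single hosts are written bare; ranges keep their prefix length.
        return str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen
    value = value.lower().rstrip(".")
    return value if DOMAIN_RE.match(value) else None


def bundle_to_iocs(bundle_json):
    """Extract de-duplicated IoCs per kind and count what was left out."""
    out = {"ipv4": set(), "ipv6": set(), "domain": set()}
    skipped = malformed = 0
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        # STIX 2.0 indicators have no pattern_type; treat them as STIX patterns.
        if obj.get("revoked") or obj.get("pattern_type", "stix") != "stix":
            skipped += 1
            continue
        values = pattern_values(obj.get("pattern", ""))
        if values is None:
            skipped += 1
            continue
        for kind, vals in values.items():
            for v in vals:
                canon = normalise(kind, v)
                if canon is None:
                    malformed += 1
                else:
                    out[kind].add(canon)
    result = {k: sorted(v) for k, v in out.items()}
    result["skipped"] = skipped
    result["malformed"] = malformed
    return result


def feed_text(iocs, kinds=("ipv4",)):
    """Render the chosen kinds as the one-IoC-per-line file the importer expects."""
    return "\n".join(v for k in kinds for v in iocs[k]) + "\n"


if __name__ == "__main__":
    iocs = bundle_to_iocs(SAMPLE_BUNDLE)
    print(feed_text(iocs), end="")
    print(f"# skipped {iocs['skipped']} indicators, {iocs['malformed']} malformed values")
```

The conservative choice here is deliberate: an indicator whose pattern is qualified by a port, an AND, or a temporal operator is dropped rather than reduced to its bare address, because importing it as a plain IP would turn a narrow indicator into a broad block and feed exactly the false-positive problem discussed further down the thread.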
  • After testing TF a while I think this is a good feature, focusing on the needs of the user.

    Right now we're having some trouble with DNS requests made by browsers to random IPs from AWS, Google and Cloudflare that are on a threat list. These are mostly false positives, but impossible to exclude because of ever-changing IPs.

    This will not be an issue for regular web surfing clients.

    But most of the computers here have Intercept-X heartbeat and as soon as they hit such a Threat Feed, it is synced to Central which then flags the Computer with red health, requiring an admin to "fix" this in Central.

    As these were all false positives (many more than on the screenshot below), we needed to change the feed from block to monitor only.

    So my questions here are:

    Are there plans from Sophos to enable exclusions for a detection like "DNS"? Currently you can only exclude IPs.

    Are there plans to be able to make exclusions based on feed? Right now an exclusion is for all feeds, including the Sophos-managed feeds.
    That way we could block all IPs from the Feed list inbound facing only the firewall WAN for bruteforce (User, SSL, VPN Portal etc) while allowing outbound user traffic.


  • We have some plans to improve this. I would still recommend customers to be careful with those lists. The lists and databases are most of the time full of false positives or not very well maintained entries, leading to F-P disasters.


  • I've turned it off for the moment, but as you say you have to be careful re the lists.

  • I had an issue with not being able to reach a certain website, so instead of putting its IP in I was able to put the domain in. Would that work for your scenario above?

  • I complained about this early on and the Sophos team working on this chose to contact me and are aware of the issue.

    From my viewpoint, the issue is that they historically had their internal list of outgoing IPs that they had confirmed were C&C or other very bad sites. If one of your machines was reaching out to those sites, there was a high likelihood that the machine was a compromised beachhead that was trying to expand. So if there was an outgoing hit, alarm bells go off and you receive severe warnings, which are appropriate. And it seems that the third-party feature just opened up this system to other lists, but of course those lists are not curated to only include confirmed C&C or other very bad sites, and those lists are not as stringently maintained.

    So an outgoing hit to a website like "githubusercontent" triggers a full-blown melt-down. The third-party list includes that broad site because some malware is no doubt staged from there, but of course the vast, vast majority of content is totally legit.

    My suggestion was like yours: differentiate between lists and allow a downgrading of external lists so they can act in some way but not in the nothing/major-crises binary mode that the internal list requires.

    In my small-time case, an exception list where I could exclude addresses like those belonging to GitHub user content could also be very helpful. (For example, a LOT of computer/network documentation is hosted there, and several programs I use look for updates there.) I don't think we can fight the third parties to not do overly-broad things like including GitHub in their lists, since many of them are crowd-sourced.
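Since the thread notes that an SFOS exclusion applies to every feed at once, the practical alternative for a site that depends on hosts like GitHub user content is to filter a third-party feed against its own allowlist before the file reaches the firewall. The following is an added example, not Sophos code or the commenter's; the feed, the allowlist range and the domain suffix in it are constructed values for illustration, and the range used for GitHub is an assumption to replace with the ranges the provider actually publishes.

```python
"""Pre-filter a one-IoC-per-line feed against a site allowlist before import.

Added example, not Sophos code. Because an SFOS exclusion applies to every
feed (per the thread), entries known to be benign for this site are dropped
before the file reaches the firewall. Allowlist values are assumed examples;
maintain your own from the ranges your CDNs and vendors publish.
"""
import ipaddress
import re

# Constructed sample feed (not a real threat feed).
RAW_FEED = """\
# comment lines and blanks are ignored
203.0.113.7
198.51.100.0/24
10.0.0.5
185.199.108.133
raw.githubusercontent.com
bad.example

not an indicator
"""

# Example allowlist: one CDN-style range and one domain suffix (assumed values).
ALLOW_CIDRS = ["185.199.108.0/22"]
ALLOW_DOMAIN_SUFFIXES = ["githubusercontent.com"]

# Addresses that should never appear in a WAN block list. The RFC 5737
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) are left out
# deliberately so the constructed sample can use them.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def _overlaps(net, nets):
    """True if net shares any address with one of nets (same IP version only)."""
    return any(net.version == o.version and net.overlaps(o) for o in nets)


def classify(entry, allow_nets, allow_suffixes):
    """Return (canonical_entry, reason); reason is None when the entry is kept."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None
    if net is not None:
        canon = str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen
        if _overlaps(net, BOGONS):
            return canon, "non-routable"
        # Any overlap is dropped: a feed /16 that swallows an allowlisted /22
        # is the false-positive case the thread describes, not a partial match.
        if _overlaps(net, allow_nets):
            return canon, "overlaps-allowlist"
        return canon, None
    name = entry.lower().rstrip(".")
    if not DOMAIN_RE.match(name):
        return entry, "unparseable"
    if any(name == s or name.endswith("." + s) for s in allow_suffixes):
        return name, "allowlisted-domain"
    return name, None


def filter_feed(raw, allow_cidrs=ALLOW_CIDRS, allow_suffixes=ALLOW_DOMAIN_SUFFIXES):
    """Split a raw feed into (kept, dropped); dropped is a list of (entry, reason)."""
    allow_nets = [ipaddress.ip_network(c) for c in allow_cidrs]
    suffixes = [s.lower().strip(".") for s in allow_suffixes]
    kept, dropped, seen = [], [], set()
    for line in raw.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        canon, reason = classify(entry, allow_nets, suffixes)
        if reason is not None:
            dropped.append((canon, reason))
        elif canon not in seen:
            seen.add(canon)
            kept.append(canon)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_feed(RAW_FEED)
    for entry, reason in dropped:
        print(f"# drop {entry}: {reason}")
    print("\n".join(kept))
```

What this cannot do is resolve the ever-changing CDN addresses the earlier reply complains about: an IP that belongs to AWS, Google or Cloudflare today only gets dropped if the operator keeps ALLOW_CIDRS current from those providers' published ranges, which is a maintenance decision rather than something the script can infer from the feed itself.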

  • Overall that is one of the approaches we are looking into.

    ATR (3rd Party Lists) injects its list into the ATP. This means the ATP will use all its tools (like turning the EP red, etc.).

    To rework this, there is a lot of work to be done.

    I was kinda surprised by the adoption by customers and home users, who started to import "everything" they could find. This is kinda the opposite of what this feature is supposed to do: it should be used to enhance the already existing Sophos Labs lists IF needed.
    But customers and home users started to look out for "every list" they could find and imported everything, leading to a lot of F-P, and then complaining about this "to Sophos", which we cannot "fix".


  • import "everything" they could find

    :-)

    Yes, it can be seen above also. It can be dangerous in corporate use, but I think it's absolutely OK for home use.

  • About home use, I am wondering: this feature is something people like in other products for home setups, like *sense products for example. But I have the feeling home users forget the point about the SFOS sources:
    SFOS is always equipped with Sophos Labs. Sophos Labs updates the XOPS lists and keeps them curated.
    Other products do not have this; they rely completely on open-source lists.


  • Agreed. I think there are two populations here:

    1. Corporate/large sites, which are going to want to be careful and which may have a budget to subscribe to high-quality third-party feeds.

    2. Home/small users who figure Sophos is very conservative to avoid FPs so maybe I can add a site that's a bit less conservative to catch a bit more. Also, we don't have the resources to pay for third-party feeds, so we're looking for free which means crowd-sourced.

    It's possible that a larger entity might have the attitude of the smaller group, "It can't hurt to cast a wider net" says management.

    It's mainly the mixture of the mechanism that Sophos said "This is the most severe thing that can happen on your network and is almost surely a sign of an ongoing attack that has partially succeeded" and inputs that were not developed with those criteria in mind.

    I get that it's logically simple but coding-wise very difficult. I run into that all the time in my line of work. Something simple to describe can be nearly impossible to change -- given the environment and previous history/requirements that led to the existing code.