
X-Ops seems not to be working on V21 GA?

Hi,

I moved to Version 21.0 GA (Home Edition) recently.

I noticed that in control panel, no events in the log or counters are logged that X-Ops is doing anything:

A configured third party threat list (abuseipdb.com) is working properly and blocks and reports in the logs.

X-Ops (formerly ATP) was enabled the whole time, even before upgrading from 20.0 MR2 to 21.0 GA, and my Home License includes it. Signatures are also updated regularly.



[edited by: Erick Jan at 12:08 AM (GMT -7) on 24 Oct 2024]
  • Hi,

    Thank you for reaching out to Sophos Community.

    Kindly check the following KB for troubleshooting

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • My thought would be that X-Ops is looking for much more severe threats than most third-party (crowd-sourced) lists. Also, X-Ops is not blocking probes to your VPN (if you're running that service on the WAN) because there are so many sites probing various ports, which you can see in Appliance Access rejections most of the time. (And these sites are constantly changing.) But if you happen to be running VPN on the WAN and your third-party list happens to have an IP of a site that happens to be probing VPN ports, you'll see blocks that didn't appear before.

    (In other words, third-party lists will have more false positives and can have a very broad definition of what should be blocked. For example, one person discovers one malware file on a site and they can submit it to a crowd-sourced site and if you're using that list you may see blocks that have nothing to do with that file. And a third-party block list blocks things like VPN access that would otherwise be blocked by the VPN credentials failure.)

    As a concrete example, the FireHOL L3 IP list includes an IP for githubusercontent. Sure enough, some folks may have malware there, but to block it completely is extremely broad! It's triggering on my system because I have an open source program that gets its updates that way. It's sort of like blocking all of Gmail because you got spam from a Gmail address. FireHOL is a reputable source, but free third-party sources will suffer from this kind of thing.

  • SophosLabs is providing data for X-Ops, and it is more for internal detection. So: is a client infected and trying to reach a C2 server, etc.

    Third-party feeds are looking more at the entire stack (is someone, I know, simply port scanning me?).

    Using ATP / X-Ops to block port scanning would increase alert fatigue. People should react to X-Ops alerts quickly, and a port scanner on the internet is totally normal and happens on a daily basis.
