• ATP C2/Generic-A Cloudflare 188.114.97.3 ?

    Timo Bergmann
    Good evening, is there anything to this that makes Sophos classify the IP 188.114.97.3 as malicious, or is it another false positive? The ATP on our UTM9 has been reporting this since Friday on DNS requests ...
    • Answered
    • over 2 years ago
    • UTM Firewall
    • German Forum
  • medium alert, PUA detected, adobe_licensing_wf_acro?

    zero_connect
    Does anyone know if this software is a threat or valid? Searched for information but found nothing. adobe_licensing_wf_acro[.]exe
    • Answered
    • over 2 years ago
    • Sophos Endpoint
    • Discussions
  • connection with bad ip address

    Ahmad
    Hi, if I have Sophos XGS or XG and from the LAN my users start making connections to a badly reputed IP address, can the firewall block it? Is ATP the same, or is it different? Can Sophos XG/XGS also consult some IOC feed?
    • over 2 years ago
    • Sophos Firewall
    • Discussions
  • XG450 Advanced Threat Protection -> C2/Generic-A -> C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe - False Positive Alarm?

    EDV-Support
    Hello, we are using: Sophos XG450 (SFOS 18.5.1). During the last 2 weeks we received the following security warnings on 2 different computers: What happened: A computer sent malicious data. This suggests that it…
    • over 2 years ago
    • Sophos Firewall
    • Discussions
  • Sophos suddenly detecting Trusteer Rapport?

    zeban sho
    Noticed ransomware alert from a PC with C:\Windows\System32\msiexec.exe but drilling down I can see it's Trusteer Rapport. I have about a dozen machines with this software though and none of the others are alerting. I'm 99% sure it's a false positive…
    • over 2 years ago
    • Sophos Firewall
    • Discussions
  • Alerts C2/Generic-A

    Guilherme Silva1
    Dear, We are facing a very strange situation regarding the very frequent alerts we are getting for C2/Generic-A. Most of these alerts have origin addresses, from DNS servers, such as 8.8.8.8 for example, but what is intriguing is what in the details…
    • over 2 years ago
    • Sophos Firewall
    • Discussions
  • Sophos Firewall: Troubleshoot a broken application in SFOS

    LuCar Toni
    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Table of Contents Overview Invalid Traffic Troubleshooting…
    • over 2 years ago
    • Sophos Firewall
    • Recommended Reads
  • An attempt to communicate with a botnet or command and control server has been detected.

    Chris Anthony1
    Hi Everyone! Can anyone help me? I received several reports from XG Firewall that an attempt to communicate with a botnet or command and control server has been detected. The source IP is Google's DNS (8.8.8.8 and 8.8.4.4) and my DNS (203.167.97…
    • over 2 years ago
    • Sophos Firewall
    • Discussions
  • An attempt to communicate with a botnet or command and control server has been detected.

    MJ_P1
    I found some malware on a client PC not long ago, which we discussed at length in this thread: https://community.sophos.com/intercept-x-endpoint/f/discussions/132693/mal-polazert-a-removal/491955#491955 . Intercept X is deployed throughout the network…
    • over 2 years ago
    • Sophos Firewall
    • Discussions
  • Advanced Threat Protection research

    William Capeless
    I am having trouble determining what is happening here. I see the source is Google DNS, the destination is my internal DNS server. The threat is clickmatters.biz. How do I track this down to find out what is going on? I checked web logs to see if anyone…
    • Answered
    • over 2 years ago
    • Sophos Firewall
    • Discussions
  • ATP false positive?

    Ben@Network
    Hello Community, from time to time we have some false positives on APT. If I check the URL with VirusTotal, often Sophos is the only vendor where the URL is marked as "Malicious". An example is this URL: https://coronalevel.com/Germany If I check the…
    • over 2 years ago
    • Sophos Firewall
    • Discussions
  • ATP Alarm C2/Generic-A Blocked DNS Requests (Forwarded from SOPHOS)

    uhrzeit
    Hi, the SOPHOS UTM Firewall of one of our Clients sporadically reports an ATP-Threat (Botnet/command-and-control traffic) that has been blocked. The "infected" Hosts are always the two Domain Controllers / DNS Servers within the network. User…
    • over 2 years ago
    • UTM Firewall
    • Management, Networking, Logging and Reporting
  • ATP block all *.idv.tw FQDN query!?

    Shunze Lee
    We found all the *.idv.tw domains were blocked by ATP with XG. I have opened a case (ID: 04765685) with Sophos, but Sophos doesn't seem to know the issue? Shunze
    • Answered
    • over 2 years ago
    • Sophos Firewall
    • Discussions
  • ATP reporting external IP as source

    HPC Kronos
    Hello, I found this old thread but didn't find it helpful. https://community.sophos.com/sophos-xg-firewall/f/discussions/124646/atp-reporting-external-ip-as-source From the ATP reports I am seeing Google and Cloudflare DNSs being reported. …
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • alerts keep scaling

    Taoufik MOURTADI
    Does anybody know what the cause of this alert is? Also, I want to stop it at its source.
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • ATP warnings - source cannot be found

    Marc P1
    Hello everyone, I currently keep seeing ATP messages on our UTM. According to the UTM, the requests come from the DC and are heading towards the Internet. In the DNS.log on the DC, however, the source is always the UTM (the UTM itself does no DNS, it forwards…
    • Answered
    • over 3 years ago
    • UTM Firewall
    • German Forum
  • How to reset Threat Intelligence on Dashboard?

    LHerzog
    Can I reset these alerts and incidents in the Threat Intelligence section? I have checked them all and don't want to get alerted by the old stuff every day again. SFOS 18.0 MR5
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • ATP reports "C2/Generic-A" :

    NM_1987
    Hello, some of our customers asked me about this, so I think this will help others, too. 2021-10-18 10:24:07 192.168.36.181 enabaonag_laptop 192.168.36.1 C2/Generic-A www.google.com.512542883555094…
    • Answered
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • SIP trunk connection - disconnection after 60 seconds - HELP

    adrian_User533
    Hello, since yesterday our PBX has had a Vodafone SIP trunk. Since then, outgoing calls are disconnected after exactly 60 seconds. Not all of them; it seems to me that it works for about 30 minutes, then the disconnections start again.…
    • over 3 years ago
    • UTM Firewall
    • German Forum
  • Advanced Threat - Is this a false positive?

    Ryan McMillan
    Got several alerts from different areas this morning with ATP being tripped. What happened: Sophos Firewall detected malicious connections: 'C2/Generic-C' at 'C:\program files (x86)\Google\Chrome\application\chrome.exe' (Technical Support reference…
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • Advanced Threat Protection through XG proxy C2/Generic-C false positive bug?

    Fred_B
    When we browse to the website https://hollandia.biz/ there is no problem. But when we go to the page https://hollandia.biz/home-services/ we get the DROP by Advanced Threat Protection when the XG is used as proxy server. There is no ATP DROP when…
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • Someone has scanned the network

    Manish Chawda
    Hi, I want to configure Sophos such that if any outsider scans my network, then in some form Sophos would be able to provide me a list of scans performed, from which IP, etc., all the details. Based on that I can take action in ATP. Is there anyone who…
    • Answered
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • ATP from Localhost

    Timo Kopp
    Hello, I have a problem identifying the source of this ATP. We get 2 mails every minute because of this. In the Protocol view I don't see any connections.
    • over 3 years ago
    • Sophos Firewall
    • Discussions
  • ATP reporting external IP as source

    MasTer-OogWay
    Hi, This is new to me, how come ATP reports public IPs as source? Thanks, Gon
    • over 4 years ago
    • Sophos Firewall
    • Discussions
  • What do you do when an attempt to communicate with a botnet is detected?

    Ace Carter
    I'm curious about what the best course of action is. One of the XG Firewalls we manage detected an attempt to communicate with a botnet. The policy is set to Log and Drop and the alert itself says "no further action is needed", but why not? I don't think…
    • over 3 years ago
    • Sophos Firewall
    • Discussions