Hello Community,
from time to time we have some false positives on APT. If I check the URL with VirusTotal, often Sophos is the only vendor where the URL is marked as "Malicious". An example is this URL: https://coronalevel.com/Germany
If I check the…
We found all the *.idv.tw domains were blocked by ATP with XG.
I have opened a case (ID: 04765685) with Sophos, but Sophos doesn't seem to know about the issue?
Shunze
Hello,
I found this old thread but didn't find it helpful. https://community.sophos.com/sophos-xg-firewall/f/discussions/124646/atp-reporting-external-ip-as-source
From the ATP reports I am seeing Google and Cloudflare DNSs being reported.
…
Can I reset these Alerts and Incidents in the Threat intelligence section?
I have checked them all and don't want to get alerted by the old stuff every day again.
SFOS 18.0 MR5
Hello, some of our customers asked me about this, so I think this will help others, too.
2021-10-18 10:24:07
192.168.36.181
enabaonag_laptop
192.168.36.1
C2/Generic-A
www.google.com.512542883555094…
Got several alerts from different areas this morning with ATP being tripped.
What happened: Sophos Firewall detected malicious connections: 'C2/Generic-C' at 'C:\program files (x86)\Google\Chrome\application\chrome.exe' (Technical Support reference…
When we browse to the website https://hollandia.biz/ there is no problem. But when we go to the page https://hollandia.biz/home-services/ we get the DROP by Advanced Threat Protection when the XG is used as proxy server.
There is no ATP DROP when…
Hi,
I want to configure Sophos such that if any outsider scans my network, then in some form Sophos would be able to provide me a list of the scanning done, from which IP etc... all the details. Based on that I can take action in ATP.
Is there anyone who…
I'm curious about what the best course of action is. One of the XG Firewalls we manage detected an attempt to communicate with a botnet. The policy is set to Log and Drop and the alert itself says "no further action is needed", but why not? I don't think…
In the Firewall and SSL/TLS Inspection logs I can see positive and negative results. But I see nothing at all in the ATP, IPS, App Filter, Malware, and Zero-Day logs. Would they only show negative events -- i.e. malware in a download -- or should this…
A Sophos XG with version SFOS 17.5.15 MR-15 reports a daily communication attempt with a botnet or "command-and-control" server. However, the same happens with Sophos XG and the current version 18. There are connections to blog.alexmaccaw.com, which originate…
I've been using XG and UTM for a while now and have used RED a few times, but I've got a dedicated server now in the cloud and I installed XG on it for my edge firewall. I set up a RED tunnel from my XG to that XG, but I had a Windows 2019 VM running on the…
I have an XG reporting that there is an ATP event. The address it is giving me for the source is our Meraki AP. I do not think the Meraki is infected, but more likely one of the clients connecting to that AP is.
The Meraki is NATing addresses, so…
After a backup/restore to a new hardware, the heartbeat connection remains active with the old device serial, which is a mistake. In order to fix that, you need to clear the registration from the XG Firewall and do the registration again, where the serial of…