Almost all of our customer UTMs did generate an ATP alert for IP address 126.96.36.199. It started around 16:00 (I received ~7 alert mails per UTM).
Was there a pattern update? False positive? Any info about that?
Me too, massive alerts from dozens of UTM
Also here on machines with pattern 160216.
Looks like a false positive, because the IP is used for Windows updates...
Firewall consultant since 1995 | Astaro consultant since 2001 | Sophos partner since 2012 | BERGMANN engineering & consulting GmbH, Wien/Austria
Same here on our UTM.
All started after the following:
Installing up2date package: /var/up2date/aptp/u2d-aptp-9.32631-32632.patch.tgz.gpg
Also getting the following IPs now:
188.8.131.52 and 184.108.40.206
220.127.116.11 and 18.104.22.168
Sometimes I think security products are more something like snake oil... "We just think we are super secure"...
All customers with SG got this ATP message!!!
I'm fairly sure this is related to Windows updates. I have 2 UTMs reporting the same threat name: C2/Generic-A
My patterns are at 160216. I have 2 pending firmware updates.
2019:04:04-16:02:27 h******er-utm named: rpz: client 192.168.*.5#52967 (ctldl.windowsupdate.com): view default: rpz IP NXDOMAIN rewrite cs11.wpc.v0cdn.net via 22.214.171.124.93.rpz-ip.rpz
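The named "rpz:" log line above is the most useful evidence in this thread for telling a pattern false positive apart from a real C2 hit: it names the queried host, the CNAME target that was rewritten, and the rpz-ip rule (prefix plus reversed IP) that fired. The following is an added example, not code from the thread or from Sophos: it parses lines in that format, recovers the blocked IP from the rpz-ip rule, and flags rewrites that hit many distinct clients at once (the "storm" signature of a bad pattern rather than a single infected host). The log lines embedded below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the UTM "named: rpz:" format quoted in the thread (not real log data).
LOG_SAMPLE = """\
2019:04:04-16:02:27 utm1 named: rpz: client 192.168.1.5#52967 (ctldl.windowsupdate.com): view default: rpz IP NXDOMAIN rewrite cs11.wpc.v0cdn.net via 32.199.36.96.126.rpz-ip.rpz
2019:04:04-16:02:31 utm1 named: rpz: client 192.168.1.9#40211 (download.windowsupdate.com): view default: rpz IP NXDOMAIN rewrite cs11.wpc.v0cdn.net via 32.199.36.96.126.rpz-ip.rpz
2019:04:04-16:03:02 utm1 named: rpz: client 192.168.1.23#51000 (ctldl.windowsupdate.com): view default: rpz IP NXDOMAIN rewrite cs11.wpc.v0cdn.net via 32.199.36.96.126.rpz-ip.rpz
2019:04:04-16:10:45 utm1 named: rpz: client 192.168.1.5#53321 (example.invalid): view default: rpz QNAME NXDOMAIN rewrite example.invalid via example.invalid.rpz
2019:04:04-16:11:00 utm1 dhcpd: unrelated line that must be ignored
"""

RPZ_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) named: rpz: client (?P<client>[^#\s]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): view (?P<view>[^:]+): rpz (?P<trigger>\S+) (?P<action>\S+) "
    r"rewrite (?P<target>\S+) via (?P<rule>\S+)$"
)

def parse_rpz_line(line):
    """Return the fields of one rpz log line as a dict, or None if it is not an rpz line."""
    m = RPZ_RE.match(line.strip())
    return m.groupdict() if m else None

def rule_to_ip(rule):
    """Recover 'IP/prefix' from an rpz-ip rule name: labels are <prefix>.<reversed octets>.rpz-ip..."""
    labels = rule.split(".")
    if "rpz-ip" not in labels:
        return None  # QNAME/NSDNAME rules carry no IP
    rev = labels[1:labels.index("rpz-ip")]
    if len(rev) != 4:
        return None  # not an IPv4 trigger; IPv6 rules are out of scope here
    return ".".join(reversed(rev)) + "/" + labels[0]

def summarize(lines):
    """Group hits by (rewritten target, rule); track distinct clients and queried names."""
    hits = defaultdict(lambda: {"clients": set(), "qnames": set(), "count": 0})
    for rec in filter(None, map(parse_rpz_line, lines)):
        entry = hits[(rec["target"], rec["rule"])]
        entry["clients"].add(rec["client"])
        entry["qnames"].add(rec["qname"])
        entry["count"] += 1
    return hits

def flag_storms(hits, min_clients=3):
    """A rewrite seen from many clients in one window points at a pattern issue, not one infected host."""
    return [{"target": t, "rule": r, "blocked_ip": rule_to_ip(r),
             "clients": len(v["clients"]), "qnames": sorted(v["qnames"])}
            for (t, r), v in hits.items() if len(v["clients"]) >= min_clients]

if __name__ == "__main__":
    for storm in flag_storms(summarize(LOG_SAMPLE.splitlines())):
        print(storm)
```

Run over the real /var/log/named.log the thread quotes, the storm entries list the queried hosts (here the windowsupdate.com names) that should be checked against an allowlist before the blocked IP is treated as a confirmed C2 indicator.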
Same alarms here (from many computers). Seems to affect many users out there. The post has had several hundred views within a few minutes.
Any response from Sophos?
Yep here too!
Started at precisely 16:05 CEST today and is still trickling in slowly, even though everybody else has gone home...
UTM version: 9.601-5
Pattern version: 160221
EDIT: Located in Denmark, Europe
We are seeing the same.
Firmware version: 9.601-5
Pattern version: 160222
Where is everyone located? The 126.96.36.199 IP address that was posted is in the UK it looks like. Is this affecting Europe via Windows Update? I'm in Eastern Canada and haven't received anything.