We are receiving ATP alerts because our machines are trying to access Windows update at 209.197.3.8. They've been hitting that IP for months, but the alerts just started.
Is this a false positive?
Response from Sophos:
Thank you for reporting this issue.
We have updated the ATP signature and it should no longer mark 209.197.3.8 as a C2 attack.
This IP address is used by Microsoft for Windows Update.
Please ensure that pattern updates are up to date if you are still facing the same issue.