ATP alerts for 209.197.3.8

Question

We are receiving ATP alerts because our machines are trying to access Windows update at 209.197.3.8. They've been hitting that IP for months, but the alerts just started. 
 Is this a false positive?

comnet_nm · Accepted Answer

Response from Sophos: 
 Thank you for reproting this issue. 
 We have updated the ATP signature and it should no longer mark 209.197.3.8 as C2 attack. 
 This IP address is used by Microsoft for windows update. 
 Please ensure that pattern updates are up to date if you are still facing the same issue.

ATP alerts for 209.197.3.8

Top Replies