This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos ATP DNS dropping *.hwcdn.net domains

rm90 over 1 year ago

Hi all

We are seeing a lot of dropping from Sophos UTM9 packages (ATP DNS) from *.hwcdn.net.

Someone else?

Examples;

cds.f7y3z2w8.hwcdn.net
cds.d2s7q6s2.hwcdn.net
cds.c4s5i3x5.hwcdn.net

Looks like it is from Windows Update / Microsoft, but some sites telling its malicious, others not.

Also, I found it: https://answers.microsoft.com/en-us/windows/forum/all/are-microsoft-webservices-safe-behind-next-public/b819c103-2cb3-4874-b46e-b375360a3bf6

This thread was automatically locked due to age.

Top Replies

comnet_nm over 1 year ago in reply to emmosophos +2 verified

Response from Sophos: Thank you for reproting this issue. We have updated the ATP signature and it should no longer mark 209.197.3.8 as C2 attack. This IP address is used by Microsoft for windows…

0 comnet_nm over 1 year ago

This thread is related to the same issue,

ATP alerts for 209.197.3.8

Ticket opened with support.
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos over 1 year ago

Hello there,

Thank you for contacting the Sophos Community.

We have raised this to our Sophos Labs team for investigation.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
+1 comnet_nm over 1 year ago in reply to emmosophos

Response from Sophos:

Thank you for reproting this issue.

We have updated the ATP signature and it should no longer mark 209.197.3.8 as C2 attack.

This IP address is used by Microsoft for windows update.

Please ensure that pattern updates are up to date if you are still facing the same issue.
Cancel
Vote Up +2 Vote Down

Cancel
0 Maik Ehrenberg over 1 year ago in reply to comnet_nm

Hello, we are having the same issue. But we are already up to date for our patterns. Which version are you using?
Cancel
Vote Up 0 Vote Down

Cancel
0 PhilippRusch over 1 year ago in reply to comnet_nm

What is the corrected pattern version?

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Maik Ehrenberg over 1 year ago in reply to PhilippRusch

Hello,

We are using following pattern version:

227038

Underneath it says "Your patterns are up to date."

Greetings,

Maik Ehrenberg
Cancel
Vote Up 0 Vote Down

Cancel