General Discussion Sophos ATP DNS dropping *.hwcdn.net domains

UTM Firewall requires membership for participation - click to join

Thread Info

State Verified Answer
+1 person also asked this people also asked this
Locked Locked
Replies 6 replies
Subscribers 10 subscribers
Views 10069 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos ATP DNS dropping *.hwcdn.net domains

rm90 10 months ago

Hi all

We are seeing a lot of dropping from Sophos UTM9 packages (ATP DNS) from *.hwcdn.net.

Someone else?

Examples;

cds.f7y3z2w8.hwcdn.net
cds.d2s7q6s2.hwcdn.net
cds.c4s5i3x5.hwcdn.net

Looks like it is from Windows Update / Microsoft, but some sites telling its malicious, others not.

Also, I found it: https://answers.microsoft.com/en-us/windows/forum/all/are-microsoft-webservices-safe-behind-next-public/b819c103-2cb3-4874-b46e-b375360a3bf6

This thread was automatically locked due to age.

Top Replies

comnet_nm 10 months ago in reply to emmosophos +2 verified

Response from Sophos: Thank you for reproting this issue. We have updated the ATP signature and it should no longer mark 209.197.3.8 as C2 attack. This IP address is used by Microsoft for windows…

Parents

0 emmosophos 10 months ago

Hello there,

Thank you for contacting the Sophos Community.

We have raised this to our Sophos Labs team for investigation.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
+1 comnet_nm 10 months ago in reply to emmosophos

Response from Sophos:

Thank you for reproting this issue.

We have updated the ATP signature and it should no longer mark 209.197.3.8 as C2 attack.

This IP address is used by Microsoft for windows update.

Please ensure that pattern updates are up to date if you are still facing the same issue.
Cancel
Vote Up +2 Vote Down

Cancel

Reply

+1 comnet_nm 10 months ago in reply to emmosophos

Response from Sophos:

Thank you for reproting this issue.

We have updated the ATP signature and it should no longer mark 209.197.3.8 as C2 attack.

This IP address is used by Microsoft for windows update.

Please ensure that pattern updates are up to date if you are still facing the same issue.
Cancel
Vote Up +2 Vote Down

Cancel

Children

0 Maik Ehrenberg 10 months ago in reply to comnet_nm

Hello, we are having the same issue. But we are already up to date for our patterns. Which version are you using?
Cancel
Vote Up 0 Vote Down

Cancel
0 PhilippRusch 10 months ago in reply to comnet_nm

What is the corrected pattern version?

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Maik Ehrenberg 10 months ago in reply to PhilippRusch

Hello,

We are using following pattern version:

227038

Underneath it says "Your patterns are up to date."

Greetings,

Maik Ehrenberg
Cancel
Vote Up 0 Vote Down

Cancel