I wonder if anyone can help me clarify the following. We started receiving standard ATP alerts over the past month, as per below. Usually I'm able to investigate these alerts and they are either DNS recursive queries performed by our forwarders on spam domains from emails received and rejected by the SMTP proxy, or web session hijack attempts trying to redirect traffic to malicious domains, but recently I've been baffled by a recurrent alert as below where I'm not able to make much sense of it. I parsed the logs for our SMTP proxy, which show traffic to a Tor node from what I can only assume are SMTP connections rejected by the UTM. Does anyone have any idea on this?
A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Advanced Threat Protection Details
Total Events: 2

#   User/Host       Threat Name    Destination       Events   Origin
1   192.168.7.250   C2/Generic-A   22.214.171.124
2   192.168.7.250   C2/Generic-A   126.96.36.199
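An added triage helper, not code from the thread or from Sophos: it parses the flattened ATP notification table quoted above into records and checks each flagged destination against SMTP proxy log lines to see whether the "outbound" peer is actually a sender the proxy rejected, which is the pattern the post describes. The log line format, timestamps and the 203.0.113.9 peer are constructed and are not real UTM output.

```python
import re

# Constructed copy of the ATP notification table as it arrives flattened in
# the e-mail body (the two alert rows quoted in the post above).
ATP_ALERT = ("Advanced Threat Protection Details Total Events: 2 "
             "User/Host Threat Name Destination Events Origin "
             "1 192.168.7.250 C2/Generic-A 22.214.171.124 "
             "2 192.168.7.250 C2/Generic-A 126.96.36.199")

# Constructed SMTP proxy log lines (hypothetical format, not real UTM output).
SMTP_LOG = """\
2024-05-01T10:02:11 smtpd[1234]: connect from unknown[22.214.171.124]
2024-05-01T10:02:11 smtpd[1234]: reject: RCPT from unknown[22.214.171.124]: 554 spam
2024-05-01T10:05:42 smtpd[1240]: connect from mail.example.net[203.0.113.9]
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# One table row: row number, internal host, threat name, destination IP.
ROW = re.compile(rf"(\d+)\s+({IPV4})\s+(\S+)\s+({IPV4})")


def parse_atp_alert(text):
    """Return one dict per alert row (host, threat, dest) from the flattened table."""
    return [{"host": m.group(2), "threat": m.group(3), "dest": m.group(4)}
            for m in ROW.finditer(text)]


def rejected_smtp_peers(log_text):
    """IPs the SMTP proxy refused mail from (matches the constructed 'reject:' lines)."""
    peers = set()
    for line in log_text.splitlines():
        if "reject:" in line:
            m = re.search(rf"\[({IPV4})\]", line)
            if m:
                peers.add(m.group(1))
    return peers


def triage(alert_text, log_text):
    """Label each alert destination: a rejected SMTP sender is the benign case the
    thread describes; anything else still needs a look at the internal host."""
    rejected = rejected_smtp_peers(log_text)
    return {r["dest"]: ("rejected-smtp-sender" if r["dest"] in rejected else "unexplained")
            for r in parse_atp_alert(alert_text)}


if __name__ == "__main__":
    for dest, verdict in triage(ATP_ALERT, SMTP_LOG).items():
        print(dest, verdict)
```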
Got the same problem. Sophos was pointing to the internal DNS. Then I changed everything to best practice. Internal DNS --> Sophos --> WAN.
Still finding the connection in the SMTP proxy…
Has anyone here, of the people who receive the ATP alerts, found an actual way to get rid of these specific ATP alerts? We still receive the alerts multiple times per week, still from the same subnet. From my understanding there is exactly nothing to do against these DNS requests. We have put the subnet into a blackhole NAT as suggested by BAlfson. Still no change, and the alerts are getting quite annoying at this point. Like, someone from the subnet just has to ping us and we receive an alert. There has to be a solution for this. Or do you guys all just live with it at this point?
My way to work around it was to treat these as false positives and put this handful of hosts onto the threat exception list: