
Threat warnings but no internal sources listed - confused

Hi folks,

A little confused.  I keep getting warnings for threat detection:

Advanced Threat Protection

A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Virut-A

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Virut-A.aspx

Time...........: 2017-07-12 04:37:24

Traffic blocked: yes

Source IP address or host: 54.84.67.222

System Version     : Sophos UTM 9.501-5

When I check in my logs to see what internal host is communicating I see nothing but external reported - how is this happening and how can I track and kill off whatever is happening here?

Would appreciate any insight or advice!


Thanks

Chris



  • ATP does not provide the logs that I would expect. I think on the few occasions that I have had an ATP alert, the IPS logs were the most helpful, and they are usually short. Also use the log search tool to look for that IP address in the webfilter logs.

    The alert CAN mean that a PC is infected and UTM detected that it was trying to connect to a command and control site. If this is the case, the PC needs to be taken off the network.

    It can also mean that the user browsed to an infected website, the website had embedded content which silently tried to connect to a hostile site, which UTM blocked, and therefore the PC is unaffected.

    It can also mean that the PC performed a DNS lookup on a *.TK domain name, which UTM considers high risk, for good reason. UTM blocks the lookup so that your PC never connects to the possibly-hostile IP address associated with that name. Again, UTM blocks the lookup so your PC is unaffected.

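To make the "search the logs for that IP address" step concrete, here is an added Python example; it is not from this thread and not Sophos code. It takes UTM-style log lines (assumed to be a leading timestamp followed by key="value" pairs with fields such as srcip, dstip, sub, action and url), finds every line that mentions the external address from the alert, and reports which host inside the RFC1918 ranges was on the other end, so you know which machine to examine. The sample log lines are constructed for the example and are not real UTM output.

```python
import ipaddress
import re
from collections import Counter

# Assumption about the UTM log format: a timestamp, a process tag, then
# key="value" pairs. Only the pairs are parsed; the timestamp is the first token.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Address ranges treated as "inside the network"; adjust to the site's plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines (not real UTM output). The first two show an inside
# host reaching the address from the alert, once logged by the web filter and
# once dropped by ATP; the third is unrelated traffic; the fourth is an
# inbound connection from the same external address to the firewall's own
# public side, which involves no internal client.
LOG_SAMPLE = [
    '2017:07:12-04:37:23 utm httpproxy[3111]: severity="info" sys="SecureWeb" sub="http" '
    'name="http access" action="pass" method="GET" srcip="192.168.10.23" dstip="54.84.67.222" '
    'user="" statuscode="200" url="http://news.example.invalid/ad.js" referer="http://news.example.invalid/"',
    '2017:07:12-04:37:24 utm ulogd[4242]: severity="warn" sys="SecureNet" sub="packetfilter" '
    'name="Packet dropped (ATP)" action="drop" srcip="192.168.10.23" dstip="54.84.67.222" '
    'proto="6" srcport="51234" dstport="80"',
    '2017:07:12-04:40:01 utm httpproxy[3111]: severity="info" sys="SecureWeb" sub="http" '
    'name="http access" action="pass" method="GET" srcip="192.168.10.77" dstip="203.0.113.5" '
    'user="" statuscode="200" url="http://www.example.invalid/"',
    '2017:07:12-04:41:10 utm ulogd[4242]: severity="info" sys="SecureNet" sub="packetfilter" '
    'name="Packet dropped" action="drop" srcip="54.84.67.222" dstip="198.51.100.9" '
    'proto="6" srcport="44321" dstport="22"',
]


def parse_utm_line(line: str) -> dict:
    """Return the key="value" fields of one log line plus its leading timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def is_internal(ip: str) -> bool:
    """True if ip falls in one of INTERNAL_NETS; malformed values count as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_internal_peers(lines, external_ip: str) -> list:
    """Every line that mentions external_ip, reduced to the internal host on the other end."""
    hits = []
    for line in lines:
        f = parse_utm_line(line)
        src, dst = f.get("srcip"), f.get("dstip")
        if external_ip not in (src, dst):
            continue
        peer = dst if src == external_ip else src
        if not is_internal(peer):
            # Both ends are outside (for example an inbound probe hitting the
            # public address): there is no client behind the firewall to look at.
            continue
        hits.append({
            "timestamp": f["timestamp"],
            "internal_host": peer,
            "subsystem": f.get("sub", "?"),
            "action": f.get("action", "?"),
            "url": f.get("url", ""),
        })
    return hits


def summarize_by_host(hits) -> dict:
    """Count of matching lines per internal host, to rank which machine to examine first."""
    return dict(Counter(h["internal_host"] for h in hits))


if __name__ == "__main__":
    matches = find_internal_peers(LOG_SAMPLE, "54.84.67.222")
    for h in matches:
        print(h)
    print(summarize_by_host(matches))
```

Feed it the exported webfilter, packetfilter and IPS log files (one line per list element) and the address from the alert. A host that shows up only through a web-filter "pass" line to a page that then triggered the ATP drop fits the "embedded content on a visited site" case from the reply above; repeated drops from one host with no browsing context around them look more like the first case, and that host is the one to take off the network and examine.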