This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ATP alert

FormerMember over 3 years ago

Can anyone suggest on the below query

ATP Event reoccurs every two to three days.

2021:04:13-01:45:20 nwusophos01 named[5282]: rpz: client @0xa519a18 10.161.1.2#49191 (61-219-11-153.hinet-ip.hinet.net): view default: rpz IP NXDOMAIN rewrite 61-219-11-153.hinet-ip.hinet.net via 32.153.11.219.61.rpz-ip.rpz

measurements already taken:
- enable DNS diagnostic logging on Microsoft active directory domain controller/dns server.
- match dns query to atp event: querying system is domain controller (10.161.1.2)
- scan of domain controller with customer's antivirus software
result: clean
- scan with sophos virus removal tool
result: clean

UTM:
Firmware version: 9.705-3
Pattern version: 197682

We need verfiy if ATP alert is a false postive or not. Please assist.

This thread was automatically locked due to age.

emmosophos over 3 years ago

Hello there,

Thank you for contacting the Sophos Community.

It seems to be a False Positive, but to confirm you would need to open a ticket with Support so they can send to Labs for confirmation.

You would need to submit the http.log, ips.log, and aptp.log

Additionally to this, you need to do a packet capture of the specific traffic.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
LHerzog over 2 years ago in reply to emmosophos

61.219.11.153 is a well known bad host. annoying us since a while, too.

would be nice if Sophos would block this IP.

currently only traffic replies of machines behind the firewalls (XG or SG) are blocked by ATP. and this is causing alerts from the firewall each time.
Cancel
Vote Up 0 Vote Down

Cancel