ATP alert

Can anyone advise on the query below?

ATP Event reoccurs every two to three days.


2021:04:13-01:45:20 nwusophos01 named[5282]: rpz: client @0xa519a18 10.161.1.2#49191 (61-219-11-153.hinet-ip.hinet.net): view default: rpz IP NXDOMAIN rewrite 61-219-11-153.hinet-ip.hinet.net via 32.153.11.219.61.rpz-ip.rpz

Measures already taken:
- enabled DNS diagnostic logging on the Microsoft Active Directory domain controller/DNS server.
- matched the DNS query to the ATP event: the querying system is the domain controller (10.161.1.2)
- scan of the domain controller with the customer's antivirus software: result clean
- scan with the Sophos Virus Removal Tool: result clean

UTM:
Firmware version: 9.705-3
Pattern version: 197682

We need to verify whether the ATP alert is a false positive or not. Please assist.


Added TAG
[edited by: emmosophos at 8:44 PM (GMT -7) on 14 Apr 2021]
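As an added example (not code from the thread or from Sophos), a Python parser for the named RPZ line quoted above: in a BIND RPZ `IP` hit the `via` label carries the prefix length followed by the matched address in reversed octet order, and the client field is whoever sent the query to the UTM resolver, here the domain controller. The set of known forwarders is an assumption.

```python
import re
import ipaddress

# Constructed sample input: the single RPZ line quoted in the post above.
SAMPLE_LINE = (
    "2021:04:13-01:45:20 nwusophos01 named[5282]: rpz: client @0xa519a18 "
    "10.161.1.2#49191 (61-219-11-153.hinet-ip.hinet.net): view default: "
    "rpz IP NXDOMAIN rewrite 61-219-11-153.hinet-ip.hinet.net via "
    "32.153.11.219.61.rpz-ip.rpz"
)

# Field layout of a BIND "rpz: client ..." rewrite message (IPv4 client only).
RPZ_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) named\[\d+\]: rpz: client \S+ "
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+) \((?P<qname>[^)]+)\): "
    r"view (?P<view>\S+): rpz (?P<trigger>\S+) (?P<action>\S+) rewrite "
    r"(?P<rewritten>\S+) via (?P<rule>\S+)$"
)

def decode_rpz_ip_rule(rule):
    """'<prefix>.<reversed IPv4 octets>.rpz-ip.<zone>' -> (zone, ip_network)."""
    labels = rule.split(".")
    marker = labels.index("rpz-ip")          # everything after it is the zone name
    prefix = int(labels[0])                   # first label is the prefix length
    address = ".".join(reversed(labels[1:marker]))  # octets are stored reversed
    zone = ".".join(labels[marker + 1:])
    return zone, ipaddress.ip_network(f"{address}/{prefix}", strict=False)

def parse_rpz_line(line):
    """Return the fields a defender needs from one RPZ rewrite line, or None."""
    match = RPZ_RE.match(line)
    if match is None:
        return None
    rec = match.groupdict()
    rec["port"] = int(rec["port"])
    # Only IP-trigger hits carry a reversed address; QNAME hits name a domain.
    if rec["trigger"] == "IP" and ".rpz-ip." in rec["rule"]:
        rec["zone"], rec["network"] = decode_rpz_ip_rule(rec["rule"])
    else:
        rec["zone"], rec["network"] = None, None
    return rec

def resolver_is_forwarder(rec, forwarders):
    """True when the logged client is an internal resolver (e.g. the DC), so the
    originating host has to be found in that resolver's own query log."""
    return rec["client"] in forwarders
```

When the client is a forwarder, the matching entry in the DC's DNS diagnostic log (same timestamp and query name) names the host that actually asked.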
  • 61.219.11.153 is a well-known bad host. It has been annoying us for a while, too.

    It would be nice if Sophos would block this IP.

    Currently only traffic replies of machines behind the firewalls (XG or SG) are blocked by ATP, and this is causing alerts from the firewall each time.