Question about ATP log

We received a couple of ATP alerts with Threat Name C2/Generic-A and Origin of AFCd. I think these are coming from our internal DNS server but want to confirm. Looking at the ATP log, the srcip = our internal DNS server, the dstip = "" and the host="".

I had turned on the Windows DNS Debug Log.  There are no entries for ip ''  but there is one for '':

"10/20/2021 9:07:16 AM 0894 PACKET  0000002AE329C140 UDP Snd fd5e   Q [0000       NOERROR] A      (7)cust-dv(8)zentrick(3)com(0)"

I'm trying to determine if we have a Windows client that is potentially creating the alerting DNS request. Any suggestions on trying to find the client?
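
A general way to answer the "which client?" question from the Windows DNS debug log, added here as an example and not code from the original post or from Sophos: the debug log records both sides of a recursive lookup, so a `Rcv` query line (or a `Snd` line carrying the `R` response marker) whose remote IP is an internal address names the client, while the `Snd` query line the poster found is the server forwarding that query upstream. The script below parses the documented packet-line layout, decodes the `(7)cust-dv(8)zentrick(3)com(0)` label form, classifies each entry by direction and query/response flag, and lists every client address seen for a given name. The log lines inside it are constructed samples using RFC 5737 documentation addresses; the function names are this example's own.

```python
"""Find which client asked a Windows DNS server for a given name, using the
server's debug log (DNS Manager > server Properties > Debug Logging).

Added example; not code from the original post. SAMPLE_LOG is constructed
in the documented Windows DNS debug log packet layout."""
import re

# date time threadId context packetId proto Snd|Rcv remoteIp xid [R] opcode [flagsHex flagsChr rcode] qtype qname
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\d{1,2}:\d{2}:\d{2}(?:\s+[AP]M)?)\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+(?P<context>\S+)\s+(?P<pkt_id>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<remote>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<qr>R)?\s*(?P<opcode>[A-Z?])\s+"
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4})\s+(?:(?P<flags_chr>[A-Z]{1,4})\s+)?(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

# Constructed sample: client 192.0.2.25 asks, server forwards to 198.51.100.1,
# answer comes back, server replies to the client; later a second client asks.
SAMPLE_LOG = """\
10/20/2021 9:07:15 AM 0894 PACKET  0000002AE329C000 UDP Rcv 192.0.2.25      3c1a   Q [0001   D   NOERROR] A      (7)cust-dv(8)zentrick(3)com(0)
10/20/2021 9:07:16 AM 0894 PACKET  0000002AE329C140 UDP Snd 198.51.100.1    fd5e   Q [0000       NOERROR] A      (7)cust-dv(8)zentrick(3)com(0)
10/20/2021 9:07:16 AM 0894 PACKET  0000002AE329C140 UDP Rcv 198.51.100.1    fd5e R Q [8180   DR  NOERROR] A      (7)cust-dv(8)zentrick(3)com(0)
10/20/2021 9:07:16 AM 0894 PACKET  0000002AE329C000 UDP Snd 192.0.2.25      3c1a R Q [8181   DR  NOERROR] A      (7)cust-dv(8)zentrick(3)com(0)
10/20/2021 9:07:20 AM 0894 PACKET  0000002AE329C300 UDP Rcv 192.0.2.40      0b77   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
10/20/2021 9:09:02 AM 0894 PACKET  0000002AE329C440 UDP Rcv 192.0.2.77      91ee   Q [0001   D   NOERROR] A      (7)cust-dv(8)zentrick(3)com(0)
"""


def decode_name(raw):
    """Turn '(7)cust-dv(8)zentrick(3)com(0)' into 'cust-dv.zentrick.com'."""
    labels = re.findall(r"\((\d+)\)([^()]*)", raw)
    return ".".join(text for length, text in labels if int(length) > 0)


def parse_line(line):
    """Parse one packet entry; returns a dict, or None for non-packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = decode_name(rec["qname"]).lower()
    rec["timestamp"] = f"{rec['date']} {rec['time']}"
    return rec


def classify(rec):
    """Who the remote IP is, from direction plus the query/response marker:
    a query the server received came from a client; a query it sent went to
    an upstream server; responses run the other way."""
    is_response = rec["qr"] == "R"
    if rec["dir"] == "Rcv":
        return "upstream_response" if is_response else "client_query"
    return "client_response" if is_response else "upstream_query"


def find_client_entries(lines, name):
    """All entries for `name` where the remote IP is a client of this server."""
    wanted = name.lower().rstrip(".")
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["name"] != wanted:
            continue
        kind = classify(rec)
        if kind in ("client_query", "client_response"):
            hits.append({"timestamp": rec["timestamp"], "ip": rec["remote"], "kind": kind})
    return hits


def clients_for(lines, name):
    """Sorted, de-duplicated client addresses that looked up `name`."""
    return sorted({h["ip"] for h in find_client_entries(lines, name)})


if __name__ == "__main__":
    for hit in find_client_entries(SAMPLE_LOG.splitlines(), "cust-dv.zentrick.com"):
        print(hit["timestamp"], hit["ip"], hit["kind"])
    print("clients:", clients_for(SAMPLE_LOG.splitlines(), "cust-dv.zentrick.com"))
```

Two things to check before trusting the result: the debug log only contains the `Rcv` side if "Incoming" is ticked under packet direction (with "Queries/Transfers" under packet contents), and a `Snd` query with no matching `Rcv` can also mean the server answered a client from cache earlier or is resolving on its own behalf, in which case the client entry sits further back in the log or the remote IP is the server's own address or 127.0.0.1.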


  • Hi neighbor and welcome to the UTM Community!

    In another thread here with posts at about the same time as yours, was falsely provoking ATP alerts.  There's likely a bad pattern that will be fixed soon by Sophos.  If this is a paid license, please open a case with Sophos Support.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA