Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 4 subscribers
  • Views 2148 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM9 ATP has detected outgoin Botnet traffic on one machine, Scan and Clean can't remove it. What to do?

Sascha Flosbach

Hello everybody,

our UTM9 has detected and blocked outgoing traffic from a potential botnet. According to the Sophos site, the next step would be the Sophos Virus removal tool. Which didn't remove anything. So was it a false alarm or are there any other tools that could help identify a potential threat?

best regards



This thread was automatically locked due to age.
Parents
  • 0

    Can you post the log entry? Need to determine if this was a false positive and decipher the log entry if possible.  Was this a PC, or mobile device?

    Why not create a traffic drop rule to that IP/DNS?

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to Amodin

    Doesn't the UTM9 automatically create such rules? 

  • 0 in reply to Sascha Flosbach

    I've never known UTM to automatically block outgoing traffic.  By default, it is setup to block traffic not designated outside the allowed ruleset, but if your botnet is outgoing over standard port traffic such as port 80, no.  Some people who are completely ignorant to firewalls just tell 'Any' traffic to pass through, build other rules below the 'Any' ruleset and can't figure out why it doesn't work.

    Your log would tell us where it's going, and you can setup a blackhole, so anything sent to that IP would just get 'lost'.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to Amodin

    Good advice, a drop rule to that IP is active. I'm going to have a look at the logs and see what I can find.

    Any idea on how to remove the botnet? It hasnt been detected / removed by sophos, malwarebytes or defender. 

Reply Children
  • 0 in reply to Sascha Flosbach

    It could be just a false positive that's being picked up because it has some similar properties in the packets.  If you can copy/paste some of the logs so we can see what it's doing, where it's going.  Feel free to obfuscate any IP address information if you wish.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

Unfiltered HTML