
Advanced Threat Protection - Lock.bz

Hi,

Since upgrading to the latest version of Sophos UTM, I have received constant Advanced Threat Protection alerts for threat "C2/Generic-A", with the destination address "lock.bz". I have searched the forums for this, and it appears to be something which is affecting a lot of people. Unfortunately, my searching has not led me to a working solution. I still receive constant alerts, to the extent that I have given up pressing the "Reset" button. After pressing "Reset", it's a matter of waiting a few minutes and then bang, the alerts start to flood back in.

Is there a solution to this problem? Is there a way of killing these alerts? The reported hosts are internal DNS servers. I have enabled DNS logging on both of these servers to attempt to trace an infected host, but the logs report that the Sophos UTM itself is asking the DNS servers to query the "lock.bz" domain.

Has anybody here had this issue and managed to resolve it? It's getting rather frustrating now...

Cheers,

Richard
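Richard's step of enabling DNS logging on the internal servers is the right way to find out which host actually originates the lock.bz lookups. The script below is an added example for this thread, not code from the thread, from Sophos or from Microsoft. It assumes the Windows DNS Server debug-log line format (one PACKET line per query or response, with names written as (4)lock(2)bz(0)); the log lines in it are constructed samples, with 192.168.1.1 standing in for the UTM, 192.168.1.57 for a LAN client and 8.8.8.8 for the configured forwarder. It reports which source addresses asked the server for a domain and which forwarder the server passed the query on to.

```python
"""Summarise who asks an internal Windows DNS server for a given domain.

Added example; assumes the Windows DNS Server debug-log PACKET line format.
All sample lines are constructed and do not come from a real server.
"""
import re
from collections import Counter

# Constructed sample lines. 192.168.1.1 = the UTM, 192.168.1.57 = a LAN client,
# 8.8.8.8 = the forwarder. Each query has a matching Snd/Rcv response pair.
SAMPLE_LOG = [
    "1/1/2024 10:32:18 AM 0B48 PACKET  00000000024F3BE0 UDP Rcv 192.168.1.1     0002   Q [0001   D   NOERROR] A      (4)lock(2)bz(0)",
    "1/1/2024 10:32:18 AM 0B48 PACKET  00000000024F3BE0 UDP Snd 8.8.8.8         0002   Q [0001   D   NOERROR] A      (4)lock(2)bz(0)",
    "1/1/2024 10:32:19 AM 0B48 PACKET  00000000024F3BE0 UDP Rcv 8.8.8.8         0002 R Q [8081   DR  NOERROR] A      (4)lock(2)bz(0)",
    "1/1/2024 10:32:19 AM 0B48 PACKET  00000000024F3BE0 UDP Snd 192.168.1.1     0002 R Q [8081   DR  NOERROR] A      (4)lock(2)bz(0)",
    "1/1/2024 10:32:20 AM 0B48 PACKET  00000000024F3BE0 UDP Rcv 192.168.1.57    0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)",
    "1/1/2024 10:32:25 AM 0B48 PACKET  00000000024F3BE0 UDP Rcv 192.168.1.57    0004   Q [0001   D   NOERROR] A      (3)cdn(4)lock(2)bz(0)",
]

# date time AM/PM, thread id, PACKET, packet ptr, proto, direction, remote IP,
# XID, optional "R" (response), "Q", bracketed flags, query type, encoded name
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+)\s+\S+\s+PACKET\s+\S+\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+\S+\s+(?P<resp>R?)\s+Q\s+\[[^\]]*\]\s+"
    r"(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)


def decode_name(raw):
    """Turn the length-prefixed form (3)www(4)lock(2)bz(0) into www.lock.bz."""
    labels = [lbl for _, lbl in re.findall(r"\((\d+)\)([^(]*)", raw) if lbl]
    return ".".join(labels).lower()


def parse_line(line):
    """Parse one debug-log line; return None for lines that are not PACKET records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "direction": m.group("dir"),           # Rcv = came in, Snd = server sent it
        "ip": m.group("ip"),                   # the other end of the packet
        "is_response": m.group("resp") == "R",
        "qtype": m.group("qtype"),
        "name": decode_name(m.group("name")),
    }


def in_domain(name, domain):
    """True if name is domain itself or any name underneath it."""
    domain = domain.lower().strip(".")
    return name == domain or name.endswith("." + domain)


def _queries(lines, direction, domain):
    for rec in map(parse_line, lines):
        if rec and rec["direction"] == direction and not rec["is_response"] \
                and in_domain(rec["name"], domain):
            yield rec


def clients_querying(lines, domain):
    """Count incoming queries for domain by source IP (responses are ignored)."""
    return dict(Counter(rec["ip"] for rec in _queries(lines, "Rcv", domain)))


def forwarders_used(lines, domain):
    """Addresses the server itself sent queries for domain to, i.e. its forwarders."""
    return {rec["ip"] for rec in _queries(lines, "Snd", domain)}


if __name__ == "__main__":
    domain = "lock.bz"
    print("clients asking for", domain, clients_querying(SAMPLE_LOG, domain))
    print("forwarders used for", domain, forwarders_used(SAMPLE_LOG, domain))
```

Responses are filtered out on purpose: a forwarder's address shows up on Rcv lines only as the answer coming back, so counting every Rcv line would wrongly list 8.8.8.8 as a "client". When the only source address in the first result is the UTM itself, the log matches what Richard describes (the queries originate at the UTM, not at a LAN host); a LAN address in that list is the machine to look at next.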



  • Richard,

    Here's an update.  I downloaded the newest ISO and installed a new UTM for testing.  If I import my configuration, the DNS queries start immediately.  However if I don't import, and just do a basic setup by hand with only the necessary items configured (including dns proxy) there are no queries.  This proves again that it is not an infected machine on my network and shows that it's coming from the Sophos.  Unfortunately that still doesn't explain the who/what/how questions.  This weekend I am going to fully configure the test UTM by hand and monitor all connections during the process to see if anything pops up at each step.  I will let you know what I find.

    Thanks,

    Andrew

  • Hi Andrew,

    Thanks for the update, that sounds very interesting. It is unfortunate that the rest of the community here have stopped providing input to this topic. It's quite clearly an issue, but would appear to be getting ignored.

    After changing the forwarders on my Internal DNS server (Windows DNS), to point directly to the UTM instead of the Google Public DNS servers, I did notice that the ATP alerts had stopped. I did check the DNS log after reading your post, but nothing showed up for the lock.bz / lock.biz domains. I did, however, experience some internal name resolution problems, so I decided to revert my DNS configuration back. Again, the alerts started flooding back in... At this point, I decided to remove the two Google Public DNS entries and use the Virgin Media DNS servers instead. Since making this change, I have not yet received any ATP alerts nor has there been any DNS log entries for lock.bz / lock.biz. I'm wondering if something strange is happening with Google's public DNS servers?

    Just found this - https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/42140/advanced-threat-protection-google-dns-8-8-8-8-false-positive/148728?pi2132219849=2. Surely it wouldn't be a coincidence that everything seems to always point to 8.8.8.8 / 8.8.4.4...

    Cheers,

    Richard

  • Guys,

    If you've configured DNS & DHCP as in DNS best practice, you can block DNS queries to lock.bz using the trick in Block a TLD.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA