
UTM 9 Advanced Threat Protection

Hello all,

Since yesterday I keep receiving these emails:

"Advanced Threat Protection

A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site
outside your company.

Details about the alert:

Threat name....: C2/Generic-A
Details........:
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spywa[..]
Time...........: 2018-05-20 09:42:50
Traffic blocked: yes

Source IP address or host: 218.28.68.126
        
-- 
System Uptime      : 18 days 1 hour 3 minutes
System Load        : 18.25
System Version     : Sophos UTM 9.509-3

Please refer to the manual for detailed instructions.

The send limit for this notification has been reached. No further
notifications of this type will be sent during this period."

The strange thing is that the source IP/host is different every time and it is not a known IP for me.
I have had about 20 emails since yesterday, and the UTM processor load has also been at about 90% since yesterday.

At the moment I am running the Sophos Virus Removal Tool on all the Windows servers, but I have the idea it won't find anything.
Has anyone experienced this, or can someone point me in the right direction?



  • You should be able to create a Country Blocking Exception for traffic arriving on the ports that the SMTP Proxy listens for: 25, 465 & 587.

    In any case, my guess is that these are computers infected with malware that makes them part of a botnet trying to break into your network.  You can use https://centralops.net/co/DomainDossier.aspx to find the abuse-reporting address for each of those IPs and forward them the email alert with the notation that you're on CEST (UTC +2).  One of my clients got slammed like you have been.  I reported 36 infections in two days and the attack stopped.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
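One way to prepare the per-IP abuse reports Bob describes, as an added example that is not from this thread or from Sophos: it parses the UTM 9 ATP notification text quoted in the question, converts the UTM's local timestamps (assumed CEST, UTC+2) to UTC, and groups the hits by source IP. The sample alerts are constructed for the example (192.0.2.10 is a documentation address).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Matches the dotted "Key....: value" lines of a UTM 9 ATP notification.
FIELD_RE = re.compile(r"^(Threat name|Time|Traffic blocked)\.*: ?(.*)$", re.M)
SRC_RE = re.compile(r"^Source IP address or host: (\S+)", re.M)

# Assumption: the UTM reports local time in CEST (UTC+2), as in the reply above.
LOCAL_TZ = timezone(timedelta(hours=2))

def parse_alert(text):
    """Return the fields of one notification, with the timestamp converted to UTC."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(text)}
    src = SRC_RE.search(text)
    if src is None or "Time" not in fields:
        return None  # not a complete ATP notification
    local = datetime.strptime(fields["Time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    return {
        "source": src.group(1),
        "threat": fields.get("Threat name", ""),
        "blocked": fields.get("Traffic blocked", "").lower() == "yes",
        "time_utc": local.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
    }

def group_by_source(texts):
    """Group parsed alerts by source IP: one entry per abuse report to send."""
    grouped = defaultdict(list)
    for alert in filter(None, map(parse_alert, texts)):
        grouped[alert["source"]].append((alert["time_utc"], alert["threat"], alert["blocked"]))
    return {ip: sorted(hits) for ip, hits in grouped.items()}

# Constructed sample: the alert quoted in the question plus two made-up ones.
SAMPLE_ALERTS = [
    "Threat name....: C2/Generic-A\nDetails........:\n"
    "Time...........: 2018-05-20 09:42:50\nTraffic blocked: yes\n\n"
    "Source IP address or host: 218.28.68.126\n",
    "Threat name....: C2/Generic-A\nDetails........:\n"
    "Time...........: 2018-05-21 00:15:00\nTraffic blocked: yes\n\n"
    "Source IP address or host: 192.0.2.10\n",
    "Threat name....: C2/Generic-A\nDetails........:\n"
    "Time...........: 2018-05-20 11:02:17\nTraffic blocked: yes\n\n"
    "Source IP address or host: 218.28.68.126\n",
]

if __name__ == "__main__":
    for ip, hits in group_by_source(SAMPLE_ALERTS).items():
        print(ip, len(hits), "alert(s), first at", hits[0][0])
```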