UTM9 blocking Botnet traffic... but EP not finding anything...

I'm getting regular notifications that the firewall is blocking one of my systems from communicating with a known botnet site... but when I run an AV scan on that system it's coming up empty. Any suggestions regarding 'step b'? I'm trying other AV and AM products now to see if anyone else catches it - so far nothing is.

UTM flags as 'C2/Generic-A' to destination 82.211.30.241 (IPTables).


I have the same behavior. I thought that if I installed the EP client, I could see which process was responsible for the traffic, but EP is oblivious. Digging through UTM shows (naturally) only the network info... with one difference: When I hadn't installed EP yet, the UTM thought my DNS server was the offending source, but only because it was asking OpenDNS to resolve the hostname for my desktop.

So how can we get the info we need? Short of running wireshark 24/7 and a logging process explorer...?

Sophos UTM Home user since 2015

Running on Q350G4 Core i5-4200U 8GB
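One way to get the process behind the UTM's network-only alert, as an added example that is not from this thread or from Sophos: a PowerShell loop on the Windows host that polls for TCP connections to the flagged address and logs the owning process, its path, command line and parent. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection), an elevated session, and the log path shown is an assumption.

```powershell
# Added example (not from the thread): tie the UTM's 'C2/Generic-A' block to a local
# process by polling for TCP connections to the flagged destination and recording
# which executable owns each one. Run in an elevated PowerShell on the suspect host.
$FlaggedIp   = '82.211.30.241'                          # destination reported by the UTM
$LogPath     = "$env:USERPROFILE\c2-attribution.csv"    # assumed output location
$PollSeconds = 2                                        # polling interval

while ($true) {
    # Get-NetTCPConnection emits a non-terminating error when nothing matches; silence it.
    $hits = Get-NetTCPConnection -RemoteAddress $FlaggedIp -ErrorAction SilentlyContinue
    foreach ($c in $hits) {
        $procId = $c.OwningProcess   # ($PID is an automatic variable; do not reuse it)
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $cim    = Get-CimInstance Win32_Process -Filter "ProcessId = $procId" `
                      -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Time        = (Get-Date).ToString('s')
            LocalPort   = $c.LocalPort
            RemotePort  = $c.RemotePort
            State       = $c.State
            ProcessId   = $procId
            Name        = $proc.ProcessName
            Path        = $proc.Path            # empty for protected/system processes
            CommandLine = $cim.CommandLine
            ParentPid   = $cim.ParentProcessId  # useful when the owner is a host like svchost/rundll32
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
    Start-Sleep -Seconds $PollSeconds
}
```

A connection that opens and closes between two polls is missed, so for a persistent record use Sysmon's network connection event (Event ID 3), which logs the image and PID for every outbound connection as it happens. Note the DNS lookup the reply mentions is a separate UDP flow and will not appear here; the row that matters is the TCP connection from the desktop itself.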
