Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 5 subscribers
  • Views 10273 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Anyone Else Having Sudden Issues with Advanced Threat Protection?

wwwolf_01

Starting about the 21'st of last month I've suddenly started receiving a lot of alerts from my UTM's Advanced Threat Protection.  We've used it for about a year and have always gotten an alert now and then when a user does something silly, but now I'm getting multiple per day.

I've been able to track about half of the alerts down to various DNS lookups performed by my mail server (for apparently valid SPF, Caller ID, and other DNS based anti-spam checks).  I'm pretty sure no changes were made to my mail server, so I'm not sure why ATP is flagging them now.

The other half of my alerts are all coming from sub domains of mb5p(dot)com, such as mx129(dot)mb5p(dot)com and mx92(dot)mb5p(dot)com  I've yet to be able to track down why these requests are being made.

Does anyone know of any changes made to the UTM's Advanced Threat Protection?  It's completely possible I may have some malware that needs to be hunted down, but so far I can't locate it and none of my A/V systems are finding anything.

 

UTM: 9.411-3

DNS: Through a Windows server that then goes out through the UTM (this is why tracking down ATP alerts is a pain)



This thread was automatically locked due to age.
Parents
  • 0

    DNS lookups of .tk names now generatw a block and alarm.   The entire namespace has been ruled suspicious, and is intercepted by ATP.

  • 0 in reply to DouglasFoster

    Thanks for the heads up.  I was not aware of that.  I don't believe that is what's affecting me now (no obvious .tk entries in the logs) but I have a feeling it's something along those lines.

    Can you point me to where you got this information on the ATP changes?  Knowing what's changed and when would be very useful.

  • 0 in reply to wwwolf_01

    There's no official notification.  Your WinServer's DNS log should tell you who might have an infection.  Can you be more specific about the content of one of the mb5p.com alerts?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Thanks.  The lack of transparency on the ATP blacklist is a definite challenge.  I'm likely to bother Sophos support some more to see if I can get some conclusive verification.

    You're completely right on using the Windows DNS server logging, but that's what really confusing me in this matter.  I've been able to isolate about half the blocked requests to anti-spam look-ups from my mail server, but the mb5p is inconclusive.  My Windows-fu appears to be lacking, I can't seem to track down who the requester is.

    And to add another twist to the story, as of yesterday all the alerts have... stopped.  Not a peep from the UTM, and the ATP log is clean.  With how quick the alerts started, and how quick the disappeared I have a feeling it was a false positive removed in a definition update.

     

    An example of the Windows DNS log line I receive is:

    5/4/2017 11:44:40 AM 0A38 PACKET 00000044380D4D00 UDP Snd 8.8.8.8 b88a Q [0001 D NOERROR] A (4)mx92(4)mb5p(3)com(0)

    This is the only reference to the domain anywhere around this time.  From what I can see there is no requester, and the message isn't even blocked.

Reply
  • 0 in reply to BAlfson

    Thanks.  The lack of transparency on the ATP blacklist is a definite challenge.  I'm likely to bother Sophos support some more to see if I can get some conclusive verification.

    You're completely right on using the Windows DNS server logging, but that's what really confusing me in this matter.  I've been able to isolate about half the blocked requests to anti-spam look-ups from my mail server, but the mb5p is inconclusive.  My Windows-fu appears to be lacking, I can't seem to track down who the requester is.

    And to add another twist to the story, as of yesterday all the alerts have... stopped.  Not a peep from the UTM, and the ATP log is clean.  With how quick the alerts started, and how quick the disappeared I have a feeling it was a false positive removed in a definition update.

     

    An example of the Windows DNS log line I receive is:

    5/4/2017 11:44:40 AM 0A38 PACKET 00000044380D4D00 UDP Snd 8.8.8.8 b88a Q [0001 D NOERROR] A (4)mx92(4)mb5p(3)com(0)

    This is the only reference to the domain anywhere around this time.  From what I can see there is no requester, and the message isn't even blocked.

Children
No Data
Unfiltered HTML