Advanced Threat Protection through XG proxy C2/Generic-C false positive bug?

the sub page is categorized as C&C

while the base URL is general business.

I suggest you check totalvirus for that URL and submit a URL review to Sophos Support

as this is HTTPS traffic, the XG cannot inspect the sub-page you are visiting when you don't use the Web-Proxy. So ATP only comes when the XG can see the full URL in Proxy-mode.

and about Intercept-X not detecting anything - I think XG and Endpoints use different sources for URL categorization. That's my personal experience when handling such stuff. So one Security-System has it listed but not the other. Strange product policy but this is how it seems to be at Sophos.

Please check this : https://www.virustotal.com/gui/url/3a321f66ecca120bd905b520292824109d0026858582ece68cce14054a82f46e/detection

https://www.virustotal.com/gui/url/8928007c5bccde2f11122fb5e1fa1a4ffc932e6405722de5bd8a61763e1a6e88/detection

Sophos status is Unrated hence, it could be false posistive.

C2/Generic Detection Explained

Please raise with Sophos Lab to review this URL and whitelist it.

All,

The problem is XG proxy. The URL (same rule as XG Proxy) is not seen as a positive with direct https. Only when connecting tru XG Proxy 3128. Same rule same settings, only difference the XG Proxy in between. So submitting it to Sophos Labs will just give an all green but what makes Proxy behave differently?

Fred 

Hi Nilesh,

Sophos does flag it as suspicious but it is only dropped when accessing it tru XG proxy. Not when accessing it direct https (same rule same settings) or by Endpoint X.

Incosistancy of the detection engine.

Sophos does flag this url so I will submit it to Sophos Labs for review. I will be researching the difference between https and 3128 detection on the XG as IMHO there shouldn't be a difference.

create a support case, as by now, you'll never get a feedback if you submit a URL review and will not know, when or if Sophos changed something on their filters.

Done!