Receiving Intrusion Prevention Alert Daily With No Information To Treat It

Hi Everyone,

On one of our Sophos XG appliances, we are receiving this alert daily, but it does not provide any information on what to do to prevent it. If you click on the link provided in the alert, it takes you to the Sophos knowledge base, but within the knowledge base there is no reference to this alert.

Subject: *ALERT* Sophos XG Firewall - Intrusion prevention alert (Critical)

Body:

Alert ID: 7002
Message:
PROTOCOL-IMAP Dovecot and Pigeonhole Remote Code Execution Vulnerability

Also, Googling this alert in quotes does not bring up any Sophos KB articles.

Any suggestions would be great.

Cheers,

Mathew



  • Hi Mathew,

    Is the alert caused by one device or many, and what mail client are you using? I also see many of these errors on my new XG115W but not on my old machine. I suspect that I have disabled the IPS signature because the attack is quite old and I think applied to MS servers?

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hello,

    From what I can see, only receiving this alert from the one firewall.

    We are using full Microsoft 365 for mail. So I suspect there is some old software running somewhere that uses Dovecot.

  • Is there any old software running that uses Dovecot? If not, then it is probably a false positive.

    Even then, if you want more information on this, you can log in to the firewall, open the log viewer at the IPS tab and search for the signature name "PROTOCOL-IMAP Dovecot and Pigeonhole" (you can copy and paste it from the e-mail).

    While searching on the IPS tab, it should give some information on which device is affected, the source IP and destination IP, together with the time when it happened.


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

