
Understanding IPS Alerts

I have been receiving 2 IPS alerts regularly. The XG appears to drop the packet, but I am trying to understand the alert and make sure that I don't start disregarding alerts that need attention.

One happens several times a day.

SCAN Zgrab Scanning Attempt Detected - the destination is my mail server and the source IP address changes but goes back to digitalocean.com

The other one is FILE-OFFICE Adobe Acrobat ImageConversion JPEG Out-of-Bounds Read and the source IP is Akamai Technologies, Inc. and the destination is a user device.

I am not sure what I need to do with the information provided to determine if more attention needs to be given to these alerts. Any help is appreciated.



This thread was automatically locked due to age.
  • Hello there,

    Thank you for contacting the Sophos Community.

    For the FILE-OFFICE one, take a look at this CVE. It looks like the user might be using an old version of Adobe; if the customer is using an old version, Adobe recommends updating. If the user is not using an old version and the XG keeps detecting it, it might be a false positive, in which case you will need to open a case with Support to get a packet capture so Labs can analyze the traffic and confirm.

    It would be the same for the SCAN one. I think this might be an incorrect detection.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thank you. The user doesn't have Adobe installed on his device (a phone); I assume it is using the iBooks app to view PDFs.

    I will get a case opened since the SCAN one appears regularly.
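As an added example (not code from this thread, from Sophos, or from either poster), the triage the reply describes can be made systematic rather than done alert by alert: group the IPS alerts by signature, check that every occurrence was actually dropped, count distinct sources and destinations, and only then apply the reasoning from the thread (rotating cloud sources hitting one exposed mail server is blocked reconnaissance to keep monitoring; a client-side file signature toward a device that does not run the targeted software is a likely false positive to raise with Support). The log format, the field names (`signature_msg`, `src_ip`, `dst_ip`, `dst_port`, `action`, `timestamp`) and the sample lines below are constructed for illustration and are assumptions that may not match the real XG log schema; adjust `parse_alert()` to the actual export.

```python
"""Triage helper for recurring IPS alerts.

Added example, not code from the Sophos Community thread or from Sophos.
The key="value" record format and field names are ASSUMED for illustration
and may differ from the real Sophos XG IPS log schema.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
timestamp="2020-06-01 08:12:03" log_type="IDP" signature_msg="SCAN Zgrab Scanning Attempt Detected" src_ip="198.51.100.7" dst_ip="203.0.113.25" dst_port="25" action="Drop"
timestamp="2020-06-01 13:40:19" log_type="IDP" signature_msg="SCAN Zgrab Scanning Attempt Detected" src_ip="198.51.100.88" dst_ip="203.0.113.25" dst_port="25" action="Drop"
timestamp="2020-06-02 02:05:41" log_type="IDP" signature_msg="SCAN Zgrab Scanning Attempt Detected" src_ip="198.51.100.120" dst_ip="203.0.113.25" dst_port="587" action="Drop"
timestamp="2020-06-02 19:22:10" log_type="IDP" signature_msg="SCAN Zgrab Scanning Attempt Detected" src_ip="198.51.100.7" dst_ip="203.0.113.25" dst_port="25" action="Drop"
timestamp="2020-06-02 10:31:55" log_type="IDP" signature_msg="FILE-OFFICE Adobe Acrobat ImageConversion JPEG Out-of-Bounds Read" src_ip="192.0.2.44" dst_ip="10.0.5.23" dst_port="443" action="Drop"
timestamp="2020-06-03 10:33:02" log_type="IDP" signature_msg="FILE-OFFICE Adobe Acrobat ImageConversion JPEG Out-of-Bounds Read" src_ip="192.0.2.44" dst_ip="10.0.5.23" dst_port="443" action="Allow"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_alert(line):
    """Turn one key="value" record into a dict; None for lines that are not IPS alerts."""
    fields = dict(KV_RE.findall(line))
    return fields if "signature_msg" in fields else None


def summarize(log_text):
    """Group alerts by signature and compute the facts a triage decision needs."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_alert(line)
        if rec:
            groups[rec["signature_msg"]].append(rec)
    summary = {}
    for sig, recs in groups.items():
        days = {datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S").date() for r in recs}
        summary[sig] = {
            "count": len(recs),
            "sources": sorted({r["src_ip"] for r in recs}),
            "destinations": sorted({r["dst_ip"] for r in recs}),
            "ports": sorted({int(r["dst_port"]) for r in recs}),
            "days": len(days),
            # The question to answer first: was every occurrence really blocked?
            "not_dropped": sum(1 for r in recs if r.get("action", "").lower() != "drop"),
        }
    return summary


def triage(sig, s):
    """Apply the thread's reasoning to one signature summary; returns (priority, reason)."""
    if s["not_dropped"]:
        return ("high", f"{s['not_dropped']} of {s['count']} occurrence(s) were not dropped; "
                        "confirm whether the destination was actually reached")
    if sig.startswith("SCAN ") and len(s["sources"]) > 1 and len(s["destinations"]) == 1:
        return ("low", f"blocked reconnaissance from {len(s['sources'])} rotating sources against "
                       f"one host on port(s) {s['ports']} over {s['days']} day(s); keep monitoring "
                       "and confirm the host is meant to be exposed on those ports")
    if sig.startswith("FILE-"):
        return ("medium", "client-side file exploit signature toward a user device: confirm the endpoint "
                          "actually runs the targeted software; if it does not, suspect a false positive "
                          "and open a support case with a packet capture")
    return ("medium", "no rule matched; review manually")


def run(log_text):
    """Summarize and triage every signature; returns a list of (signature, priority, reason)."""
    return [(sig, *triage(sig, s)) for sig, s in summarize(log_text).items()]


if __name__ == "__main__":
    for sig, priority, reason in run(SAMPLE_LOG):
        print(f"[{priority.upper()}] {sig}\n    {reason}")
```

The first check is the one worth keeping even if the heuristics are discarded: an alert that "appears to drop the packet" is only reassuring if every occurrence was dropped, and a single `Allow` in the series (the last sample line, constructed to show this) turns a nuisance alert into something to investigate on the endpoint.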
