application filter events

Question

Hey, 
 since we installed Sophos XG we are getting a loads of app filter events regarding GaduGadu Messenger application. Strange is that this traffic is comming from almost all users and its like 100-1000 events per few minutes. Ofcourse nobody is actually using such an application. 
 anyone came across this? is it just false positive alarm or should we investigate further? Thanks 
 anonymized event:

messageid="17051" 
 log_type="Content Filtering" 
 log_component="Application" 
 log_subtype="Denied" 
 fw_rule_id="40" 
 fw_rule_name="LAN to WAN" 
 fw_rule_section="Local rule" 
 user="xxxxxx@xxx.xx" 
 user_group="Open Group" 
 appfilter_policy_id="8"

category="Instant Messenger" 
 app_name="GaduGadu Messenger" 
 app_risk="4" 
 app_technology="Client Server" 
 app_category="Instant Messenger" 
 src_ip="xxx.xxx.xxx.xxx" 
 src_country="R1" 
 dst_ip="141.95.47.55" 
 dst_country="FRA" 
 protocol="TCP" 
 src_port="49598" 
 dst_port="443" 
 bytes_sent="0" 
 bytes_received="0" 
 status="" 
 message="" 
 appresolvedby="Signature"

Vivek Jagad · Answer

Hello Jakub Kavka , Thank you for reaching out to the community, GaduGadu is an instant Messenger application which falls under the instant messenger category and it's risk level is 4: KBA - Sophos Firewall: How to prioritize the traffic via SD-WAN for the applications So, unde the rule no 40, if you have applied the following application filter applied: And you have the logged firewall rule option ticked and under the system services > log settings > content filtering > application filter options enabled: then you'll see the events generated under the log viewer and the action is denied. So this is genuine and fine if you want the application to be blocked in your organization !!

Vivek Jagad · Answer

characteristics of the application is widely used like to transfer files and also to tunnel other apps !!