
First ATP Reported

I noticed yesterday that our firewall had reported this anomaly coming from our mail server. The destination IP is simply an open DNS I added to the DNS setting on the device but this also occurs on the other entries as well, why would it report this?

  • John, you have to be able to determine what domain lookup is being requested by your client(s). Once you know the domain, you can look it up using IPVoid, VirusTotal, etc. to see the severity of what is malicious. The rule(s) on the XG that fire based on DNS traffic like this are to let you know that something on your network (in this case your DNS server, since it is the one making the lookup) is requesting a domain that matches this signature.

    There is just not enough logging detail in the XG (not its fault) when this fires and you have to look at the DNS server itself to determine what client(s) and what domain(s) are causing this rule to trigger.

    Hope this helps. Merry Christmas & Happy New year.

    -Ron
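
One way to do the client lookup Ron describes, as an added example that is not code from this thread: it assumes BIND 9 style query-log lines (the sample lines below are constructed) and uses a placeholder in place of the domain from the ATP alert.

```python
import re
from collections import Counter

# BIND 9 style query-log line (assumed format): "client <ip>#<port> (<name>): query: <name> IN <type> ..."
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\(.*?\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip the trailing root dot so comparisons are exact."""
    return name.lower().rstrip(".")


def matches(qname: str, domain: str) -> bool:
    """True if qname is the flagged domain itself or any subdomain of it."""
    q, d = normalize(qname), normalize(domain)
    return q == d or q.endswith("." + d)


def clients_for_domain(log_lines, domain):
    """Map each internal client IP to how many queries it sent the resolver for `domain`.

    This is the step the firewall cannot do for you: the XG only sees the
    resolver's outbound query, so the originating client has to come from
    the DNS server's own log.
    """
    hits = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and matches(m.group("qname"), domain):
            hits[m.group("client")] += 1
    return dict(hits)


# Constructed sample log: the resolver is 10.0.0.2, three internal clients query it.
SAMPLE_LOG = [
    "28-Dec-2017 15:10:02.123 client 10.0.0.25#53211 (flagged.example): query: flagged.example IN A + (10.0.0.2)",
    "28-Dec-2017 15:10:03.456 client 10.0.0.40#49152 (mail.example.com): query: mail.example.com IN MX + (10.0.0.2)",
    "28-Dec-2017 15:10:04.789 client 10.0.0.25#53212 (cdn.flagged.example): query: cdn.flagged.example IN AAAA + (10.0.0.2)",
    "28-Dec-2017 15:10:05.000 client 10.0.0.77#40001 (flagged.example): query: flagged.example IN A + (10.0.0.2)",
]
FLAGGED_DOMAIN = "flagged.example"  # placeholder: substitute the domain named in the ATP alert

if __name__ == "__main__":
    for client, count in sorted(clients_for_domain(SAMPLE_LOG, FLAGGED_DOMAIN).items()):
        print(f"{client}\t{count} queries for {FLAGGED_DOMAIN}")
```

Once the originating client is known, the domain itself is what you submit to VirusTotal, IPVoid and similar services to judge the alert.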

  • Thanks Ron. Appreciate the insight.

    The URL in the ATP reports is .

    This is what is coming back clean via some online lookups, so unsure if the clean reports are legit or the ATP reports. I think it was something bad in the signature, but no proof as of yet.

    Merry Christmas and Happy New Year to you as well.

    Cheers,

    John

  • Seeing the same on my newly deployed SG, reporting the host was an all-in-one (Exchange server).

    Any idea?

  • Looks to me like a false positive. Anyone know what threat feed the XG uses? If we can track down the source, maybe we can fix (or confirm, or limit the scope of) the issue/impact.

    I don't mind an email from my appliance with a false positive, but I'd like to be able to tune it so I don't keep getting the same false positives after investigation.

  • FYI for those following the thread: This should be resolved now. You should probably contact Sophos if you're still experiencing this error for this specific URL.

  • When was it resolved? Last log was 12-28-2017 @ 3.10PM EST.

  • Sometime this morning. Keep an eye out for new alerts but you shouldn't see any more.