
[9.191][NOTaBUG] Advanced Threat Protection

My UTM shows an ATP alert (see images) but the ATP log file is empty.

regards
mod
  • I have found the information in the normal http proxy log.
    2014:01:17-20:55:20 asg httpproxy[5779]: id="0068" severity="info" sys="SecureWeb" sub="http" name="web request blocked, threat detected" action="block" method="POST" srcip="192.168.24.69" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2590" request="0xf7c4698" url="http://data.flurry.com/aap.do" exceptions="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="230" device="0" auth="0" virus="C2/Generic-A"
    2014:01:17-20:56:21 asg httpproxy[5779]: id="0068" severity="info" sys="SecureWeb" sub="http" name="web request blocked, threat detected" action="block" method="POST" srcip="192.168.24.69" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2590" request="0x10192038" url="http://data.flurry.com/aap.do" exceptions="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="183" device="0" auth="0" virus="C2/Generic-A"
    2014:01:17-20:57:54 asg httpproxy[5779]: id="0068" severity="info" sys="SecureWeb" sub="http" name="web request blocked, threat detected" action="block" method="POST" srcip="192.168.24.69" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2590" request="0xf4e5920" url="http://data.flurry.com/aap.do" exceptions="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="236" device="0" auth="0" virus="C2/Generic-A"
    2014:01:17-20:58:46 asg httpproxy[5779]: id="0068" severity="info" sys="SecureWeb" sub="http" name="web request blocked, threat detected" action="block" method="POST" srcip="192.168.24.69" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2590" request="0x10192ab0" url="http://data.flurry.com/aap.do" exceptions="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="191" device="0" auth="0" virus="C2/Generic-A"

    This alert occurs if I start a German quiz app on an Android phone.

    regards
    mod
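    The lines above are the only record of the detection when the ATP log stays empty, so a defender has to pull them out of the httpproxy log. The following is an added example, not code from this thread or from Sophos: it parses the key="value" format of the posted lines and keeps only blocked requests that carry a non-empty virus field, then counts them per source IP, detection name and URL. The first two sample lines are the ones posted above; the third ("http access" / action="pass", id "0001", the IPs and URL in it) is constructed so the filter has something to discard.

```python
import re
from collections import Counter

# Sophos UTM httpproxy lines, as posted in the thread: a syslog-style prefix
# ("<ts> <host> <proc>[<pid>]: ") followed by space-separated key="value" pairs.
PREFIX_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]:\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the prefix fields plus every key="value" pair as a dict, or None if the line does not parse."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "proc": m.group("proc"),
        "pid": int(m.group("pid")),
    }
    # Values may contain spaces, commas and parentheses (see the profile field);
    # the regex only stops at the closing double quote, so they survive intact.
    rec.update(dict(KV_RE.findall(m.group("rest"))))
    return rec


def is_threat_block(rec):
    """A blocked request with a non-empty virus field is a threat detection."""
    return rec.get("action") == "block" and rec.get("virus", "") != ""


def threat_events(lines):
    """Parse each line and keep only the threat-detection blocks."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_threat_block(rec):
            events.append(rec)
    return events


def summarize(events):
    """Count detections per (source IP, detection name, URL) so repeats from one client stand out."""
    return Counter((e["srcip"], e["virus"], e["url"]) for e in events)


# Sample input: the first two entries are the lines posted in this thread; the third is a
# constructed allowed request (not from the thread) with no virus field.
SAMPLE_LOG = [
    '2014:01:17-20:55:20 asg httpproxy[5779]: id="0068" severity="info" sys="SecureWeb" sub="http" name="web request blocked, threat detected" action="block" method="POST" srcip="192.168.24.69" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2590" request="0xf7c4698" url="http://data.flurry.com/aap.do" exceptions="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="230" device="0" auth="0" virus="C2/Generic-A"',
    '2014:01:17-20:56:21 asg httpproxy[5779]: id="0068" severity="info" sys="SecureWeb" sub="http" name="web request blocked, threat detected" action="block" method="POST" srcip="192.168.24.69" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2590" request="0x10192038" url="http://data.flurry.com/aap.do" exceptions="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="183" device="0" auth="0" virus="C2/Generic-A"',
    # constructed: an ordinary passed request, to be filtered out
    '2014:01:17-20:57:00 asg httpproxy[5779]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.24.70" dstip="203.0.113.10" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="512" request="0x1234abcd" url="http://example.com/" exceptions="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="40" device="0" auth="0"',
]

if __name__ == "__main__":
    for (srcip, virus, url), n in summarize(threat_events(SAMPLE_LOG)).items():
        print(f"{srcip}  {virus}  {url}  x{n}")
```

    Run it against a copy of the httpproxy log instead of SAMPLE_LOG to get the same per-client summary for a real box; the (srcip, virus, url) grouping is what makes a single app phoning home on a schedule, as in this thread, visible at a glance.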


    Same issue here with my Android tablets. There seem to be some games connecting there for some unknown reason. But I'd personally assume it's most likely a false positive... (or does the Advanced Threat Protection feature give Sophos an advantage over the competitors missing that feature?)
    On VirusTotal it's also classified solely by the Sophos engine as malicious
    ==> https://www.virustotal.com/de/url/0e99e3a74830fd4d8c5e166640a34d2ab6a1a4f0ee7113fd4c84993047977440/analysis/1390047019/