[9.191][NOTaBUG] Advanced Threat Protection

mod2402 over 11 years ago

My UTM shows an ATP alert (see images) but ATP log file is emty.

regards
mod

0 snowcrash_01 over 11 years ago

Yep,
ATP uses several 'helpers' to check. In your case the helper is the HTTP Proxy (origin=proxy). So you should find the information in http.log
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 mod2402 over 11 years ago

I have found the information in the normal http proxy log..
[HTML]2014:01:17-20:55:20 asg httpproxy[5779]: id="0068" severity="info" sys="SecureWeb" sub="http" name="web request blocked, threat detected" action="block" method="POST" srcip="192.168.24.69" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2590" request="0xf7c4698" url="data.flurry.com/.../Generic-A"
2014:01:17-20:56:21 asg httpproxy[5779]: id="0068" severity="info" sys="SecureWeb" sub="http" name="web request blocked, threat detected" action="block" method="POST" srcip="192.168.24.69" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2590" request="0x10192038" url="data.flurry.com/.../Generic-A"
2014:01:17-20:57:54 asg httpproxy[5779]: id="0068" severity="info" sys="SecureWeb" sub="http" name="web request blocked, threat detected" action="block" method="POST" srcip="192.168.24.69" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2590" request="0xf4e5920" url="data.flurry.com/.../Generic-A"
2014:01:17-20:58:46 asg httpproxy[5779]: id="0068" severity="info" sys="SecureWeb" sub="http" name="web request blocked, threat detected" action="block" method="POST" srcip="192.168.24.69" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2590" request="0x10192ab0" url="data.flurry.com/.../HTML]

This alert occurs if I start a german Quiz App on an Android phone.

regards
mod
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 mod2402 over 11 years ago

Hi snowcrash,

but for what is then the ATP log?

regards
mod
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Sascha Paris over 11 years ago in reply to mod2402

I have found the information in the normal http proxy log..
[HTML]2014:01:17-20:55:20 asg httpproxy[5779]: id="0068" severity="info" sys="SecureWeb" sub="http" name="web request blocked, threat detected" action="block" method="POST" srcip="192.168.24.69" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2590" request="0xf7c4698" url="http://data.flurry.com/aap.do" exceptions="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="230" device="0" auth="0" virus="C2/Generic-A"
2014:01:17-20:56:21 asg httpproxy[5779]: id="0068" severity="info" sys="SecureWeb" sub="http" name="web request blocked, threat detected" action="block" method="POST" srcip="192.168.24.69" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2590" request="0x10192038" url="http://data.flurry.com/aap.do" exceptions="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="183" device="0" auth="0" virus="C2/Generic-A"
2014:01:17-20:57:54 asg httpproxy[5779]: id="0068" severity="info" sys="SecureWeb" sub="http" name="web request blocked, threat detected" action="block" method="POST" srcip="192.168.24.69" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2590" request="0xf4e5920" url="http://data.flurry.com/aap.do" exceptions="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="236" device="0" auth="0" virus="C2/Generic-A"
2014:01:17-20:58:46 asg httpproxy[5779]: id="0068" severity="info" sys="SecureWeb" sub="http" name="web request blocked, threat detected" action="block" method="POST" srcip="192.168.24.69" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2590" request="0x10192ab0" url="http://data.flurry.com/aap.do" exceptions="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="191" device="0" auth="0" virus="C2/Generic-A" [/HTML]

This alert occurs if I start a german Quiz App on an Android phone.

regards
mod

Same issue here with my Android Tablets. There seems to be some games conecting there for some unknown reason. But I'd personally assume it most likely as a false positive...(or the Advanced Threat Protection Feature gives Sophos a advantage over the competitors missing that feature ?)
In Virustotal it's also classified solely by the Sophos Engine as Malicious
==> https://www.virustotal.com/de/url/0e99e3a74830fd4d8c5e166640a34d2ab6a1a4f0ee7113fd4c84993047977440/analysis/1390047019/
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Sascha Paris over 11 years ago in reply to Sascha Paris

Ok...digged little deeper. Seems to be a well known annoyance if googling for that mentioned flurry URL.

A good description of it declares it as kind of "crappy adware", which makes it for me ok, if UTM ATP blocks that S***t, as those Android apps - especially games - are in my eyes anyway too much ad driven, and lot of those ad vendors doesn't respect your privacy at all (never wondered, why a crappy app needs access to your contacts, can read phonecalls, etc. ?)

==> VRT: Android.Counterclank: Malware or Adware?

[:@]
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Tinkerbell over 11 years ago in reply to mod2402

Hi snowcrash,

but for what is then the ATP log?

regards
mod

Hi mod,

Threats detected by firewall (in iptables), application control, dns are logged in aptp.log and threats found by http, ips are logged in their own files.

Best,
Bianca
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 mod2402 over 11 years ago

Hi Bianca,

thanks for this hint. Is there a way to just block this threat without an extra warning? I don't need a warning every time this event occurs.

regards
mod
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 kofi over 11 years ago

Hi mod,

you can disable the notifications of atp events under Management -> Notifications -> Notifications.

Best,
Kofi

Edit: you find the setting in the Intrusion Prevention section
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 mod2402 over 11 years ago

Hi Kofi,

that's right, but that was not my question [;)] I just want disable the hint for these Android threat. Not all notifications. I want to be informed just for new threats with the exception of this one.

Is this possible?

regards
mod
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 kofi over 11 years ago

sorry, but thats not possible.

Best,
Kofi
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel