I have been doing some work today with my Sophos UTM. After loading the Dashboard, it appears that Advanced Threat Protection has detected Botnet/command-and-control traffic on my network. After looking at the log, it appears that this activity is coming from three hosts: a laptop and two domain controllers (primary & secondary). I have looked at the live log for Advanced Threat Protection, and I have discovered that this traffic is being forwarded on to 194.168.4.100, which is Virgin Media's primary DNS server.
I have scanned the laptop and the two domain controllers with the Sophos Virus Removal Tool and all hosts are reported to be clean.

Screenshot from the Sophos UTM Dashboard

Screenshot from Recent Events

Screenshot from the Live Log, showing traffic from 10.0.2.14 (LAPTOP), going to 10.0.1.13 (PRIMARY DC/DNS) and traffic from 10.0.1.14 (SECONDARY DC/DNS) to 194.168.4.100 (VIRGIN MEDIA PRIMARY DNS).

Would this be a false positive?