We have many astaros in different organizations, We had different results
I had as many as 800 alerts in some of them and as low as 1. Some Astaros had NO alerts at all.
The networks that didn´t have any machines using Google DNS had 0 alerts.
In all of the others the number of alerts raised and suddenly stopped.
I think that Sophos discovered the false positive issue (for some reason they marked some google host as a C&C server) and then they change the policy affecting google.
What i would like to hear is an explanation from Shopos, because it gave us a hard time figuring out what was going out, with hundres of email alerts in our admins accounts.
No word from Sophos on this yet? Anyone know if a formal bug report was generated?
I think we'd all like a little re-assurance or guidance from the pros at this point. Or clarity on why a false positive would be generated on something like a DNS server.
This is giving me slightly less confidence in running the ATP system at all. I don't have all day to chase down false-positives. I mean I will... because you know, security, but what is Sophos doing to alleviate the problem?
If you have a paid license you can open up a support case to ask these questions of Sophos.
Sure I could, but that doesn't help out everyone here. Giving information in silos is not efficient. An open public announcement or information sharing is better for the community. I believe that the fact that nearly everyone, home or commercial users are affected means Sophos has a responsibility to respond to the community of dedicated users. Not just the ones who pay big bucks for support.
Sophos runs the risk of creating more users with an opinion like Holy on page 2.
I agree with you, but it's not the way Sophos chooses to conduct its' business, so we work with what we're given. Much more commonly, someone here will open up a support case, get the information and post back the response.
__________________ ACE v8/SCA v9.3
...still have a v5 install disk in a box somewhere.
The domains it is listing are not the false positives. However if you have your dns forwarding to a remote dns instead of the utm this is the result. You need to have your workstations access the utm as their priary dns. However for those with AD or some other internal dns you also need to setup request routing so that AD(or LDAP) queries get routed to the appropriate internal dns server. otherwise the utm has no way to discriminate which workstation/client/device is making the request triggering the ATP alerts.
