Advanced Threat Protection

Hello,

In the last couple of days I have started receiving emails from my Sophos UTM (Firmware version 9.350-12):

A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

Time...........: 2016-03-20 06:41:17

Traffic blocked: yes

Source IP address or host: 218.60.112.225

Every email includes a different IP address, but it is not in my LAN network. How can I find the problematic machine (IP) in my local network?

  • Same here, at first the sources were external addresses, after a while internal addresses came too - but one of the addresses was a Windows Server, the other one was an OS X client. I have no inbound DNS allowed, DNS relay only on internal interfaces. I configured the firewall so that only DNS from my internal DNS server can reach the Google DNS servers, no others. On my internal DNS server I created a zone for anmorencai.com and geoblocked China. After resetting the counter yesterday, they gave no warnings again.

    I updated the virus protection on every server and scanned them; nothing found. A Google search found nothing about these URLs, only Sophos Community information.

    Is it a false positive?
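An added example (not code from the thread or from Sophos) for the question in the original post: a Python script that parses UTM notification bodies in the format quoted above, separates LAN source addresses, which are the machines to examine, from external ones, which cannot be LAN hosts and need to be matched against the logs of the DNS relay the reply describes. The alert bodies are constructed sample data.

```python
import ipaddress
import re
# Constructed sample bodies in the UTM notification format quoted in the thread
# (field labels copied from the thread; the LAN entry is made up for the example).
SAMPLE_ALERTS = """\
Threat name....: C2/Generic-A
Time...........: 2016-03-20 06:41:17
Traffic blocked: yes
Source IP address or host: 218.60.112.225

Threat name....: C2/Generic-A
Time...........: 2016-03-20 07:02:44
Traffic blocked: yes
Source IP address or host: 192.168.10.57
"""

# "Label....: value" lines; the dots are padding, not part of the label.
FIELD_RE = re.compile(r"^(Threat name|Time|Traffic blocked|Source IP address or host)\.*: (.+)$", re.M)

def parse_alerts(text):
    """Split blank-line separated notification bodies into one dict per alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k: v.strip() for k, v in FIELD_RE.findall(block)}
        if "Source IP address or host" in fields:
            alerts.append(fields)
    return alerts

def classify_source(host):
    """'internal' (RFC 1918 etc.), 'external' (public), or 'hostname' if not an IP."""
    try:
        return "internal" if ipaddress.ip_address(host).is_private else "external"
    except ValueError:
        return "hostname"

def triage(text):
    """Per source: kind, number of alerts and their timestamps (for log correlation)."""
    summary = {}
    for alert in parse_alerts(text):
        src = alert["Source IP address or host"]
        entry = summary.setdefault(src, {"kind": classify_source(src), "count": 0, "times": []})
        entry["count"] += 1
        entry["times"].append(alert["Time"])
    return summary

def hosts_to_investigate(text):
    """LAN sources, most alerts first; external sources are matched against relay logs instead."""
    summary = triage(text)
    return sorted((s for s, e in summary.items() if e["kind"] == "internal"),
                  key=lambda s: -summary[s]["count"])
```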
