Advanced Threat Protection

Hello,

In the last couple of days I have started receiving emails from my Sophos UTM (firmware version 9.350-12):

A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

Time...........: 2016-03-20 06:41:17

Traffic blocked: yes

Source IP address or host: 218.60.112.225

Every email includes a different IP address, but it's not in my LAN network. How can I find the problematic machine (IP) in my local network?

  • Does anyone experiencing this happen to have public IPs, "Any", or "Internet" listed under Network Services > DNS > Global > Allowed Networks?

    The DNS proxy is not designed to be left openly internet facing, and if anyone is, they are almost certainly being used as a proxy for DNS reflection attacks. If that's what's happening here, it seems the target of this particular attack is also something we detect via ATP.

    -Alan
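    Alan's point above (the listed source would be the reflection target, not a LAN host) can be checked against the alert mail format the OP pasted. The script below is an added example, not code from this thread or from Sophos: it parses constructed alert blocks in that layout, splits sources into LAN and non-LAN addresses using an assumed 192.168.1.0/24 local range, and flags the pattern of several distinct outside addresses that points at an exposed DNS proxy rather than an infected internal machine.

```python
import ipaddress
import re

# Constructed sample alerts in the field layout of the UTM notification above.
SAMPLE_ALERTS = """\
Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2016-03-20 06:41:17
Traffic blocked: yes
Source IP address or host: 218.60.112.225

Threat name....: C2/Generic-A
Time...........: 2016-03-20 07:02:03
Traffic blocked: yes
Source IP address or host: 203.0.113.77

Threat name....: C2/Generic-A
Time...........: 2016-03-20 07:15:40
Traffic blocked: yes
Source IP address or host: 192.168.1.23
"""

# Assumed local address space; replace with the site's own LAN ranges.
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# "Key....: value" lines; the key may contain spaces and a slash, padding dots are dropped.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z /]+?)\.*:\s*(?P<value>.+)$")
SRC = "Source IP address or host"


def parse_alerts(text):
    """Split the notification text into one dict of fields per alert block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group("key").strip()] = m.group("value").strip()
        if SRC in fields:
            alerts.append(fields)
    return alerts


def is_local(host, networks=LAN_NETWORKS):
    """True if the alert source lies inside one of the configured LAN ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname rather than an address: treat as non-local
    return any(addr in net for net in networks)


def triage(text, networks=LAN_NETWORKS):
    """Separate alerts naming a LAN host from those naming outside addresses.
    Two or more distinct outside sources match the open-resolver/reflection
    pattern (spoofed client addresses), not a single infected internal PC."""
    sources = [a[SRC] for a in parse_alerts(text)]
    internal = sorted({s for s in sources if is_local(s, networks)})
    external = sorted({s for s in sources if not is_local(s, networks)})
    return {"internal_hosts": internal, "external_sources": external,
            "open_resolver_suspected": len(external) >= 2}
```

    Internal hosts in the result are the ones worth inspecting for malware; the external list is what to compare against the DNS Allowed Networks setting Alan describes.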

  • I saw this on multiple clients (over 10). They are all set to only internal for DNS Allowed Networks. The only clients I have that were not affected are ones that geoblock China.

  • I've had China geoblocked since day 1. I still got hit.
  • Maybe they weren't hit because the portscan from China was unsuccessful?

    If a device doesn't block China, the portscan can poke and see that something is there, so then they try hitting it again, hard.

    (apologies for double post, I still mistake what bloody page I am on because it doesn't tell me unless I check and recheck all the time)

  • I too received these alerts. I am new to this. I have a host that is unable to connect to the web. Curious if the UTM blocks outbound traffic of a host if a threat is detected? If so, how do I unblock outbound traffic and get my host back up and running?

    I can successfully ping Google DNS: 8.8.8.8

    But the browser will not connect?

    WD 250GB 5400 RPM 8 MB WD2500LPVX hard drive
    8GB RAM
    SUPERMICRO MBD-A1SAM-2550F-O uATX
    Sophos UTM 9.3
