How to create an exception for a site that I am getting an INDICATOR-COMPROMISE Suspicious .pw error

I am trying to access a site and I am getting an error in the Intrusion Prevention System (Live Log). I tried to create an exception with the IP of the website I am trying to access, but that does not work. It works when I disable IPS. I am running a Home Sophos UTM9, Firmware version 9.409-9.

Any suggestions?

Thanks

Brian

  • Hi, Brian, and welcome to the UTM Community!

    I'm not familiar with that, so I suspect that it's a bit different from what you wrote - please show a picture of the message.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Here is part of the message in the Intrusion Prevention System Log. If you need anything else, let me know. I am trying to access a URL with the .pw extension...

  • I was not able to find an actual .pw site.  I would suspect the error is an actual DNS issue rather than an IPS issue.

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Here is the site I am trying to access. I can access the site by going around the UTM or turning off the IPS.

    http://vector.pw

    Thanks

    Brian

  • "DNS query" was the missing detail, Brian.  There are some top-level domains (TLDs) that are known to be used primarily for nefarious activities, so Advanced Threat Protection flags the DNS query and this block is reported in the Intrusion Prevention log.  I suspect that you could have disabled ATP instead of Snort and then been able to do the DNS query.

    Google tld pw and you will see what the problem is.  The domain vector.pw has now been completely removed and is no longer available for registration.  If your PC or UTM still has an IP for that, you can see where it is at http://www.ip2location.com/demo.

    Most people prefer to Block a TLD when they get this warning.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
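A TLD-based check of the kind Bob describes (flag or block DNS queries whose top-level domain is on a list you maintain), as an added example that is not from this thread or from Sophos; the log line format, client addresses and query names are constructed, and the check matches only the final label, so a name such as pw.example.org is not flagged just because it contains "pw":

```python
import re

# Constructed sample lines in a generic "client= query=" shape; this is NOT the
# UTM's real log format (assumption for illustration only).
SAMPLE_LOG = """\
2017-03-01T10:15:01 client=192.168.1.20 query=vector.pw type=A
2017-03-01T10:15:02 client=192.168.1.20 query=www.example.com. type=A
2017-03-01T10:15:03 client=192.168.1.31 query=Mail.Corp.Example.PW type=MX
2017-03-01T10:15:04 client=192.168.1.20 query=pw.example.org type=A
"""

# TLDs the administrator has decided to block; "pw" is the one from the thread.
BLOCKED_TLDS = {"pw"}

QUERY_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<name>\S+)")


def tld_of(name: str) -> str:
    """Return the lowercased final label of a DNS name (trailing dot tolerated)."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] if labels else ""


def flagged_queries(log_text: str, blocked_tlds=BLOCKED_TLDS):
    """Return (client, name) pairs whose query name ends in a blocked TLD."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        name = m["name"].rstrip(".").lower()
        if tld_of(name) in blocked_tlds:
            hits.append((m["client"], name))
    return hits


if __name__ == "__main__":
    for client, name in flagged_queries(SAMPLE_LOG):
        print(f"blocked-TLD query from {client}: {name}")
```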