Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 16 replies
  • Subscribers 3 subscribers
  • Views 10450 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM9 blocking Botnet traffic... but EP not finding anything...

DaveK67
I'm getting regular notifications that the firewall is blocking one of my systems from communicating with a known botnet site... but when I run an AV scan on that system it's coming up empty.  Any suggestions regarding 'step b'?  I'm trying other av and am products now to see if anyone else catches it - so far nothing is.  

UTM flags as 'C2/Generic-A' to destination 82.211.30.241 (IPTables).


This thread was automatically locked due to age.
Parents
  • 0
    it's because I thought it tied in better detection on the host with the UTM protections present in the gateway. I replaced a perfectly functioning A/V engine that would have told me which process on which interface accessed which prohibited network resource, etc. Is this not a function of the Sophos client?
    The integration comes in the form of being able to push a limited set of configuration options (including web filtering profiles) "downstream" to the clients via the intermediary broker service.  Much beyond that has to be done on the client systems themselves.

    You may want to poke through articles in the knowledgebase at https://secure2.sophos.com/en-us/support/knowledgebase/b/2450/2900/4850.aspx and https://secure2.sophos.com/en-us/support/knowledgebase/b/2450/2900/4900.aspx.

    There are a couple of articles in there about increasing logging levels client side for more information.
Reply
  • 0
    it's because I thought it tied in better detection on the host with the UTM protections present in the gateway. I replaced a perfectly functioning A/V engine that would have told me which process on which interface accessed which prohibited network resource, etc. Is this not a function of the Sophos client?
    The integration comes in the form of being able to push a limited set of configuration options (including web filtering profiles) "downstream" to the clients via the intermediary broker service.  Much beyond that has to be done on the client systems themselves.

    You may want to poke through articles in the knowledgebase at https://secure2.sophos.com/en-us/support/knowledgebase/b/2450/2900/4850.aspx and https://secure2.sophos.com/en-us/support/knowledgebase/b/2450/2900/4900.aspx.

    There are a couple of articles in there about increasing logging levels client side for more information.
Children
No Data