Sophos ATP reports Cloudflare 188.114.97.3 as C2/Generic-A (false positive) – Dec. 2022

Quick survey or note to administrators who use Sophos security solutions (ATP). Currently it looks like Sophos security products are misclassifying the Cloudflare IP address 188.114.97.3 as ATP C2/Generic-A. After a blog reader informed me about it via a private Facebook message, here is what I have found out so far.


Sophos ATP and C2/Generic

Sophos ATP (Advanced Threat Protection) is a feature of the Sophos XG Firewall. Advanced Threat Protection analyzes inbound and outbound network traffic for threats. With ATP, administrators can quickly detect compromised clients on the network and log or drop the traffic from those devices.

A C2/Generic alert in Sophos ATP only says that traffic classified as command-and-control (C2) communication has been observed. It can be a false positive, and a search on the Internet for ATP C2/Generic turns up a number of such cases from recent years.

ATP classifies Cloudflare 188.114.97.3 as C2/Generic-A

German blog reader Chris pointed me to this discussion on the Sophos forum, dated December 12, 2022. In it, a German user asked the following on Sunday about a DNS query that had been flagged (I have translated the post):

ATP C2/Generic-A Cloudflare 188.114.97.3 ?

Good evening,

Is there something to this, i.e. why does Sophos classify the IP 188.114.97.3 as malicious, or is it again a false positive?

Our ATP on UTM9 has been reporting this since Friday on DNS requests …

..

Here is a screenshot from another source (private FB group on the subject).

Sophos ATP false positive


The problem is confirmed by other users. Someone posted the following log entries.

2022:12:11-23:15:50 UTMFIREWALL named[6673]: rpz: client @0xb69a808 xxx.xxx.xxx.xxx#55357 (mastodon.lol): view default: rpz IP NXDOMAIN rewrite mastodon.lol via 32.3.97.114.188.rpz-ip.rpz
2022:12:11-23:15:50 UTMFIREWALL named[6673]: rpz: client @0xb69a808 xxx.xxx.xxx.xxx#56326 (mastodon.lol): view default: rpz IP NXDOMAIN rewrite mastodon.lol via 32.3.97.114.188.rpz-ip.rpz
2022:12:11-23:15:55 UTMFIREWALL named[6673]: rpz: client @0xb69a808 xxx.xxx.xxx.xxx#49629 (mindly.social): view default: rpz IP NXDOMAIN rewrite mindly.social via 32.3.97.114.188.rpz-ip.rpz
2022:12:11-23:15:55 UTMFIREWALL named[6673]: rpz: client @0xb69a808 xxx.xxx.xxx.xxx#47000 (mindly.social): view default: rpz IP NXDOMAIN rewrite mindly.social via 32.3.97.114.188.rpz-ip.rpz
2022:12:11-23:15:55 UTMFIREWALL named[6673]: rpz: client @0xb69a808 xxx.xxx.xxx.xxx#55935 (mindly.social): view default: rpz IP NXDOMAIN rewrite mindly.social via 32.3.97.114.188.rpz-ip.rpz
2022:12:11-23:16:00 UTMFIREWALL named[6673]: rpz: client @0xaf8bc20 xxx.xxx.xxx.xxx#37920 (mindly.social): view default: rpz IP NXDOMAIN rewrite mindly.social via 32.3.97.114.188.rpz-ip.rpz
2022:12:11-23:16:00 UTMFIREWALL named[6673]: rpz: client @0xaf8bc20 xxx.xxx.xxx.xxx#48306 (mindly.social): view default: rpz IP NXDOMAIN rewrite mindly.social via 32.3.97.114.188.rpz-ip.rpz
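As an added example (not from the original post, the forum thread or Sophos), here is a small Python parser for BIND "rpz:" log lines of the kind quoted above. It pulls out the client, the query name and the policy action, and decodes the rpz-ip trigger name back into the blocked network: BIND encodes an IPv4 response-IP trigger as the prefix length followed by the reversed octets, so 32.3.97.114.188.rpz-ip denotes 188.114.97.3/32. Grouping query names by blocked network makes the false-positive pattern visible at a glance: one rule for a single CDN address is rewriting answers for several unrelated Mastodon instances. The line layout is taken from the excerpt above; the two sample lines are copied from it.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Shape of a BIND "rpz:" rewrite log line as it appears in the UTM excerpt above.
RPZ_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) named\[(?P<pid>\d+)\]: rpz: client @\S+ "
    r"(?P<client>\S+)#(?P<port>\d+) \((?P<qname>[^)]+)\): view (?P<view>\S+): "
    r"rpz (?P<trigger>\S+) (?P<policy>\S+) rewrite (?P<rewritten>\S+) via (?P<rule>\S+)$"
)


def decode_rpz_ip(rule: str) -> Optional[str]:
    """Turn an IPv4 rpz-ip trigger name into CIDR notation.

    BIND encodes an IPv4 response-IP trigger as prefixlen.B4.B3.B2.B1.rpz-ip
    (octets reversed, as in in-addr.arpa), so 32.3.97.114.188.rpz-ip.rpz
    denotes 188.114.97.3/32. Returns None for anything that is not an IPv4
    rpz-ip trigger (QNAME triggers, or IPv6 triggers with 'zz' labels).
    """
    labels = rule.rstrip(".").split(".")
    if "rpz-ip" not in labels:
        return None
    parts = labels[: labels.index("rpz-ip")]
    if len(parts) != 5 or not all(p.isdigit() for p in parts):
        return None
    prefix, *reversed_octets = (int(p) for p in parts)
    if prefix > 32 or any(o > 255 for o in reversed_octets):
        return None
    return ".".join(str(o) for o in reversed(reversed_octets)) + f"/{prefix}"


def parse_rpz_line(line: str) -> Optional[dict]:
    """Parse one rpz rewrite line into a dict; None if it is not such a line."""
    m = RPZ_LINE.match(line.strip())
    if not m:
        return None
    hit = m.groupdict()
    hit["network"] = decode_rpz_ip(hit["rule"])  # None for QNAME-based rules
    return hit


def domains_per_blocked_network(lines: List[str]) -> Dict[str, List[str]]:
    """Group the rewritten query names by the blocked network that caused them.

    One rpz-ip rule rewriting many unrelated, well-known domains is the
    pattern a CDN/shared-hosting false positive produces, and is worth a
    look before the querying clients are treated as compromised.
    """
    grouped = defaultdict(set)
    for line in lines:
        hit = parse_rpz_line(line)
        if hit and hit["network"]:
            grouped[hit["network"]].add(hit["qname"])
    return {net: sorted(names) for net, names in grouped.items()}


# Two lines copied from the log excerpt quoted above.
SAMPLE_LOG = [
    "2022:12:11-23:15:50 UTMFIREWALL named[6673]: rpz: client @0xb69a808 xxx.xxx.xxx.xxx#55357 (mastodon.lol): view default: rpz IP NXDOMAIN rewrite mastodon.lol via 32.3.97.114.188.rpz-ip.rpz",
    "2022:12:11-23:15:55 UTMFIREWALL named[6673]: rpz: client @0xb69a808 xxx.xxx.xxx.xxx#49629 (mindly.social): view default: rpz IP NXDOMAIN rewrite mindly.social via 32.3.97.114.188.rpz-ip.rpz",
]

if __name__ == "__main__":
    for net, names in domains_per_blocked_network(SAMPLE_LOG).items():
        print(f"{net}: {', '.join(names)}")
```

Running the block on the two sample lines reports a single blocked network, 188.114.97.3/32, with both mastodon.lol and mindly.social behind it; feeding it the full RPZ log of a day shows how many distinct domains one IP rule is silently breaking.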

Other voices in the thread report an Advanced Threat Protection alert from the firewall for additional addresses (e.g. Google DNS). Another user writes about this:

I have the same fun,

At VirusTotal the IP is only classified as malicious by Sophos and Webroot; yesterday there were 3 providers. I strongly suspect a false positive. The underlying DNS queries now look quite unremarkable at my end.

Is there actually a direct place at Sophos where one can report such false positives for re-examination?

Currently I assume that the ATP alerts are a false positive. Is anyone else among the readers affected by this? Is there any more detailed information about it?

Addendum: On the forum, one affected person says: "The XGs are a bit more talkative, it seems to be some Edge feature again. Maybe the automatically displayed messages? Microsoft itself probably doesn't host anything at Cloudflare…" For the past 2 hours the problem seems to have been fixed.
