{"id":27996,"date":"2022-12-12T18:17:33","date_gmt":"2022-12-12T17:17:33","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=27996"},"modified":"2022-12-12T18:17:33","modified_gmt":"2022-12-12T17:17:33","slug":"sophos-atp-reports-cloudflare-188-114-97-3-as-c2-generic-a-false-positive-dec-2022","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/12\/12\/sophos-atp-reports-cloudflare-188-114-97-3-as-c2-generic-a-false-positive-dec-2022\/","title":{"rendered":"Sophos ATP reports Cloudflare 188.114.97.3 as C2\/Generic-A (false positive) &#8211; Dec. 2022"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Security (Pexels, general use)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" alt=\"Security (Pexels, general use)\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2022\/12\/12\/sophos-atp-stuft-cloudflare-188-114-97-3-als-c2-generic-a-ein-false-positive-dez-2022\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]A quick survey, or rather a note, for administrators who use Sophos security solutions with Advanced Threat Protection (ATP). At the moment it looks as if Sophos products are misclassifying the Cloudflare IP address 188.114.97.3 as ATP C2\/Generic-A. After a blog reader informed me via a private Facebook message, here is what I have found out so far.<\/p>\n<p><!--more--><\/p>\n<h2>Sophos ATP and C2\/Generic<\/h2>\n<p>Sophos ATP (Advanced Threat Protection) is a feature of Sophos firewalls such as the <a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/17.5\/Help\/en-us\/webhelp\/onlinehelp\/index.html\" target=\"_blank\" rel=\"noopener\">XG Firewall<\/a> and the older UTM 9. 
<a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/17.5\/Help\/en-us\/webhelp\/onlinehelp\/nsg\/tasks\/ATPSettings.html\" target=\"_blank\" rel=\"noopener\">Advanced Threat Protection<\/a> analyzes inbound and outbound network traffic for threats. With ATP, administrators can quickly detect compromised clients on their network and log or drop traffic from those devices.<\/p>\n<p>A C2\/Generic alert in Sophos ATP only says that traffic (here a DNS answer) matched a generic command-and-control (C2) indicator from Sophos' threat intelligence, in this case the destination IP address 188.114.97.3. It does not prove that the client is infected: the indicator may be wrong, or the flagged address may be shared infrastructure (a CDN or a public DNS resolver) that serves many unrelated sites. Such detections can therefore be false positives, and a web search for ATP C2\/Generic turns up a number of such reports from recent years.<\/p>\n<h2>ATP classifies Cloudflare 188.114.97.3 as C2\/Generic-A<\/h2>\n<p>German blog reader Chris pointed me to <a href=\"https:\/\/community.sophos.com\/utm-firewall\/f\/german-forum\/137824\/atp-c2-generic-a-cloudflare-188-114-97-3?fbclid=IwAR1lL5hEL-SZxdOIYdgfrFDm9StTukZoU7Qe-Ggzfwx96zXIcNFY1dCJPYM\" target=\"_blank\" rel=\"noopener\">this discussion<\/a> on the Sophos forum, dated December 12, 2022. On Sunday a German user asked the following about a DNS query that had been flagged (I have translated the post):<\/p>\n<blockquote><p>ATP C2\/Generic-A Cloudflare 188.114.97.3 ?<\/p>\n<p>Good evening,<\/p>\n<p>Is there something behind Sophos classifying the IP 188.114.97.3 as malicious, or is it another false positive?<\/p>\n<p>The ATP of our UTM9 has been reporting this on DNS requests since Friday &#8230;<\/p>\n<p>..<\/p><\/blockquote>\n<p>Here is a screenshot from another source (a private FB group on the subject).<\/p>\n<p><img decoding=\"async\" title=\"Sophos ATP false positive\" src=\"https:\/\/i.imgur.com\/wpK7vtx.png\" alt=\"Sophos ATP false positive\" \/><\/p>\n<p>The problem is confirmed by other users. 
Someone posted the following log entries.<\/p>\n<pre>2022:12:11-23:15:50 UTMFIREWALL named[6673]: rpz: client @0xb69a808 xxx.xxx.xxx.xxx#55357 (mastodon.lol): view default: rpz IP NXDOMAIN rewrite mastodon.lol via 32.3.97.114.188.rpz-ip.rpz\r\n2022:12:11-23:15:50 UTMFIREWALL named[6673]: rpz: client @0xb69a808 xxx.xxx.xxx.xxx#56326 (mastodon.lol): view default: rpz IP NXDOMAIN rewrite mastodon.lol via 32.3.97.114.188.rpz-ip.rpz\r\n2022:12:11-23:15:55 UTMFIREWALL named[6673]: rpz: client @0xb69a808 xxx.xxx.xxx.xxx#49629 (mindly.social): view default: rpz IP NXDOMAIN rewrite mindly.social via 32.3.97.114.188.rpz-ip.rpz\r\n2022:12:11-23:15:55 UTMFIREWALL named[6673]: rpz: client @0xb69a808 xxx.xxx.xxx.xxx#47000 (mindly.social): view default: rpz IP NXDOMAIN rewrite mindly.social via 32.3.97.114.188.rpz-ip.rpz\r\n2022:12:11-23:15:55 UTMFIREWALL named[6673]: rpz: client @0xb69a808 xxx.xxx.xxx.xxx#55935 (mindly.social): view default: rpz IP NXDOMAIN rewrite mindly.social via 32.3.97.114.188.rpz-ip.rpz\r\n2022:12:11-23:16:00 UTMFIREWALL named[6673]: rpz: client @0xaf8bc20 xxx.xxx.xxx.xxx#37920 (mindly.social): view default: rpz IP NXDOMAIN rewrite mindly.social via 32.3.97.114.188.rpz-ip.rpz\r\n2022:12:11-23:16:00 UTMFIREWALL named[6673]: rpz: client @0xaf8bc20 xxx.xxx.xxx.xxx#48306 (mindly.social): view default: rpz IP NXDOMAIN rewrite mindly.social via 32.3.97.114.188.rpz-ip.rpz<\/pre>\n<p>These entries come from the BIND resolver (named) on the UTM. Its Response Policy Zone (RPZ) contains an IP trigger for 188.114.97.3\/32, written in RPZ notation as 32.3.97.114.188.rpz-ip (prefix length first, then the octets in reverse order), so every DNS answer that resolves to this address, here the Mastodon instances mastodon.lol and mindly.social, is rewritten to NXDOMAIN and the client gets no address back. Because the trigger is the IP address and not the domain name, every site behind that Cloudflare address is affected at once.<\/p>\n<p>Others in the thread report Advanced Threat Protection alerts from the firewall for additional addresses (e.g. Google DNS). Another user writes:<\/p>\n<blockquote><p>I am having the same fun.<\/p>\n<p>On VirusTotal the IP is classified as malicious only by Sophos and Webroot; yesterday there were three providers. I strongly suspect a false positive. 
The underlying DNS queries now look quite unremarkable at my end.<\/p>\n<p>Is there actually a direct place at Sophos where one can report such false positives so that they get re-examined?<\/p><\/blockquote>\n<p>Currently I assume that the ATP alerts are a false positive. Is anyone else among the readers affected by this? Is there any more detailed information about it?<\/p>\n<p><strong>Addendum:<\/strong> On the forum, one affected person says: \"The XGs are a bit more talkative; it seems to be some Edge feature again. Maybe the automatically displayed messages? Microsoft itself will probably not host anything at Cloudflare&#8230;\" For the past two hours the problem seems to have been fixed.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]A quick survey, or rather a note, for administrators who use Sophos security solutions with Advanced Threat Protection (ATP). At the moment it looks as if Sophos products are misclassifying the Cloudflare IP address 188.114.97.3 as ATP C2\/Generic-A. After a blog reader informed me via a private Facebook &hellip; <a href=\"https:\/\/borncity.com\/win\/2022\/12\/12\/sophos-atp-reports-cloudflare-188-114-97-3-as-c2-generic-a-false-positive-dec-2022\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1319],"tags":[],"class_list":["post-27996","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/27996","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=27996"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/27996\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=27996"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=27996"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=27996"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
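The named log lines quoted in the post show how the UTM's Response Policy Zone blocks by resolved IP address, which is why two unrelated Mastodon instances disappeared at the same time. The following Python script is an added example, not code from the blog post, from the forum users or from Sophos: it parses log lines of exactly that format, decodes the rpz-ip trigger name back into a CIDR network (the reversed-octet notation, and the "zz" shorthand for "::" in IPv6 triggers, are standard BIND RPZ conventions), groups the rewritten query names per trigger, and flags any single-host trigger that swallows several distinct domains as a shared-address (CDN) false-positive candidate. The sample log is constructed in the same format as the posted lines; the c2.example.test entry and the 203.0.113.10 address are invented, the two-domain threshold is an arbitrary choice, and the rpz-passthru record it prints is generic BIND syntax for a zone you administer yourself, not a Sophos setting.

```python
"""Triage BIND RPZ rewrite log lines of the kind posted in the Sophos thread.

Added example (not code from the blog post or from Sophos). Decodes the
'<prefix>.<reversed address>.rpz-ip' trigger into a network, groups the
rewritten query names per trigger and flags single-host triggers that catch
several unrelated domains, the typical signature of a blocked CDN address.
"""
import ipaddress
import re
from collections import defaultdict

# Interesting part of a named RPZ log line; the syslog prefix is skipped by search().
RPZ_LINE = re.compile(
    r"rpz: client \S+ (?P<client>\S+) \((?P<qname>[^)]+)\): view \S+: "
    r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite (?P<rewritten>\S+) "
    r"via (?P<rpzname>\S+)"
)
ADDRESS_TRIGGERS = {"IP", "NSIP", "CLIENT-IP"}   # triggers whose name encodes an address

# Constructed sample in the format of the posted lines (client addresses masked as
# in the original; the c2.example.test / 203.0.113.10 entry and the plain query
# line are invented to show a single-domain hit and a non-RPZ line being skipped).
SAMPLE_LOG = """\
2022:12:11-23:15:50 UTMFIREWALL named[6673]: rpz: client @0xb69a808 xxx.xxx.xxx.xxx#55357 (mastodon.lol): view default: rpz IP NXDOMAIN rewrite mastodon.lol via 32.3.97.114.188.rpz-ip.rpz
2022:12:11-23:15:55 UTMFIREWALL named[6673]: rpz: client @0xb69a808 xxx.xxx.xxx.xxx#49629 (mindly.social): view default: rpz IP NXDOMAIN rewrite mindly.social via 32.3.97.114.188.rpz-ip.rpz
2022:12:11-23:16:00 UTMFIREWALL named[6673]: rpz: client @0xaf8bc20 xxx.xxx.xxx.xxx#37920 (mindly.social): view default: rpz IP NXDOMAIN rewrite mindly.social via 32.3.97.114.188.rpz-ip.rpz
2022:12:11-23:16:07 UTMFIREWALL named[6673]: rpz: client @0xaf8bc20 xxx.xxx.xxx.xxx#40112 (c2.example.test): view default: rpz IP NXDOMAIN rewrite c2.example.test via 32.10.113.0.203.rpz-ip.rpz
2022:12:11-23:16:08 UTMFIREWALL named[6673]: client @0xaf8bc20 xxx.xxx.xxx.xxx#40113 (www.example.test): query: www.example.test IN A + (xxx.xxx.xxx.xxx)
""".splitlines()


def decode_rpz_ip(rpzname):
    """'32.3.97.114.188.rpz-ip.rpz' -> IPv4Network('188.114.97.3/32').

    RPZ address triggers are '<prefix>.<B4>.<B3>.<B2>.<B1>.rpz-ip' (IPv4) or
    '<prefix>.<W8>...<W1>.rpz-ip' (IPv6), i.e. the address labels in reverse
    order, with 'zz' standing for '::'. Labels from the marker on are dropped.
    """
    labels = rpzname.rstrip(".").split(".")
    for marker in ("rpz-ip", "rpz-nsip", "rpz-client-ip"):
        if marker in labels:
            labels = labels[: labels.index(marker)]
            break
    else:
        raise ValueError(f"no address-trigger marker in {rpzname!r}")
    prefix, words = int(labels[0]), labels[1:][::-1]   # undo the reversal
    if "zz" in words:                                   # IPv6 with '::'
        i = words.index("zz")
        addr = ":".join(words[:i]) + "::" + ":".join(words[i + 1:])
    elif len(words) == 4:
        addr = ".".join(words)
    else:
        addr = ":".join(words)
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_rpz_lines(lines):
    """Yield one dict per RPZ rewrite line; other log lines are skipped."""
    for line in lines:
        m = RPZ_LINE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["network"] = (decode_rpz_ip(rec["rpzname"])
                          if rec["trigger"] in ADDRESS_TRIGGERS else None)
        yield rec


def group_by_trigger(lines):
    """Map each address trigger network to the set of query names it rewrote."""
    hits = defaultdict(set)
    for rec in parse_rpz_lines(lines):
        if rec["network"] is not None:
            hits[rec["network"]].add(rec["qname"])
    return dict(hits)


def shared_address_candidates(hits, min_domains=2):
    """Single-host (/32 or /128) triggers that rewrote several distinct domains.

    Many unrelated names resolving to one address is typical of a CDN or shared
    hosting, so such a block is probably catching bystanders and deserves a
    manual check before it is read as evidence of compromise. The threshold is
    an arbitrary choice for this example.
    """
    return {net: sorted(names) for net, names in hits.items()
            if net.prefixlen == net.max_prefixlen and len(names) >= min_domains}


def passthru_record(net):
    """BIND RPZ record whitelisting `net` in a zone you run yourself (generic BIND
    syntax, not a Sophos setting): the address is re-encoded in reversed form."""
    if net.version == 4:
        parts = net.network_address.exploded.split(".")
    else:
        parts = net.network_address.compressed.replace("::", ":zz:").strip(":").split(":")
    return f"{net.prefixlen}.{'.'.join(reversed(parts))}.rpz-ip  CNAME  rpz-passthru."


def main():
    hits = group_by_trigger(SAMPLE_LOG)
    for net, names in sorted(hits.items(), key=lambda kv: str(kv[0])):
        print(f"{net}: {len(names)} domain(s): {', '.join(sorted(names))}")
    for net, names in shared_address_candidates(hits).items():
        print(f"CHECK {net}: {len(names)} unrelated domains resolve here, "
              f"likely shared hosting/CDN. Override once confirmed benign:")
        print("    " + passthru_record(net))


if __name__ == "__main__":
    main()
```

Run against the real named log (`grep 'rpz:' /var/log/named.log | python3 rpz_triage.py` style, replacing SAMPLE_LOG with stdin) and the Cloudflare trigger stands out immediately: one /32, several unrelated fediverse domains, while a genuine C2 host normally shows a single name or none at all.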