Responding to an Advanced Threat Protection (ATP) detection: turn on every available security feature in the Sophos endpoint product installed on the affected device, and isolate the endpoint on which the ATP detection was reported from the network. Then log on to the WebAdmin, go to Logging & Reporting > View Log Files, and check the following log files, since ATP reports in all of them: http.log, ips.log, aptp.log.
The Firewall Management dashboard lets you see firewall activity at a glance.
Go to Firewall Management > Dashboard to see your activity.
You can see details of the following:
- Alerts
- Firewalls
- Advanced threat protection
- Intrusion prevention
- Web activity
Alerts
The Alerts section shows you statistics for alerts in Sophos Central. This shows all alerts, not just firewall alerts.
To see full details of all alerts, click View All Alerts.
To see a filtered list of alerts, click on the figure for the alert priority (High, Medium or Info).
At the main alerts list, you can investigate and take action against alerts.
Firewalls
The Firewalls section shows the current status of firewalls. You can see here if firewalls need attention for any of these reasons:
- Not connected
- Not managed
- License expiring
- Health issues
To see the full list of firewalls and resolve issues, click Show All Firewalls.
Advanced Threat Protection
This shows you statistics for threats detected by firewalls in the previous two hours.
Advanced threat protection (ATP) analyzes incoming and outgoing network traffic (for example, DNS requests, HTTP requests, and IP packets) for threats. Using ATP, you can quickly detect compromised clients in your network and raise an alert or drop the traffic from those clients.
ATP also uses cloud-based sandboxing, which analyzes suspicious content, so that you can decide whether files are safe to allow.
If an attack starts, ATP can prevent devices from connecting to command-and-control servers outside your network.
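As an added example (not Sophos code and not from this page), the following Python models the detection logic these paragraphs describe: DNS requests, HTTP requests and raw IP flows from internal clients are checked against an indicator set, a client that hits an indicator is recorded as compromised, and a policy of either "log" or "drop" decides whether the hit only raises an alert or also blocks the traffic. The indicator list, the event format, the exception list and the policy names are assumptions made for illustration; the sample events are constructed.

```python
"""Added example: a minimal ATP-style detector over traffic events.

Indicators, exceptions, event layout and policy names are constructed for
illustration; they are not Sophos data or a Sophos API.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed indicator set. Domains match themselves and any subdomain;
# networks match any address inside the prefix; exceptions are never flagged.
INDICATORS = {
    "domains": {"c2.example.net", "evil.example"},
    "networks": [ipaddress.ip_network("203.0.113.0/24")],
    "exceptions": {"safe.evil.example"},
}


def match_domain(name, ind):
    """Return the indicator matching NAME or one of its parent domains.
    An exception that is a closer match than the indicator wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in ind["exceptions"]:
            return None
        if cand in ind["domains"]:
            return cand
    return None


def match_ip(ip, ind):
    """Return the network indicator containing IP, or None."""
    addr = ipaddress.ip_address(ip)  # raises ValueError for non-addresses
    if str(addr) in ind["exceptions"]:
        return None
    for net in ind["networks"]:
        if addr in net:
            return str(net)
    return None


def inspect(event, ind):
    """Check one traffic event (dns, http or ip); return the indicator hit or None."""
    kind = event["type"]
    if kind == "dns":
        return match_domain(event["qname"], ind)
    if kind == "http":
        host = urlsplit(event["url"]).hostname or ""
        hit = match_domain(host, ind)
        if hit is None:
            try:
                hit = match_ip(host, ind)  # URL may carry a literal address
            except ValueError:
                hit = None
        return hit
    if kind == "ip":
        return match_ip(event["dst"], ind)
    raise ValueError(f"unknown event type {kind!r}")


def run_atp(events, policy="drop", ind=INDICATORS):
    """Evaluate EVENTS under POLICY: 'log' only alerts, 'drop' also blocks.
    Returns (verdicts, compromised_hosts)."""
    if policy not in ("log", "drop"):
        raise ValueError("policy must be 'log' or 'drop'")
    verdicts, compromised = [], set()
    for ev in events:
        hit = inspect(ev, ind)
        if hit is None:
            verdicts.append({"src": ev["src"], "action": "allow", "indicator": None})
            continue
        compromised.add(ev["src"])  # the client is flagged regardless of policy
        verdicts.append({"src": ev["src"], "action": policy, "indicator": hit})
    return verdicts, compromised


# Constructed sample traffic from four internal clients.
EVENTS = [
    {"type": "dns", "src": "10.0.0.5", "qname": "beacon.c2.example.net"},
    {"type": "http", "src": "10.0.0.7", "url": "http://203.0.113.9/gate.php"},
    {"type": "dns", "src": "10.0.0.8", "qname": "safe.evil.example"},
    {"type": "ip", "src": "10.0.0.9", "dst": "198.51.100.4"},
]

if __name__ == "__main__":
    verdicts, hosts = run_atp(EVENTS, policy="drop")
    for v in verdicts:
        print(v)
    print("compromised clients:", sorted(hosts))
```

The third event shows why an exception list matters: a host explicitly excepted stays allowed even though its parent domain is an indicator, which is the kind of exclusion an administrator needs when an indicator feed is too broad.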
Intrusion Attacks
This shows statistics for intrusion prevention.
Intrusion prevention looks for anomalies in network traffic in order to detect and prevent denial of service (DoS), spoofing and similar attacks.
In Sophos XG Firewall you can specify the action to take when anomalies are found.
Web activity
The graph shows web activity measured at five-minute intervals for the previous two hours.
First Seen: 29.01.2021
Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can
Nextcloud version (eg, 20.0.5): 20.0.7
Operating system and version (eg, Ubuntu 20.04): Ubuntu 16.04
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.46
PHP version (eg, 7.4): 7.4.12
Sophos Atp Logs
The issue you are facing:
The Sophos Firewall sends a critical mail with the following message:
Advanced Threat Protection
A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name…: C2/Generic-A
Details…: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time…: 2021-03-15 20:18:55
Traffic blocked: yes
Source IP address or host: “local IP nextcloud server”
A look into the Sophos logs shows:
threatname="C2/Generic-A" dstmac='00:1a:8c:f0:51:60'dstip="61.219.11.153"
Is this the first time you’ve seen this error? No
Steps to replicate it:
- Run a Nextcloud behind a Sophos SG Firewall
- Watch the Log
Just seen on two different Nextcloud instances behind a Sophos SG Firewall, where the traffic to 61.219.11.153 is blocked.
Why is Nextcloud trying to communicate with 61.219.11.153?
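The log-file check from the ATP response steps at the top of the page, applied to entries in the key=value form of the log line posted above, as an added example that is neither Sophos code nor the poster's. It parses double-quoted, single-quoted and bare values (including two pairs written without a separating space, as in the posted line), keeps only records that carry a threatname, summarises detections per source host, and lists which internal hosts were seen talking to a given destination. The sample lines are constructed to resemble the posted entry; the field names other than threatname, dstmac and dstip, the process names and the internal addresses are assumptions.

```python
"""Added example: triage ATP records from key=value firewall log lines.

The sample lines, field names (beyond threatname/dstmac/dstip) and hosts
are constructed for illustration and are not taken from a real Sophos log.
"""
import re
from collections import Counter, defaultdict

# key="double quoted" | key='single quoted' | key=bare
KV_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")


def parse_kv(line):
    """Return the key=value pairs of LINE as a dict.
    Works even when two pairs are not separated by whitespace."""
    return {k: dq or sq or bare for k, dq, sq, bare in KV_RE.findall(line)}


def triage(lines):
    """Summarise ATP detections per source host.
    A record counts as ATP when it carries a threatname; lines from other
    subsystems (plain proxy or IPS entries) are skipped."""
    report = defaultdict(lambda: {"count": 0, "threats": Counter(),
                                  "dsts": Counter(), "blocked": True})
    for line in lines:
        kv = parse_kv(line)
        if "threatname" not in kv:
            continue
        entry = report[kv.get("srcip", "?")]
        entry["count"] += 1
        entry["threats"][kv["threatname"]] += 1
        entry["dsts"][kv.get("dstip", "?")] += 1
        if kv.get("action") != "drop":
            entry["blocked"] = False  # at least one hit was only logged
    return dict(report)


def hosts_talking_to(lines, dst_ip):
    """Sorted list of source hosts whose ATP records point at DST_IP."""
    hosts = {parse_kv(l).get("srcip", "?") for l in lines
             if "threatname" in parse_kv(l) and parse_kv(l).get("dstip") == dst_ip}
    return sorted(hosts)


# Constructed sample lines modelled on the posted entry (hypothetical hosts).
SAMPLE_LOG = [
    '2021:03:15-20:18:55 fw aptp[2231]: id="2021" name="Packet dropped (ATP)" action="drop" '
    'srcip="192.168.10.20" threatname="C2/Generic-A" dstmac=\'00:1a:8c:f0:51:60\'dstip="61.219.11.153" dstport="443"',
    '2021:03:15-20:18:56 fw httpproxy[1422]: id="0060" name="http access" action="pass" '
    'srcip="192.168.10.20" dsthost="updates.example.org" url="https://updates.example.org/?v=1" statuscode="200"',
    '2021:03:15-21:02:11 fw aptp[2231]: id="2021" name="Packet dropped (ATP)" action="drop" '
    'srcip="192.168.10.20" threatname="C2/Generic-A" dstip="61.219.11.153" dstport="80"',
    '2021:03:16-08:14:03 fw aptp[2231]: id="2022" name="Packet logged (ATP)" action="log" '
    'srcip="192.168.10.21" threatname="C2/Generic-A" dstip="61.219.11.153" dstport="443"',
]

if __name__ == "__main__":
    for host, entry in triage(SAMPLE_LOG).items():
        print(host, entry["count"], dict(entry["threats"]),
              dict(entry["dsts"]), "blocked" if entry["blocked"] else "NOT fully blocked")
    print("hosts seen contacting 61.219.11.153:", hosts_talking_to(SAMPLE_LOG, "61.219.11.153"))
```

Run it over the concatenated http.log, ips.log and aptp.log rather than one file: the "blocked" flag only tells the truth when every record for a host is present, and a host whose hits were merely logged is the one to isolate first.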