jasimon9 (Advisor, Posts: 18, Registered: 05-06-2012)

Sophos tries to contact a server on my company VPN

Periodically my outbound firewall LittleSnitch tells me that Sophos AV for Mac is trying to contact the IP at 10.0.0.98. This would be the address of the DNS nameserver that my company operates over a VPN.

Why would Sophos be trying to contact this server?

QC (VIP, Posts: 262, Registered: 11-02-2010)

Re: Sophos tries to contact a server on my company VPN

Hello jasimon9,

for AutoUpdate the download server has to be resolved; this should happen at 1-hour intervals. In addition, if Live Protection is enabled, when a lookup-enabled detection is triggered.

Christian

Agile (Employee, Posts: 1,195, Registered: 11-02-2010)

Re: Sophos tries to contact a server on my company VPN

Just to clarify: Live Protection uses custom DNS requests to contact Sophos regarding suspicious files.  The DNS lookup request is actually transferring the data to be examined to the Live Protection server; the response to this request contains the "good/bad" verdict.  This data does not contain any actual content from your computer, but contains a hash of the flagged file, to be compared to known hashes in the Live Protection system.  For it to work, Little Snitch has to let these queries go through.

If you have auto-update and live protection disabled, Little Snitch should not be triggering any Sophos-related connection attempts.

-
Andrew
Threat Researcher
SophosLabs


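As an added illustration of the mechanism described above (this is not Sophos code; the domain names and log lines are constructed, and the real Live Protection domains are not assumed), a small Python script that classifies DNS queries from a per-process log so an administrator can tell hash-carrying reputation lookups from ordinary hostname resolution and allow them by parent domain rather than by the DNS server's IP:

```python
"""Classify DNS queries seen by an outbound firewall: reputation-style
lookups that carry a file hash in the query name versus ordinary hostname
lookups (such as resolving an update server).  Added example, not Sophos
code; domains and log lines below are constructed."""
import re
from collections import Counter

# A leftmost label made only of hex digits with the length of a common
# digest (MD5 = 32, SHA-1 = 40) is the fingerprint of a hash-in-DNS lookup.
# A DNS label may not exceed 63 octets, so a SHA-256 digest (64 hex chars)
# cannot travel in a single label and is not matched here.
HEX_DIGEST_LABEL = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$", re.I)

# Constructed log format: "<timestamp> <process> <qtype> <qname>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|TXT)\s+(\S+)$")


def classify_query(qname: str) -> str:
    """Return 'hash-lookup' when the leftmost label is a hex digest,
    otherwise 'hostname'."""
    first_label = qname.rstrip(".").split(".")[0]
    return "hash-lookup" if HEX_DIGEST_LABEL.match(first_label) else "hostname"


def summarize(log_text: str) -> dict:
    """Count queries per (process, class, parent domain).  For hash lookups
    the parent domain (everything after the digest label) is the stable
    part worth an allow rule; the answer IP is not."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing
        _ts, process, _qtype, qname = m.groups()
        kind = classify_query(qname)
        labels = qname.rstrip(".").split(".")
        parent = ".".join(labels[1:]) if kind == "hash-lookup" else ".".join(labels)
        counts[(process, kind, parent)] += 1
    return dict(counts)


# Constructed sample of what a per-process DNS log might contain.
SAMPLE_LOG = """\
2012-05-06T10:00:01 SophosAV TXT 9e107d9d372bb6826bd81d3542a419d6.lookup.example.invalid.
2012-05-06T10:00:05 SophosAV A update.example.invalid.
2012-05-06T10:02:00 Safari A www.example.org.
2012-05-06T10:03:00 SophosAV TXT 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12.lookup.example.invalid.
garbage line without structure
"""

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
```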
jasimon9 (Advisor, Posts: 18, Registered: 05-06-2012)

Re: Sophos tries to contact a server on my company VPN

I think your answer further clarifies how Live Protection works.

jasimon9 (Advisor, Posts: 18, Registered: 05-06-2012)

Re: Sophos tries to contact a server on my company VPN

Yes, I do have Live Protection enabled. What I gather from your response is that Sophos AV needs to make a DNS call in order to contact the Sophos server. This seems perfectly normal. It just so happens that we use our own DNS server on our VPN. So that explains it.

My original question arose because it seemed like "it kept doing this". This may be an artifact of my use of Sophos, in that I probably cleared some rules, so the rules had to be set up again. Plus I probably only created temporary rules, and thus the notifications from LittleSnitch recurred. Finally, there have been some threat reports recently of malware in emails filtered by my spam filter. So this again all makes sense.

Thanks for your response.