Thunder VPN

I’m seeing this on all the security reports I get. One of them even showed 400mb of data transfer.

I know for a fact none of the users have or are using Thunder VPN, so my question is: is this a false positive, and if so, from what?

It's annoying seeing a level 5 high-concern app show up on my reports weekly, so I have to check just in case every time.

We see it all the time as well.

Looks like there was an error in the IPS pattern: https://community.sophos.com/sophos-xg-firewall/f/discussions/129054/any-experience-with-an-excessive-number-of-thundervpn-hits/

Probably a false positive. A lot of NTP traffic gets flagged as Thunder VPN.

We had similar detections flooding our XG IPS Logs which are mostly resolved now.

The app detection in XG is open source trash. “Oh hey there is high risk VPN traffic but that’s all we can help you with LOL.”

I guess the question is: how do you “know for a fact” that no users are running it? The reports should show you which user, or at least which IP address, the traffic is coming from. Is it a user desktop? A mobile device? Could it be running in a portable/non-installed mode?

If you have Sophos Intercept X on your endpoints, you should get additional visibility into where exactly the traffic is coming from.

What alternative do you suggest?

Yes, on the one with 500mb transfer I checked the two PCs that the traffic was coming from, and nothing. The users were also not the type who would go near anything like that.

It just seems very odd that across like 8 different customers this Thunder VPN shows on every single one, ranging from 8kb transfer to 500mb. Even customers who have completely separate wifi which doesn't go through the Sophos.

I'll have a look at Sophos endpoint to see if I can get more info.
Cheers

Found out the destination IPs were Google IPs and some were Zoom IPs. So what gives there? That obviously isn't Thunder VPN then.