Malware traffic detected by Sophos UTM?

Hello, while my laptop was idling my Sophos UTM detected a C&C traffic from that machine to a remote server
Browsing to that ftp /manjaro blocks the traffic with the message:
The content is blocked due to the following condition:
You are trying to visit a URL that is normally only visited by a threat installed on a computer. Your computer may be infected with malware, please contact your administrator.

Is it a false positive?
Is the ftp site recognized and well known?!
And why my laptop is talking to a ftp server while not used in the first place?
Thanks in advance for reply.

It’s a repository mirror. Your computer is probably just checking for updates.

Thanks for the reply. I will report a false positive to Sophos then. But this never happened before, that is why I was concerned…

Manjaro systems comes with Pamac - which handles periodical check for updates - this is a background service - and you can disable the check - but doing so requires you to manually check for updates from time to time.

Another activity you will discover at some point - is NetworkManager which uses an internet address discover if network is up and connected. ([] - if I recall correct)

You can control which mirror(s) is used by using the pacman-mirrors utility.

It will also connect to ( not sure about the previously mentioned for connectivity checks.
The specific file is /usr/lib/NetworkManager/conf.d/20-connectivity.conf:


You can delete that file, comment it out, override it with a new file /etc/NetworkManager/conf.d/20-connectivity.conf, or increase the time between checks with e.g.:


I changed mine to 36000

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.