Sophos Firewall ATP blocks network connection for Nextcloud

Support intro

First Seen: 29.01.2021

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 20.0.5): 20.0.7
Operating system and version (eg, Ubuntu 20.04): Ubuntu 16.04
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.46
PHP version (eg, 7.4): 7.4.12

The issue you are facing:
The Sophos Firewall send a Criticall Mail with the following message:

Advanced Threat Protection
A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name…: C2/Generic-A
Time…: 2021-03-15 20:18:55
Traffic blocked: yes
Source IP address or host: “local IP nextcloud server”

A look into the Sophos Logs are saying:
threatname=“C2/Generic-A” dstmac="00:1a:8c:f0:51:60"dstip=“”

Is this the first time you’ve seen this error? No

Steps to replicate it:

  1. Run a Nextcloud behind a Sophos SG Firewall
  2. Watch the Log

Just seen on two different nextcloud behind a Sophos SG Firewall, where the traffic to is blocked.

Why the nextcloud are trying to communicate with

We have exactly the same behavior with our Sophos Firewall.We also have the IP address detected as a C2/Generic-A threat in Advanced Threat Protection. We are currently using Nextclouzd 18.0.14. Does anyone have an explanation for this?

I wonder if a particular app is triggering this. I too have sophos & nextcloud 20.0.7 but have not encountered this alert.

List of active apps:



You have misunderstood something.
It’s about the Sophos Firewall ATP, not about an app.
Sophos Firewall ATP is a Advanced Threat Protection for corporate networks.

No he did not. He asked a perfectly legitimate and obvious question. Something on your server is trying to connect to this IP address. If it is not Nextcloud itself, it could be a 3rd party app within Nextcloud. Therefore he listed the apps he has installed, so that you can compare them to yours.