C2/Generic-A and C2/Generic-C False Positive Issues

Having a specific endpoint that is reporting false positives for applications I know for a fact are not malware or viruses.  Already opened a support ticket with Sophos and sent the SDU. This particular endpoint is running Windows 10 Enterprise "Fall Creators" edition build 1709.  It continues to have communication (MCS) issues with Sophos Central.  Of course, our XG firewall is flagging it as a risk.  Unfortunately I can't go back to a prior Windows build (1703).  Was curious if others are having this issue?



  • I assume the C2 detections are made at the client by the MTD component if it's not a browser process making the connection?

    The application could be genuine but a C2 detection is more about what it is connecting to as a C2 detection is based on Sophos Labs classifying a site as being malicious.

    What is the application and what is the IP/site?

    Do the logs under:

    C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs

    reference this detection?

  • Jak,

    chrome.exe is the browser process making the connection. I know for a fact it is clean. The other app is my recipe manager (Paprika, Paprika.exe) that I've used for years. This didn't start happening until a recent client update somewhere around November. We are a Sophos partner and have many clients running Windows 10 (Pro or Enterprise), but not the "Fall Creators" edition, without any issues. Even at our site, only my laptop is running the "Fall Creators" edition.

    The log file you talk about is actually under C:\ProgramData\Sophos\Sophos Anti-Virus\logs in a file called SAV.txt, and both are listed. The other issue is MCS (Management Communication System), which is broken. I can remove Chrome and Paprika and still it won't clear in SC. I'm trying to find the thread I ran across regarding Sophos EAP and Windows 10 "Fall Creators" edition, as others seem to be having issues.

    There are a couple of plugins in Chrome that may be flagged as "Command and Control" (C2), but those same plugins are running in Firefox as well and there are no issues there. I may just remove Chrome altogether and whitelist the Paprika app and be done with it, or until the Sophos development team figures this out.

    Here is some of the output of the SAV.log file:

    20171229 041759 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
    20171229 041759 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
    20171229 041803 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'.
    20171229 041803 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'.
    20171229 041804 File "C:\program files (x86)\paprika recipe manager\Paprika.exe" belongs to virus/spyware 'C2/Generic-C'.
    20171229 041804 Virus/spyware 'C2/Generic-C' is not removable.
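The SAV.txt lines above, run through a small triage parser. This is an added example, not code from the post or from Sophos: the log lines are the ones quoted above, embedded as constructed test input, and the field names and the C:\Windows\ filter in exclusion_candidates are the example's own choices rather than anything Sophos documents.

```python
import re
from collections import defaultdict

# Constructed test input: the SAV.txt lines quoted in the post above.
# Line shape: YYYYMMDD HHMMSS File "<path>" belongs to virus/spyware '<name>'.
# optionally followed by "Threat ID: N." and an action such as "No action taken."
SAV_LOG = r'''20171229 041759 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
20171229 041759 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
20171229 041803 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'.
20171229 041803 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'.
20171229 041804 File "C:\program files (x86)\paprika recipe manager\Paprika.exe" belongs to virus/spyware 'C2/Generic-C'.
20171229 041804 Virus/spyware 'C2/Generic-C' is not removable.
'''

# Only the 'File "..." belongs to' lines carry a process path; the trailing
# "Threat ID" and action fragments are optional, as the sample shows.
DETECTION_RE = re.compile(
    r'^(?P<date>\d{8}) (?P<time>\d{6}) File "(?P<path>[^"]+)" belongs to virus/spyware '
    r"'(?P<threat>[^']+)'\.(?: Threat ID: (?P<tid>\d+)\.)?(?: (?P<action>.*))?$"
)


def parse_detections(text):
    """Return one dict per detection line (date, time, path, threat, tid, action).

    Lines that do not name a file, such as the 'is not removable' summary, are skipped.
    """
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["action"] = (d["action"] or "").rstrip(".") or None
        found.append(d)
    return found


def flagged_paths(detections):
    """Distinct flagged paths per threat name, case-folded so repeats collapse."""
    by_threat = defaultdict(set)
    for d in detections:
        by_threat[d["threat"]].add(d["path"].lower())
    return {threat: sorted(paths) for threat, paths in by_threat.items()}


# Example's own policy choice: never propose an exclusion for a Windows binary.
SYSTEM_PREFIXES = ("c:\\windows\\",)


def exclusion_candidates(detections):
    """Flagged paths worth considering for a file exclusion.

    svchost.exe hosts arbitrary services and is a common place for malware to
    run, so excluding it from network monitoring would blind MTD rather than
    cure a false positive; a detection on it needs the destination from the
    SNTP log, not an exclusion.
    """
    paths = {d["path"].lower() for d in detections}
    return sorted(p for p in paths if not p.startswith(SYSTEM_PREFIXES))


if __name__ == "__main__":
    dets = parse_detections(SAV_LOG)
    for threat, paths in flagged_paths(dets).items():
        print(threat)
        for p in paths:
            print("  ", p)
    print("exclusion candidates:", exclusion_candidates(dets))
```

The parser keeps the action text because it is the quickest way to see which detections were only logged ("No action taken") and which had no action recorded at all; the distinction matters when deciding whether the alert in Central reflects anything the endpoint actually blocked.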

  • Does the SNTP log file under:

    "C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\"

    ...not tell you where the Paprika.exe and svchost.exe process are talking to which is causing the detection?

    It may well be that once you find the IP/domain that Sophos Labs have defined to be a C2 site, you can ask them for a reason.

    Note: You can test the classification by just navigating to the site/ip in the browser.

    In the meantime/in parallel, you can make a file/folder exclusion in the "Threat Protection" part of the policy (or global exclusions) for the process name or path and it will set it under:

    C:\ProgramData\Sophos\Sophos Network Threat Protection\Config\Policy.xml

    For example, you can make a "file" exclusion for:

    C:\program files (x86)\paprika recipe manager\Paprika.exe

    ...this will then not be checked by MTD.

    Regards,

    Jak

  • Jak,

    Yes, the log file does show their website: www.paprikaapp.com. This is used to sync grocery lists to my mobile phone via their site.  I've already put an exclusion in SC, but because of the MCS issue, the policy isn't applying.  Thanks for the location of the .XML.  I'll make the exclusion there until there is a fix for the MCS issue. Just made the following entry:

    <?xml version="1.0"?>
    <policy xmlns="com.sophos\mansys\policy" xmlns:xsd="www.w3.org/.../XMLSchema" xmlns:xsi="www.w3.org/.../XMLSchema-instance">
      <csc:Comp xmlns:csc="com.sophos\msys\csc" policyType="24" RevID="57a918187be6cb40569fe51f0c259a834f6fe53427fe6e4ac284dd2b0a95e526"/>
      <configuration xmlns="www.sophos.com/.../NetworkThreatProtection.xsd">
        <enabled>true</enabled>
        <connectionTracking>true</connectionTracking>
        <exclusions>
          <filePathSet>
            <filePath>D:\Users\Gio\SyncedFolder</filePath>
          </filePathSet>
          <filePathSet>
            <filePath>"C:\Program Files (x86)\Paprika Recipe Manager\Paprika.exe"</filePath>
          </filePathSet>
        </exclusions>
      </configuration>
    </policy>
    
    The last issue is how I clear the event. I removed Chrome, but the event still displays. Typically, I clear it from SC and acknowledge the event which clears it on the endpoint.

  • This is most likely a false positive issue related to:

    You should be able to just acknowledge the alerts in Sophos Central on each endpoint to clear them.

  • Greg, Please read the rest of my prior comments.  It's been cleared in SC, but because of the MCS issue, it never clears at the endpoint (this one in particular).

  • Also, I've already seen that thread.  Has nothing to do with my issue.

  • Is the problem with MCS evident in the MCS Client log as found under:

    C:\ProgramData\Sophos\Management Communications System\Endpoint\Logs\

    Also, from these exclusions:

    <filePath>D:\Users\Gio\SyncedFolder</filePath>

    I assume that should have a trailing backslash so as to exclude the directory SyncedFolder rather than a file called SyncedFolder?

    For directory exclusions, they always need a trailing backslash.

    Regards,

    Jak
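Jak's two points about the posted Policy.xml, the missing trailing backslash on the directory entry and the quotes around the Paprika path, as a checker over a fragment of that file. This is an added example, not Sophos code or the poster's: the sample XML is constructed from the excerpt posted earlier in the thread, with its namespace strings copied as they appear there (elisions included), so CONF_NS is the value to adjust for a real endpoint; and the matching rule in is_excluded is an assumption about how a file or directory entry is applied, not Sophos's documented algorithm.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Policy.xml excerpt posted in this thread.
# Namespace strings are copied as they appear there ("..." elisions included);
# on a real endpoint the configuration namespace differs, so CONF_NS is the one
# value to change. The quoted Paprika entry and the directory without a
# trailing backslash are reproduced on purpose so the linter has work to do.
POLICY_NS = r"com.sophos\mansys\policy"
CONF_NS = "www.sophos.com/.../NetworkThreatProtection.xsd"
SAMPLE_POLICY = (
    '<?xml version="1.0"?>\n'
    '<policy xmlns="' + POLICY_NS + '">\n'
    '  <configuration xmlns="' + CONF_NS + '">\n'
    '    <enabled>true</enabled>\n'
    '    <connectionTracking>true</connectionTracking>\n'
    '    <exclusions>\n'
    '      <filePathSet><filePath>D:\\Users\\Gio\\SyncedFolder</filePath></filePathSet>\n'
    '      <filePathSet><filePath>"C:\\Program Files (x86)\\Paprika Recipe Manager\\Paprika.exe"</filePath></filePathSet>\n'
    '    </exclusions>\n'
    '  </configuration>\n'
    '</policy>\n'
)
NS = {"c": CONF_NS}


def list_exclusions(xml_text):
    """The filePath texts under <exclusions>, in file order."""
    root = ET.fromstring(xml_text)
    return [fp.text or "" for fp in root.findall(".//c:exclusions/c:filePathSet/c:filePath", NS)]


def lint_exclusions(xml_text):
    """Flag entries that will not do what the author meant.

    Quotes inside an XML element are ordinary characters, so a quoted path is
    a different path. An entry with no extension and no trailing backslash is
    ambiguous: if a directory was intended, it needs the backslash.
    """
    findings = []
    for raw in list_exclusions(xml_text):
        path = raw.strip()
        if len(path) >= 2 and path[0] == path[-1] == '"':
            findings.append((raw, "quoted: the quotes become part of the path, remove them"))
            path = path[1:-1]
        if path.endswith("\\"):
            continue  # explicit directory exclusion
        if "." not in path.rsplit("\\", 1)[-1]:
            findings.append((raw, "no extension and no trailing backslash: add '\\' if this is a directory"))
    return findings


def is_excluded(target, exclusions):
    """Assumed matching rule (this example's model, not Sophos's documented one):
    an entry ending in a backslash covers everything below that directory,
    any other entry must equal the full file path. Case-insensitive, as
    Windows paths are."""
    t = target.lower()
    for ex in exclusions:
        e = ex.strip().lower()
        if e.endswith("\\"):
            if t.startswith(e):
                return True
        elif t == e:
            return True
    return False


def add_file_exclusion(xml_text, path):
    """Append a <filePathSet><filePath> entry in the configuration namespace and return the new XML."""
    root = ET.fromstring(xml_text)
    excl = root.find(".//c:exclusions", NS)
    if excl is None:
        raise ValueError("no <exclusions> element under <configuration>")
    fps = ET.SubElement(excl, "{%s}filePathSet" % CONF_NS)
    ET.SubElement(fps, "{%s}filePath" % CONF_NS).text = path
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for raw, why in lint_exclusions(SAMPLE_POLICY):
        print("%-72s %s" % (raw, why))
    paprika = r"C:\Program Files (x86)\Paprika Recipe Manager\Paprika.exe"
    print("excluded as posted:", is_excluded(paprika, list_exclusions(SAMPLE_POLICY)))
    fixed = add_file_exclusion(SAMPLE_POLICY, paprika)
    print("excluded after fix:", is_excluded(paprika, list_exclusions(fixed)))
```

The directory check is a heuristic, since nothing in the XML says whether an entry is a file or a folder; the point of the trailing backslash is precisely to make that intent explicit, which is why is_excluded treats "D:\Users\Gio\SyncedFolder" and "D:\Users\Gio\SyncedFolder\" differently.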

  • I'll take a look, but it's a known issue in this article:

    https://community.sophos.com/kb/en-us/125463

    Windows 10 "Fall Creators" edition and how it handles "WinHttpSendRequest" due to changes in the HTTP Response Codes.

  • That part I did via SC exclusion and you are correct, I forgot the "\".  

    Thanks for the catch!

    Gio
