C2/Generic-A and C2/Generic-C False Positive Issues

Having a specific endpoint that is reporting false positives for applications I know for a fact are not malware or viruses.  Already opened a support ticket with Sophos and sent the SDU. This particular endpoint is running Windows 10 Enterprise "Fall Creators" edition build 1709.  It continues to have communication (MCS) issues with Sophos Central.  Of course, our XG firewall is flagging it as a risk.  Unfortunately I can't go back to a prior Windows build (1703).  Was curious if others are having this issue?

  • I assume the C2 detections are made at the client by the MTD component if it's not a browser process making the connection?

    The application could be genuine but a C2 detection is more about what it is connecting to as a C2 detection is based on Sophos Labs classifying a site as being malicious.

    What is the application and what is the IP/site?

    Do the logs under:

    C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs

    reference this detection?

  • Jak,

    chrome.exe is the browser process making the connection. I know for a fact it is clean. The other app is my recipe manager (Paprika, Paprika.exe) that I've used for years. This didn't start happening until a recent client update somewhere around November. We are a Sophos partner and have many clients running Windows 10 (Pro or Enterprise), but not the "Fall Creators" edition, without any issues. Even at our site, only my laptop is running the "Fall Creators" edition. The log file you talk about is actually under C:\ProgramData\Sophos\Sophos Anti-Virus\logs in a file called SAV.txt, and both are listed. The other issue is MCS (Management Communication System), which is broken. I can remove Chrome and Paprika and still it won't clear in SC. I'm trying to find the thread I ran across regarding Sophos EAP and Windows 10 "Fall Creators" edition, as others seem to be having issues. There are a couple of plugins in Chrome that may be flagged as "Command and Control" (C2), but those same plugins are running in Firefox as well and no issues there. I may just remove Chrome altogether and whitelist the Paprika app and be done with it, or until the Sophos development team figures this out.

    Here is some of the output of the SAV.log file:

    20171229 041759 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
    20171229 041759 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
    20171229 041803 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'.
    20171229 041803 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'.
    20171229 041804 File "C:\program files (x86)\paprika recipe manager\Paprika.exe" belongs to virus/spyware 'C2/Generic-C'.
    20171229 041804 Virus/spyware 'C2/Generic-C' is not removable.
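The SAV.txt lines quoted above are easy to triage programmatically. The parser below is an added example, not code from this thread or from Sophos: the sample lines are constructed to mirror the ones posted above, and the summary it produces (which process paths were flagged, how often, over what window, and which threats were reported as not removable) is the starting point for deciding which process to trace next, given that a C2 detection names the process but is really about the destination it contacted.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the SAV.txt lines quoted in this thread
# (not a real log capture).
SAMPLE_LOG = r"""
20171229 041759 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
20171229 041759 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
20171229 041803 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'.
20171229 041803 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'.
20171229 041804 File "C:\program files (x86)\paprika recipe manager\Paprika.exe" belongs to virus/spyware 'C2/Generic-C'.
20171229 041804 Virus/spyware 'C2/Generic-C' is not removable.
"""

# "<date> <time> File "<path>" belongs to virus/spyware '<name>'.<optional action text>"
FILE_RE = re.compile(
    r'^(?P<date>\d{8}) (?P<time>\d{6}) File "(?P<path>[^"]+)" '
    r"belongs to virus/spyware '(?P<threat>[^']+)'\.(?P<rest>.*)$"
)
# "<date> <time> Virus/spyware '<name>' is not removable."
STATUS_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{6}) Virus/spyware '(?P<threat>[^']+)' "
    r"(?P<status>is not removable)\.$"
)


def parse_sav_log(text):
    """Turn SAV.txt lines into event dicts; unknown lines are kept as 'unparsed'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            events.append({
                "when": datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S"),
                "kind": "detection",
                "path": m["path"],
                "threat": m["threat"],
                "action": m["rest"].strip() or None,
            })
            continue
        m = STATUS_RE.match(line)
        if m:
            events.append({
                "when": datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S"),
                "kind": "status",
                "path": None,
                "threat": m["threat"],
                "action": m["status"],
            })
            continue
        events.append({"kind": "unparsed", "raw": line})
    return events


def summarize(events):
    """Per-process counts plus the time window, for deciding what to trace next."""
    detections = [e for e in events if e["kind"] == "detection"]
    times = [e["when"] for e in detections]
    return {
        "paths": dict(Counter(e["path"] for e in detections)),
        "threats": sorted({e["threat"] for e in detections}),
        "first": min(times).isoformat() if times else None,
        "last": max(times).isoformat() if times else None,
        "unremovable": sorted({e["threat"] for e in events if e["kind"] == "status"}),
        "unparsed": sum(1 for e in events if e["kind"] == "unparsed"),
    }


if __name__ == "__main__":
    for path, count in summarize(parse_sav_log(SAMPLE_LOG))["paths"].items():
        print(f"{count:3d}  {path}")
```

Run it against the real file with `summarize(parse_sav_log(open(path, encoding="utf-8", errors="replace").read()))`; the `unparsed` count tells you whether the log contains line formats the two patterns do not cover.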

  • Does the SNTP log file under:

    "C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\"

    ...not tell you where the Paprika.exe and svchost.exe processes are talking to, which is causing the detection?

    It may well be that once you find the IP/domain that Sophos Labs have defined to be a C2 site, you can ask them for a reason.

    Note: You can test the classification by just navigating to the site/ip in the browser.

    In the meantime/in parallel, you can make a file/folder exclusion in the "Threat Protection" part of the policy (or global exclusions) for the process name or path and it will set it under:

    C:\ProgramData\Sophos\Sophos Network Threat Protection\Config\Policy.xml

    For example, you can make a "file" exclusion for:

    C:\program files (x86)\paprika recipe manager\Paprika.exe

    ...this will then not be checked by MTD.

    Regards,

    Jak

  • Jak,

    Yes, the log file does show their website: www.paprikaapp.com. This is used to sync grocery lists to my mobile phone via their site.  I've already put an exclusion in SC, but because of the MCS issue, the policy isn't applying.  Thanks for the location of the .XML.  I'll make the exclusion there until there is a fix for the MCS issue. Just made the following entry:

    <?xml version="1.0"?>
    <policy xmlns="com.sophos\mansys\policy" xmlns:xsd="www.w3.org/.../XMLSchema" xmlns:xsi="www.w3.org/.../XMLSchema-instance">
      <csc:Comp xmlns:csc="com.sophos\msys\csc" policyType="24" RevID="57a918187be6cb40569fe51f0c259a834f6fe53427fe6e4ac284dd2b0a95e526"/>
      <configuration xmlns="www.sophos.com/.../NetworkThreatProtection.xsd">
        <enabled>true</enabled>
        <connectionTracking>true</connectionTracking>
        <exclusions>
          <filePathSet>
            <filePath>D:\Users\Gio\SyncedFolder</filePath>
          </filePathSet>
          <filePathSet>
            <filePath>"C:\Program Files (x86)\Paprika Recipe Manager\Paprika.exe"</filePath>
          </filePathSet>
        </exclusions>
      </configuration>
    </policy>
    
    The last issue is how I clear the event. I removed Chrome, but the event still displays. Typically, I clear it from SC and acknowledge the event which clears it on the endpoint.

  • This is most likely a false positive issue related to:

    You should be able to just acknowledge the alerts in Sophos Central on each endpoint to clear them.

  • Greg, Please read the rest of my prior comments.  It's been cleared in SC, but because of the MCS issue, it never clears at the endpoint (this one in particular).

  • Also, I've already seen that thread.  Has nothing to do with my issue.

  • Is the problem with MCS evident in the MCS Client log as found under:

    C:\ProgramData\Sophos\Management Communications System\Endpoint\Logs\

    Also from this exclusions:

    <filePath>D:\Users\Gio\SyncedFolder</filePath>


    I assume that should have a trailing backslash, so as to exclude the directory SyncedFolder rather than a file called SyncedFolder?

    For directory exclusions, they always need a trailing backslash.

    Regards,

    Jak
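The trailing-backslash rule above is the kind of thing worth checking mechanically before a hand-edited Policy.xml goes back onto an endpoint. The script below is an added example, not Sophos code. It parses a document shaped like the fragment posted earlier in this thread (the sample is constructed and its xmlns values are placeholders), matches filePath elements by local name so the real schema namespace does not matter, and flags three things: a directory exclusion with no trailing backslash (the heuristic that a last path component without an extension is a directory is my assumption), a path wrapped in literal quote characters, and an exclusion that covers an entire drive.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Policy.xml fragment posted in this thread.
# The xmlns values are placeholders, not the real Sophos schema locations.
SAMPLE_POLICY = r"""<?xml version="1.0"?>
<policy xmlns="urn:example:policy">
  <configuration xmlns="urn:example:NetworkThreatProtection">
    <enabled>true</enabled>
    <connectionTracking>true</connectionTracking>
    <exclusions>
      <filePathSet>
        <filePath>D:\Users\Gio\SyncedFolder</filePath>
      </filePathSet>
      <filePathSet>
        <filePath>"C:\Program Files (x86)\Paprika Recipe Manager\Paprika.exe"</filePath>
      </filePathSet>
      <filePathSet>
        <filePath>D:\Users\Gio\SyncedFolder\</filePath>
      </filePathSet>
      <filePathSet>
        <filePath>C:\</filePath>
      </filePathSet>
    </exclusions>
  </configuration>
</policy>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def exclusion_paths(xml_text):
    """Return every <filePath> value in the document, whatever namespace it is in."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter() if _local(el.tag) == "filePath"]


def looks_like_directory(path):
    """Heuristic (assumption): a last component with no extension is a directory."""
    leaf = ntpath.basename(path)
    return leaf != "" and ntpath.splitext(leaf)[1] == ""


def check_exclusions(xml_text):
    """Return (path, problem, suggested_value) for each questionable exclusion."""
    findings = []
    for path in exclusion_paths(xml_text):
        if path.startswith('"') or path.endswith('"'):
            # The exclusion is compared as text; the quotes become part of the path.
            findings.append((path, "wrapped in literal quote characters", path.strip('"')))
            continue
        if path.endswith("\\"):
            # Trailing backslash: a directory exclusion. Only complain if it is a drive root.
            _drive, rest = ntpath.splitdrive(path)
            if rest == "\\":
                findings.append((path, "excludes an entire drive from MTD checking", None))
            continue
        if looks_like_directory(path):
            findings.append((path, "directory exclusion without trailing backslash", path + "\\"))
    return findings


if __name__ == "__main__":
    for path, problem, fix in check_exclusions(SAMPLE_POLICY):
        print(f"{path!r}: {problem}" + (f" -> {fix!r}" if fix else ""))
```

Point it at the live file with `check_exclusions(open(path, encoding="utf-8").read())`. The suggested value is only a hint: a path that genuinely is an extensionless file will be reported as a directory, so confirm each finding against what the exclusion was meant to cover.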

  • I'll take a look, but it's a known issue in this article:

    https://community.sophos.com/kb/en-us/125463

    Windows 10 "Fall Creators" edition and how it handles "WinHttpSendRequest" due to changes in the HTTP Response Codes.

  • That part I did via SC exclusion and you are correct, I forgot the "\".  

    Thanks for the catch!

    Gio

  • For me, performing a Nslookup for paprikaapp.com gives:

    Name: paprikaapp.com
    Address: 66.228.42.100

    and checking with this service:

    https://dnschecker.org/#A/paprikaapp.com

    That seems to be the sole IP geographically.

    This IP/domain doesn't appear to be a site that is flagged by Sophos Labs.

    I assume your computer resolves that same IP?

    What IP is the application connecting to that is causing the alert? Can you use Wireshark, Process Monitor (network), etc.?

    I tried installing the trial but that doesn't have the cloud sync option.

    Regards,

    Jak

  • Jak,

    I do have Wireshark and ProcMon loaded on my laptop.  I use whatsmydns.com and my laptop resolves to the same IP 66.228.42.100.

  • I can only think that Paprika.exe is connecting to a different IP/domain than paprikaapp.com/66.228.42.100 leading to the detection.

    Both paprikaapp.com and 66.228.42.100 do not appear to be classified by Sophos Labs as a C2 site.

    If you can reproduce the issue, maybe you can run Process Monitor with just the Networking capturing to see what the process connects to. Ideally restart the Paprika.exe process to cover the initial connection.

    Maybe even the built-in Resource Monitor application (as launched from the Task Manager Performance tab) would do; the Network view shows the addresses the processes are talking to in real time, but the connection may come and go too quickly to see there. At least Process Monitor will keep the history.

    Microsoft Message Analyzer is another application that also gives the process to network traffic mapping.

    Regards,

    Jak

  • I can also look a little deeper on our XG firewall as well.

  • What is interesting is that after removing Chrome (C:\Program Files (x86)\Google\Chrome), it's still flagging an alert. I can't get access to that folder to delete it. I'll have to disable "Tamper Protection" I think to delete it since it's locked down.

  • Jak,

    So even though I clear the Alert in SC, I can't clear the "Security Health" - "Running malware in quarantine or cleanup failure". I was able to delete the Google\Chrome directory and there is nothing in the INFECTED directory.

  • Gio, does your Paprika app use HTTP or HTTPS for comms? HTTP would be vulnerable to DNS spoofing. Perhaps it got sent to a bad IP and downloaded the payload. Personally I wouldn't ignore any files in endpoint. The Sophos docs are a bit vague about C2/Generic; they say it's not the traffic as such but the domain/IP, but then why have Generic-A and Generic-B? And these days what fool runs command and control on a static IP/domain? If I wrote malware I'd cloud host it, and use those amazingly obscure domain names direct into Azure/AWS. Constantly changing so no domain or IP could be blacklisted. Svchost problems could well indicate rooting (in my case Chrome in userspace compromised svchost, and from there it gets very vague). I'd reformat the workstations. What's the line from Alien 2, "nuke the entire site from orbit. It's the only way to be sure"! If that's too extreme, keep an eye on your root certs. If I were making this stuff, a bad root cert would be a great way to leverage workstation control.
  • community.sophos.com/.../125463 is a classic. You’re getting a security alert, so turn off tamper protection and, as administrator, bodge the endpoint address!
  • Already followed this article and everything checks out. I've already generated an SDU and opened a support ticket with Sophos. They are taking their sweet time getting back to me on this, which bothers me a bit regarding the support turnaround.