C2/Generic-A and C2/Generic-C False Positive Issues

Having a specific endpoint that is reporting false positives for applications I know for a fact are not malware or viruses.  Already opened a support ticket with Sophos and sent the SDU. This particular endpoint is running Windows 10 Enterprise "Fall Creators" edition build 1709.  It continues to have communication (MCS) issues with Sophos Central.  Of course, our XG firewall is flagging it as a risk.  Unfortunately I can't go back to a prior Windows build (1703).  Was curious if others are having this issue?

  • I assume the C2 detections are made at the client by the MTD component if it's not a browser process making the connection?

    The application could be genuine but a C2 detection is more about what it is connecting to as a C2 detection is based on Sophos Labs classifying a site as being malicious.

    What is the application and what is the IP/site?

    Do the logs under:

    C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs

    reference this detection?

  • Jak,

    chrome.exe is the browser process making the connection.  I know for a fact it is clean.  The other app is my recipe manager (Paprika, Paprika.exe) that I've used for years. This didn't start happening until a recent client update somewhere around November.  We are a Sophos partner and have many clients running Windows 10 (Pro or Enterprise), but not the "Fall Creators" edition, without any issues.  Even at our site, only my laptop is running "Fall Creators" edition.  The log file you talk about is actually under C:\ProgramData\Sophos\Sophos Anti-Virus\logs in a file called SAV.txt and both are listed.  The other issue is MCS (Management Communication System) which is broken.  I can remove Chrome and Paprika and still it won't clear in SC. I'm trying to find the thread I ran across regarding Sophos EAP and Windows 10 "Fall Creators" edition as others seem to be having issues. There are a couple of plugins in Chrome that may be flagged as "Command and Control" (C2), but those same plugins are running in Firefox as well and no issues there.  I may just remove Chrome altogether and whitelist the Paprika app and be done with it, or until the Sophos development team figures this out.

    Here is some of the output of the SAV.log file:

    20171229 041759 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
    20171229 041759 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
    20171229 041803 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'.
    20171229 041803 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'.
    20171229 041804 File "C:\program files (x86)\paprika recipe manager\Paprika.exe" belongs to virus/spyware 'C2/Generic-C'.
    20171229 041804 Virus/spyware 'C2/Generic-C' is not removable.

  • Is the problem with MCS evident in the MCS Client log as found under:

    C:\ProgramData\Sophos\Management Communications System\Endpoint\Logs\

    Also, from the exclusions:

    <filePath>D:\Users\Gio\SyncedFolder</filePath>

    I assume that should have a trailing backslash so as to exclude the directory SyncedFolder rather than a file called SyncedFolder?

    For directory exclusions, they always need a trailing backslash.

    Regards,

    Jak

  • I'll take a look, but it's a known issue in this article:

    https://community.sophos.com/kb/en-us/125463

    Windows 10 "Fall Creators" edition and how it handles "WinHttpSendRequest" due to changes in the HTTP Response Codes.

  • That part I did via SC exclusion and you are correct, I forgot the "\".

    Thanks for the catch!

    Gio

  • For me, performing an nslookup for paprikaapp.com gives:

    Name: paprikaapp.com
    Address: 66.228.42.100

    and checking with this service:

    https://dnschecker.org/#A/paprikaapp.com

    That seems to be the sole IP geographically.

    This IP/domain doesn't appear to be a site that is flagged by Sophos Labs.

    I assume your computer resolves that same IP?

    What IP is the application connecting to that is causing the alert?  Can you use Wireshark, Process Monitor (network), etc.?

    I tried installing the trial but that doesn't have the cloud sync option.

    Regards,

    Jak

  • That (https://community.sophos.com/kb/en-us/125463) doesn't prevent MCS working, it just prevents the Endpoint Self Help tool (ESH) from processing the MCS client log file correctly and hence flags there to be a problem with MCS when there isn't.

  • Jak,

    I do have Wireshark and ProcMon loaded on my laptop.  I use whatsmydns.com and my laptop resolves to the same IP 66.228.42.100.

  • I can only think that Paprika.exe is connecting to a different IP/domain than paprikaapp.com/66.228.42.100 leading to the detection.

    Both paprikaapp.com and 66.228.42.100 do not appear to be classified by Sophos Labs as a C2 site.

    If you can reproduce the issue, maybe you can run Process Monitor with just the Networking capturing to see what the process connects to. Ideally restart the Paprika.exe process to cover the initial connection.

    Maybe even the built-in Resource Monitor application (as launched from the Task Manager Performance tab) would do; the Network view shows the addresses the processes are talking to in real time, but the connection may come and go too quickly to see there.  At least Process Monitor will keep the history.

    Microsoft Message Analyzer is another application that also gives the process to network traffic mapping.

    Regards,

    Jak
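    The SAV.txt lines Gio posted earlier and the "what is the process actually connecting to" check Jak describes above can be combined into one triage pass. The following is an added PowerShell example, not code from the thread or from Sophos; it assumes the SAV.txt path quoted in the thread, a sample log constructed from the posted lines, and Windows 10 with the DnsClient and NetTCPIP modules available (Resolve-DnsName, Get-NetTCPConnection).

```powershell
# Added example (not from the thread): parse C2/Generic-* detections out of SAV.txt,
# then map each flagged executable that is still running to its live outbound TCP
# connections, so the remote address behind the detection can be seen.

# Sample SAV.txt content, constructed from the lines posted in the thread.
$savLines = @(
  '20171229 041759 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware ''C2/Generic-C''. Threat ID: 0. No action taken.',
  '20171229 041804 File "C:\program files (x86)\paprika recipe manager\Paprika.exe" belongs to virus/spyware ''C2/Generic-C''.',
  '20171229 041804 Virus/spyware ''C2/Generic-C'' is not removable.'
)
# To run against the real log instead (path as given in the thread):
# $savLines = Get-Content 'C:\ProgramData\Sophos\Sophos Anti-Virus\logs\SAV.txt'

# One detection line: YYYYMMDD HHMMSS File "<path>" belongs to virus/spyware '<threat>'.
# Lines without a quoted path (e.g. "is not removable") do not match and are skipped.
$pattern = '^(?<date>\d{8}) (?<time>\d{6}) File "(?<path>[^"]+)" belongs to virus/spyware ''(?<threat>[^'']+)'''
$detections = foreach ($line in $savLines) {
  if ($line -match $pattern) {
    [pscustomobject]@{ When = "$($Matches.date) $($Matches.time)"; Path = $Matches.path; Threat = $Matches.threat }
  }
}
$flagged = $detections | Sort-Object Path -Unique
$flagged | Format-Table -AutoSize

# Address(es) paprikaapp.com resolves to right now (the thread saw 66.228.42.100).
$expected = (Resolve-DnsName paprikaapp.com -Type A -ErrorAction SilentlyContinue).IPAddress

# For every flagged executable that is currently running, list established remote endpoints.
foreach ($d in $flagged) {
  $name  = [IO.Path]::GetFileNameWithoutExtension($d.Path)
  $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
  foreach ($p in $procs) {
    Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
      ForEach-Object {
        [pscustomobject]@{
          Process    = $name
          Pid        = $p.Id
          Threat     = $d.Threat
          Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
          # Paprika talking to anything other than its own resolved address is worth a look.
          Unexpected = ($name -eq 'Paprika' -and $expected -notcontains $_.RemoteAddress)
        }
      }
  }
}
```

    Unlike Process Monitor this only shows connections that are open at the moment the script runs, so restart the flagged process first and run it while the sync is in progress.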

  • I can also look a little deeper on our XG firewall as well.

  • What is interesting is after removing Chrome (C:\Program Files (x86)\Google\Chrome), it's still flagging an alert.  I can't get access to that folder to delete it. I'll have to disable "Tamper Protection" I think to delete it since it's locked down.

  • Jak,

    So even though I clear the Alert in SC, I can't clear the "Security Health" - "Running malware in quarantine or cleanup failure".  I was able to delete the Google\Chrome directory and there is nothing in the INFECTED directory.

  • Gio, does your paprika app use HTTP or HTTPS for comms? HTTP would be vulnerable to DNS spoofing. Perhaps it got sent to a bad IP and downloaded the payload. Personally I wouldn’t ignore any files in endpoint. The Sophos docs are a bit vague about C2/generic, they say it’s not the traffic as such but the domain/IP, but then why have generic-A and generic-B. And these days what fool runs Command and control on a static IP/domain? If I wrote malware I’d cloud host it, and use those amazingly obscure domain names direct into Azure/AWS. Constantly changing so no domain or IP could be blacklisted. Svchost problems could well indicate rooting (in my case chrome in userspace compromised svchost, and from there it gets very vague). I’d reformat the workstations. What’s the line from Alien 2, “nuke the entire site from orbit. It's the only way to be sure”! If that’s too extreme, keep an eye on your root certs. If I were making this stuff, a bad root cert would be a great way to leverage workstation control.
  • community.sophos.com/.../125463 is a classic. You’re getting a security alert, so turn off tamper protection and, as administrator, bodge the endpoint address!
  • Already followed this article and everything checks out.  I've already generated an SDU and opened a support ticket with Sophos.  They are taking their sweet time getting back to me on this which bothers me a bit on the support turnaround.