
C2/Generic-A and C2/Generic-C False Positive Issues

Having a specific endpoint that is reporting false positives for applications I know for a fact are not malware or viruses.  Already opened a support ticket with Sophos and sent the SDU. This particular endpoint is running Windows 10 Enterprise "Fall Creators" edition build 1709.  It continues to have communication (MCS) issues with Sophos Central.  Of course, our XG firewall is flagging it as a risk.  Unfortunately I can't go back to a prior Windows build (1703).  Was curious if others are having this issue?



This thread was automatically locked due to age.
Parents
  • Hi Gio, have you considered these are not false-positives? For advanced malware it’s not an issue of Chrome.exe being clean. Return orientated exploits in web responses can turn a good process into a bad one. I had some similar stuff last year and the Root Cause Analysis was ‘interesting’ to say the least. I think the term used by Endpoint is ROP (return oriented programming). I would do any probing of the domain/IP on a machine you plan to wipe after! Definitely not one you use for systems admin.
  • This is my concern. 

    I suppose it's possible it could well be the site/IP is genuine, gets compromised and used as a C2 server, classified by Sophos Labs as such, the site owner then realises, resolves the problem and it takes a while to be reclassified. So a process communicating is flagged because the site it is connecting to was once a C2 server. It's important therefore to understand which domain/IP is the one that is causing the alert so you can contact Sophos and ask the current state.

    Regards,

    Jak

  • You’re more optimistic than me! I was using the workstation at the time (online shopping in Chrome, Google SafeSearch on) when I got an svchost.exe C2/Generic error. I was very curious why sandboxed Chrome should cause an error in an OS service, so reloaded the page maybe 5 times. Only 1 of the 5 did I get the error again. It clearly wasn’t blacklisting from Sophos, or static malware on the site (or I’d be 5 for 5). It was malicious injection from somewhere. This is where I’m getting sceptical about security products like Central. Easy stuff is caught by Windows Defender. Advanced stuff often just cannot be identified until it’s too late. Just for interest, check your DNS logs. Lookups and responses can be used for Command and control, and who blocks DNS on their network?!
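The advice above to check DNS logs for command-and-control traffic, as an added example that is not part of this thread or of any Sophos product: the log format, the sample lines and the thresholds are all constructed for illustration. It groups queries by base domain and flags domains whose leftmost labels repeatedly look like encoded data (long, high-entropy), the pattern left behind when lookups are used to carry C2 traffic.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log; hypothetical format "timestamp client qtype qname".
# The beacon.example.net lines imitate data smuggled out in subdomain labels.
SAMPLE_LOG = """\
2018-01-09T10:00:01 10.0.0.5 A www.example.com
2018-01-09T10:00:02 10.0.0.5 A cdn.example.com
2018-01-09T10:00:03 10.0.0.5 TXT 4a7f9c2e1b3d8e6f0a1b2c3d.beacon.example.net
2018-01-09T10:00:04 10.0.0.5 TXT 9e8d7c6b5a4f3e2d1c0b9a8f.beacon.example.net
2018-01-09T10:00:05 10.0.0.5 TXT 0f1e2d3c4b5a69788796a5b4.beacon.example.net
2018-01-09T10:00:06 10.0.0.5 TXT c3b2a1908f7e6d5c4b3a2918.beacon.example.net
2018-01-09T10:00:07 10.0.0.5 A mail.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def shannon_entropy(label):
    """Bits per character of a label; random-looking hex scores close to 4."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (client, qtype, qname) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4).lower().rstrip(".")


def base_domain(qname):
    """Last two labels (assumption: no public-suffix list, so co.uk-style names are approximate)."""
    return ".".join(qname.split(".")[-2:])


def find_suspicious_domains(text, min_queries=3, min_entropy=3.0, min_label_len=16):
    """Return per-domain stats for domains with >= min_queries encoded-looking labels."""
    stats = defaultdict(lambda: {"queries": 0, "encoded": 0, "txt": 0, "clients": set()})
    for client, qtype, qname in parse_log(text):
        s = stats[base_domain(qname)]
        leftmost = qname.split(".")[0]
        s["queries"] += 1
        s["clients"].add(client)
        if qtype == "TXT":
            s["txt"] += 1
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            s["encoded"] += 1
    return {d: s for d, s in stats.items() if s["encoded"] >= min_queries}
```

The flagged base domain is what to take to the vendor or to a reputation check, per Jak's point above; the client set tells you which endpoints made the lookups.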