C2/Generic-A and C2/Generic-C False Positive Issues

I have a specific endpoint that is reporting false positives for applications I know for a fact are not malware or viruses. I have already opened a support ticket with Sophos and sent the SDU. This particular endpoint is running Windows 10 Enterprise "Fall Creators" edition, build 1709. It continues to have communication (MCS) issues with Sophos Central. Of course, our XG firewall is flagging it as a risk. Unfortunately I can't go back to a prior Windows build (1703). I was curious whether others are having this issue?



  • Hi Gio, have you considered that these are not false positives? For advanced malware it's not a question of Chrome.exe being clean. Return-oriented exploits in web responses can turn a good process into a bad one. I had some similar stuff last year and the Root Cause Analysis was 'interesting', to say the least. I think the term used by Endpoint is ROP (return-oriented programming). I would do any probing of the domain/IP on a machine you plan to wipe afterwards! Definitely not one you use for systems admin.
  • I know for a fact that they ARE false positives. I've run 3 different known-good AV products that we used to resell and they all come up clean. You would think that the XG firewall would have flagged this (ROP) as well. The endpoint in question is my laptop, which I've also monitored on the XG firewall, and there are no sites (other than the ones I cruise) that are being flagged. My bigger concern is this: if, by some rare chance, it is NOT a false positive, my questions would be: 1. Why didn't Sophos Advanced Endpoint with Intercept X catch it? 2. Why didn't the Sophos XG firewall catch it? And, more importantly, 3. Why are we selling and supporting a product that doesn't work?

  • A better term than "catch it" would be "clean it" or "prevent it". Whether the Paprika app redirected to a rogue website is irrelevant. Sophos Advanced Endpoint protection should have blocked it.
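The disagreement in this thread comes down to two different questions: "is the file clean?" (what a hash or multi-engine scan answers) and "is the process behaving?" (what a C2/Generic-style behavioural detection is about, and what a ROP-hijacked but otherwise legitimate process would fail). The script below is an added example, not part of the original thread and not Sophos code or Sophos detection logic. It runs both checks over a constructed telemetry snippet in an invented "ts|process|sha256|action|target" format; the "known-good" hashes are placeholders derived from fixed strings, the approved destinations and the 203.0.113.x addresses are made up, and the process names are used only to make the output readable.

```python
"""Triage a behavioural alert on a process whose binary hashes clean.

Added example: the log format, hashes, hosts and rules are all constructed
for illustration. This is not Sophos telemetry or Sophos detection logic.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical known-good image hashes. These are NOT real Chrome/Paprika
# hashes; they are derived from placeholder strings so the example runs offline.
KNOWN_GOOD_SHA256: Dict[str, str] = {
    "chrome.exe": hashlib.sha256(b"placeholder chrome.exe").hexdigest(),
    "paprika.exe": hashlib.sha256(b"placeholder paprika.exe").hexdigest(),
}

# Destinations the analyst has already vetted (constructed for the example).
APPROVED_DESTINATIONS = {"www.google.com", "paprikaapp.com"}

# Child processes a browser or recipe manager has no business launching.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}


@dataclass
class Event:
    ts: str
    process: str
    image_sha256: str
    action: str  # "connect" or "spawn"
    target: str  # destination host/IP for connect, child image name for spawn


# Constructed telemetry in an invented "ts|process|sha256|action|target" format.
SAMPLE_LOG = "\n".join([
    f"2018-01-10T09:00:01|chrome.exe|{KNOWN_GOOD_SHA256['chrome.exe']}|connect|www.google.com",
    f"2018-01-10T09:00:05|chrome.exe|{KNOWN_GOOD_SHA256['chrome.exe']}|connect|203.0.113.7",
    f"2018-01-10T09:00:06|chrome.exe|{KNOWN_GOOD_SHA256['chrome.exe']}|spawn|powershell.exe",
    f"2018-01-10T09:01:00|paprika.exe|{KNOWN_GOOD_SHA256['paprika.exe']}|connect|paprikaapp.com",
    f"2018-01-10T09:02:00|updater.exe|{hashlib.sha256(b'unknown build').hexdigest()}|connect|203.0.113.9",
])


def parse_events(text: str) -> List[Event]:
    """Split the constructed pipe-delimited lines into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, process, sha, action, target = line.split("|", 4)
        events.append(Event(ts, process.lower(), sha.lower(), action, target))
    return events


def image_status(events: List[Event]) -> Dict[str, bool]:
    """'Is the file clean?': does each process image hash match the known-good
    hash recorded for that image name?"""
    status: Dict[str, bool] = {}
    for ev in events:
        expected = KNOWN_GOOD_SHA256.get(ev.process)
        status[ev.process] = expected is not None and ev.image_sha256 == expected
    return status


def behaviour_flags(events: List[Event]) -> List[Tuple[str, str]]:
    """'Is the process behaving?': a clean hash does not clear a process that
    has been hijacked in memory, so look at what it actually did."""
    flags: List[Tuple[str, str]] = []
    for ev in events:
        if ev.action == "connect" and ev.target not in APPROVED_DESTINATIONS:
            flags.append((ev.process, f"connect to unvetted destination {ev.target}"))
        elif ev.action == "spawn" and ev.target.lower() in SUSPICIOUS_CHILDREN:
            flags.append((ev.process, f"spawned {ev.target}"))
    return flags


def triage(text: str) -> dict:
    """Combine both views. A process is a credible false positive only if its
    image is known-good AND nothing in its behaviour stands out."""
    events = parse_events(text)
    clean = image_status(events)
    flags = behaviour_flags(events)
    needs_investigation = sorted(
        {p for p, _ in flags} | {p for p, ok in clean.items() if not ok}
    )
    return {"image_clean": clean, "flags": flags, "needs_investigation": needs_investigation}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for proc, ok in result["image_clean"].items():
        print(f"{proc}: image {'matches' if ok else 'does not match'} known-good hash")
    for proc, reason in result["flags"]:
        print(f"flag: {proc}: {reason}")
    print("investigate:", result["needs_investigation"])
```

In the constructed data, chrome.exe hashes clean yet still lands on the investigation list because it connected to an unvetted address and spawned powershell.exe, while paprika.exe hashes clean and only talks to an approved host, which is the kind of evidence that actually supports a false-positive claim. The hash check and the behaviour check are answers to different questions, and a support case is stronger when it can show both.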
