C2/Generic-A and C2/Generic-C False Positive Issues

Having a specific endpoint that is reporting false positives for applications I know for a fact are not malware or viruses.  Already opened a support ticket with Sophos and sent the SDU. This particular endpoint is running Windows 10 Enterprise "Fall Creators" edition build 1709.  It continues to have communication (MCS) issues with Sophos Central.  Of course, our XG firewall is flagging it as a risk.  Unfortunately I can't go back to a prior Windows build (1703).  Was curious if others are having this issue?

  • Hi Gio, have you considered these are not false-positives? For advanced malware it’s not an issue of Chrome.exe being clean. Return orientated exploits in web responses can turn a good process into a bad one. I had some similar stuff last year and the Root Cause Analysis was ‘interesting’ to say the least. I think the term used by Endpoint is ROP (return oriented programming). I would do any probing of the domain/IP on a machine you plan to wipe after! Definitely not one you use for systems admin.
  • I know for a fact that they ARE false-positives.  I've run 3 different known good AV products that we use to resell and they all come up clean. You would think that the XG firewall would have flagged this (ROP) as well. This endpoint in question is my laptop which I've also monitored on the XG firewall and there are no sites (other than the ones I cruise) that are being flagged.  My bigger concern is this:  If for some rare chance it is NOT a false-positive, my questions would be 1. Why didn't Sophos Advanced Endpoint with Intercept-X catch it and 2. Why didn't the Sophos XG firewall catch it and more importantly 3. Why are we selling and supporting a product that doesn't work?

  • Better term for the word "catch it" would be clean or prevent it.  Whether the Paprika app redirected to a rogue website is irrelevant. Sophos Advanced Endpoint protection should have blocked it.

  • Well obviously if you’re happy they’re false-pos that’s good enough for me. Although it’s worth noting a ROP might only render Chrome malicious for a moment (just as an attack vector). The exe wouldn’t change so scanning with other AV wouldn’t find anything. It’s a behavioural thing, not a recognised signature in the binary. In my case I assumed it was a glitch at the time, but a while later Root Cause Analysis drew some impressive diagrams showing how screwed I was! A drive-by attack probably delivered by an ad on a legit site; the sophistication was amazing. Of course there was nothing I could do about it. As for why Sophos doesn’t catch it, I’m not sure that’s possible. Microsoft have a good YouTube video about malware return-on-investment. You can’t guarantee safety, just hope you’ve out-gunned your attacker. But if Kim Jong Un wants your credit card number, realistically his people can probably own your PC to get it lol. I’d focus on backups, local and cloud based. Also it would be interesting to look into thin clients and VM provisioning, so workstations with a particular config are built fresh every time you need them, with only your work files persisting. But UTM boxes etc? I’m coming to the conclusion they’re just a corporate comfort blanket.