C2/Generic-A and C2/Generic-C False Positive Issues

Having a specific endpoint that is reporting false positives for applications I know for a fact are not malware or viruses.  Already opened a support ticket with Sophos and sent the SDU. This particular endpoint is running Windows 10 Enterprise "Fall Creators" edition build 1709.  It continues to have communication (MCS) issues with Sophos Central.  Of course, our XG firewall is flagging it as a risk.  Unfortunately I can't go back to a prior Windows build (1703).  Was curious if others are having this issue?



  • For me, performing an nslookup for paprikaapp.com gives:

    Name: paprikaapp.com
    Address: 66.228.42.100

    and checking with this service:

    https://dnschecker.org/#A/paprikaapp.com

    That seems to be the sole IP geographically.

    This IP/domain doesn't appear to be a site that is flagged by Sophos Labs.

    I assume your computer resolves that same IP?

    What IP is the application connecting to that is causing the alert?  Can you use Wireshark, Process Monitor (network), etc.?

    I tried installing the trial but that doesn't have the cloud sync option.

    Regards,

    Jak

  • That (https://community.sophos.com/kb/en-us/125463) doesn't prevent MCS working, it just prevents the Endpoint Self Help tool (ESH) from processing the MCS client log file correctly and hence flags there to be a problem with MCS when there isn't.

  • Jak,

    I do have Wireshark and ProcMon loaded on my laptop.  I use whatsmydns.com and my laptop resolves to the same IP 66.228.42.100.

  • I can only think that Paprika.exe is connecting to a different IP/domain than paprikaapp.com/66.228.42.100 leading to the detection.

    Both paprikaapp.com and 66.228.42.100 do not appear to be classified by Sophos Labs as a C2 site.

    If you can reproduce the issue, maybe you can run Process Monitor with just the Networking capturing to see what the process connects to. Ideally restarting the Paprika.exe process to cover the initial connection.

    Maybe even the built-in Resource Monitor application (as launched from Task Manager Performance tab) would do, the Network view shows the addresses the processes are talking to in real-time but the connection may come and go too quickly to see there.  At least Process Monitor will keep the history.

    Microsoft Message Analyzer is another application that also gives the process to network traffic mapping.

    Regards,

    Jak
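Jak's suggestion above (capture what Paprika.exe connects to, and keep a history because connections may be too short-lived to catch in Resource Monitor) can also be done from PowerShell. This is an added example, not code from the thread or from Sophos; the process name, watch window and polling interval are assumptions exposed as parameters, and it relies on Get-NetTCPConnection (NetTCPIP module, Windows 8 / Server 2012 and later).

```powershell
# Added example, not code from the thread or from Sophos. Records every remote
# TCP endpoint a named process connects to over a time window, so connections
# that come and go too quickly to see in Resource Monitor are still captured.
# Assumes Windows PowerShell 5.1+ or PowerShell 7 with the NetTCPIP module.
# UDP is not covered: Get-NetUDPEndpoint exposes no remote address.
param(
    [string]$ProcessName = 'Paprika',   # assumption: image name without .exe
    [int]$Seconds = 120,                # how long to watch
    [int]$IntervalMs = 250              # polling interval
)

$seen = @{}   # key "ip|port" -> object with first-seen time, address, port, state
$stop = (Get-Date).AddSeconds($Seconds)
$ignore = @('0.0.0.0', '::', '127.0.0.1', '::1')   # listeners and loopback

while ((Get-Date) -lt $stop) {
    $pids = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object Id)
    if ($pids.Count -gt 0) {
        Get-NetTCPConnection -OwningProcess $pids -ErrorAction SilentlyContinue |
            Where-Object { $ignore -notcontains $_.RemoteAddress } |
            ForEach-Object {
                $key = '{0}|{1}' -f $_.RemoteAddress, $_.RemotePort
                if (-not $seen.ContainsKey($key)) {
                    $seen[$key] = [pscustomobject]@{
                        FirstSeen = Get-Date
                        Address   = $_.RemoteAddress
                        Port      = $_.RemotePort
                        State     = $_.State
                    }
                    Write-Host ('{0:HH:mm:ss} {1}:{2} ({3})' -f (Get-Date), $_.RemoteAddress, $_.RemotePort, $_.State)
                }
            }
    }
    Start-Sleep -Milliseconds $IntervalMs
}

# Reverse-resolve each address so the domain, not just the IP, can be submitted
# to Sophos for a reputation check. Lookups that fail are reported as '(none)'.
$seen.Values | Sort-Object FirstSeen | ForEach-Object {
    $ptr = try { [System.Net.Dns]::GetHostEntry($_.Address).HostName } catch { '(none)' }
    [pscustomobject]@{
        FirstSeen = $_.FirstSeen.ToString('HH:mm:ss')
        Remote    = '{0}:{1}' -f $_.Address, $_.Port
        PTR       = $ptr
        State     = $_.State
    }
} | Format-Table -AutoSize
```

Run it, then restart Paprika.exe while it is polling so the initial connection is included; any remote endpoint other than 66.228.42.100 in the summary is the one to ask Sophos about.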

  • I can also look a little deeper on our XG firewall as well.

  • What is interesting is after removing Chrome (C:\Program Files (x86)\Google\Chrome), it's still flagging an alert.  I can't get access to that folder to delete it. I'll have to disable "Tamper Protection" I think to delete it since it's locked down.

  • Jak,

    So even though I clear the Alert in SC, I can't clear the "Security Health" - "Running malware in quarantine or cleanup failure".  I was able to delete the Google\Chrome directory and there is nothing in the INFECTED directory.

  • Hi Gio, have you considered these are not false-positives? For advanced malware it’s not an issue of Chrome.exe being clean. Return orientated exploits in web responses can turn a good process into a bad one. I had some similar stuff last year and the Root Cause Analysis was ‘interesting’ to say the least. I think the term used by Endpoint is ROP (return oriented programming). I would do any probing of the domain/IP on a machine you plan to wipe after! Definitely not one you use for systems admin.
  • This is my concern. 

    I suppose it's possible it could well be the site/IP is genuine, gets compromised and used as a C2 server, classified by Sophos Labs as such, the site owner then realises, resolves the problem and it takes a while to be reclassified.  So a process communicating is flagged because the site it is connecting to was once a C2 server.  It's important therefore to understand which domain/IP is the one that is causing the alert so you can contact Sophos and ask the current state.

    Regards,

    Jak

  • You’re more optimistic than me! I was using the workstation at the time (online shopping in Chrome, Google SafeSearch on) when I got an svchost.exe C2/Generic error. I was very curious why sandboxed Chrome should cause an error in an OS service, so reloaded the page maybe 5 times. Only 1 of the 5 did I get the error again. It clearly wasn’t blacklisting from Sophos, or static malware on the site (or I’d be 5 for 5). It was malicious injection from somewhere. This is where I’m getting sceptical about security products like Central. Easy stuff is caught by Windows Defender. Advanced stuff often just cannot be identified until it’s too late. Just for interest, check your DNS logs. Lookups and responses can be used for command and control, and who blocks DNS on their network?!