C2/Generic-A and C2/Generic-C False Positive Issues

Having a specific endpoint that is reporting false positives for applications I know for a fact are not malware or viruses. Already opened a support ticket with Sophos and sent the SDU. This particular endpoint is running Windows 10 Enterprise "Fall Creators" edition build 1709. It continues to have communication (MCS) issues with Sophos Central. Of course, our XG firewall is flagging it as a risk. Unfortunately I can't go back to a prior Windows build (1703). Was curious if others are having this issue?



This thread was automatically locked due to age.
  • Gio, does your Paprika app use HTTP or HTTPS for comms? HTTP would be vulnerable to DNS spoofing. Perhaps it got sent to a bad IP and downloaded the payload. Personally I wouldn’t ignore any files in endpoint. The Sophos docs are a bit vague about C2/Generic; they say it’s not the traffic as such but the domain/IP, but then why have Generic-A and Generic-B? And these days what fool runs command and control on a static IP/domain? If I wrote malware I’d cloud host it, and use those amazingly obscure domain names direct into Azure/AWS. Constantly changing, so no domain or IP could be blacklisted. Svchost problems could well indicate rooting (in my case Chrome in userspace compromised svchost, and from there it gets very vague). I’d reformat the workstations. What’s the line from Alien 2, “nuke the entire site from orbit. It's the only way to be sure”! If that’s too extreme, keep an eye on your root certs. If I were making this stuff, a bad root cert would be a great way to leverage workstation control.
  • community.sophos.com/.../125463 is a classic. You’re getting a security alert, so turn off tamper protection and, as administrator, bodge the endpoint address!
  • I know for a fact that they ARE false positives. I've run 3 different known good AV products that we use to resell and they all come up clean. You would think that the XG firewall would have flagged this (ROP) as well. This endpoint in question is my laptop, which I've also monitored on the XG firewall, and there are no sites (other than the ones I cruise) that are being flagged. My bigger concern is this: if for some rare chance it is NOT a false positive, my questions would be 1. Why didn't Sophos Advanced Endpoint with Intercept X catch it? 2. Why didn't the Sophos XG firewall catch it? And more importantly, 3. Why are we selling and supporting a product that doesn't work?

  • Already followed this article and everything checks out. I've already generated an SDU and opened a support ticket with Sophos. They are taking their sweet time getting back to me on this, which bothers me a bit on the support turnaround.

  • A better term for the words "catch it" would be "clean" or "prevent it". Whether the Paprika app redirected to a rogue website is irrelevant. Sophos Advanced Endpoint protection should have blocked it.

  • Well, obviously if you’re happy they’re false positives that’s good enough for me. Although it’s worth noting a ROP might only render Chrome malicious for a moment (just as an attack vector). The exe wouldn’t change, so scanning with other AV wouldn’t find anything. It’s a behavioural thing, not a recognised signature in the binary. In my case I assumed it was a glitch at the time, but a while later Root Cause Analysis drew some impressive diagrams showing how screwed I was! A drive-by attack probably delivered by an ad on a legit site; the sophistication was amazing. Of course there was nothing I could do about it. As for why Sophos doesn’t catch it, I’m not sure that’s possible. Microsoft have a good YouTube video about malware return-on-investment. You can’t guarantee safety, just hope you’ve out-gunned your attacker. But if Kim Jong Un wants your credit card number, realistically his people can probably own your PC to get it lol. I’d focus on backups, local and cloud based. Also it would be interesting to look into thin clients and VM provisioning, so workstations with a particular config are built fresh every time you need them, with only your work files persisting. But UTM boxes etc? I’m coming to the conclusion they’re just a corporate comfort blanket.
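The first reply's advice to "keep an eye on your root certs" is easy to turn into a routine check. The PowerShell below is an added example written for this thread, not code from Sophos or from any poster: it snapshots the thumbprints in the machine and current-user trusted root stores, saves a baseline, and later reports any root CA that has appeared or disappeared. The baseline path is a hypothetical location chosen for the example.

```powershell
# Added example (not from the thread): baseline the trusted root stores and
# diff them later, so an unexpected root CA shows up as a change rather than
# silently sitting alongside the legitimate ones.
# Assumptions: Windows PowerShell 5.1 or later; run elevated to read the
# LocalMachine store fully. The baseline path is hypothetical.
$BaselinePath = 'C:\SecBaseline\root-store.csv'

# Both stores matter: a user-level install can add a root without admin rights.
$RootStores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Get-RootStoreSnapshot {
    foreach ($store in $RootStores) {
        Get-ChildItem -Path $store |
            Select-Object @{n='Store';e={ $store }}, Thumbprint, Subject, NotAfter
    }
}

function Save-RootStoreBaseline {
    param([string]$Path = $BaselinePath)
    # Take the baseline on a machine you have just built and trust.
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Get-RootStoreSnapshot | Sort-Object Store, Thumbprint |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-RootStoreToBaseline {
    param([string]$Path = $BaselinePath)
    if (-not (Test-Path $Path)) {
        throw "No baseline at $Path; run Save-RootStoreBaseline first."
    }
    $baseline = Import-Csv -Path $Path
    $current  = Get-RootStoreSnapshot
    # Compare on store + thumbprint; -PassThru keeps the full record so the
    # report shows the subject and expiry of whatever changed.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
        -Property Store, Thumbprint -PassThru |
        Select-Object @{n='Change';e={ if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' } }},
                      Store, Thumbprint, Subject, NotAfter
}

# Usage: run Save-RootStoreBaseline once on a known-good build, then schedule
# Compare-RootStoreToBaseline. An empty result means nothing changed; any
# ADDED row is a root CA that was not in the baseline and deserves a look.
```

A practical refinement is to feed the ADDED rows into whatever alerting the endpoint already reports to, so a new root CA is treated with the same weight as the C2/Generic detections discussed in this thread rather than being found by accident during a reimage.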