This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ATP dropping several C2/Generic threats for two of my devices

I haven’t changed any settings on my Sophos XG, but today I started receiving multiple threat alerts from ATP for the following:

2020-11-22 20:26:14 Advanced threat protection messageid="18010" log_type="ATP" log_component="Firewall" log_subtype="Drop" user="" protocol="TCP" src_port="49348" dst_port="80" src_ip="172.16.16.47" dst_ip="31.171.154.67" url="31.171.154.67" threat="C2/Generic-A" event_id="7825B787-F721-400B-BEBD-40BEA61EFDC9" type="Standard" host_login_user="" host_process_user="" endpoint_id="" execution_path=""

It’s occurring for two devices on my network, my Apple iPad and my Dell XPS laptop (Ubuntu). I tried looking up the destination IP, but nothing comes up. I’ll get about 20-30 alerts in rapid succession, then it stops. I wasn’t doing anything in particular on either the Dell XPS or the iPad.

Anyone have any idea what might be causing this?



This thread was automatically locked due to age.
  • Hi: The destination IP is classified as Malware/Malicious, and because of that ATP is triggering an alert and dropping the traffic.

    https://www.virustotal.com/gui/url/bebbcfb5ef3c3ecfdc69fc11aa69c5066e76a5071a5f991f9b4ebf3d3f6a03af/detection

    On your Ubuntu laptop, you can start tcpdump on this destination and, once any packets are observed, dig further with the netstat command or other relevant Linux system commands to confirm which app, socket, browser plugin, script, or anything else on the system is knowingly or unknowingly generating traffic to this destination server.
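
The tcpdump/netstat triage described in the reply above, as an added example that is not part of the original thread and not Sophos tooling. It parses constructed ATP log lines in the format quoted in the post (the extra lines, the second source IP and the Alert line are made up for the demo; only the first line's values come from the post), collapses a burst of alerts into one line per dropped flow, and then wraps the two commands to run on the Ubuntu laptop: `ss` (the modern replacement for `netstat`) to name the process that owns a socket to the dropped destination, and a bounded `tcpdump` to catch the next attempt as it happens. The iPad has no shell, so for it the per-flow summary only helps with timing correlation.

```shell
#!/usr/bin/env bash
# Triage helper for Sophos XG ATP log lines: summarise dropped flows, then
# (on the Ubuntu host) identify the local process behind them.
# Added example; not Sophos code. Field names follow the log line in the post.
set -u

# Constructed sample: the first line is the one quoted in the post (trimmed),
# the rest are made up to show de-duplication and subtype filtering.
SAMPLE_LOG='2020-11-22 20:26:14 Advanced threat protection messageid="18010" log_type="ATP" log_component="Firewall" log_subtype="Drop" user="" protocol="TCP" src_port="49348" dst_port="80" src_ip="172.16.16.47" dst_ip="31.171.154.67" url="31.171.154.67" threat="C2/Generic-A"
2020-11-22 20:26:15 Advanced threat protection messageid="18010" log_type="ATP" log_component="Firewall" log_subtype="Drop" user="" protocol="TCP" src_port="49350" dst_port="80" src_ip="172.16.16.47" dst_ip="31.171.154.67" url="31.171.154.67" threat="C2/Generic-A"
2020-11-22 20:26:16 Advanced threat protection messageid="18010" log_type="ATP" log_component="Firewall" log_subtype="Alert" user="" protocol="TCP" src_port="49351" dst_port="80" src_ip="172.16.16.47" dst_ip="31.171.154.67" url="31.171.154.67" threat="C2/Generic-A"
2020-11-22 20:27:02 Advanced threat protection messageid="18010" log_type="ATP" log_component="Firewall" log_subtype="Drop" user="" protocol="TCP" src_port="52011" dst_port="443" src_ip="172.16.16.52" dst_ip="31.171.154.67" url="31.171.154.67" threat="C2/Generic-A"'

# Extract one quoted key="value" field from a log line.
# usage: atp_field KEY LINE   (prints the value, empty if the field is empty)
atp_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# Read log lines on stdin and print "src_ip dst_ip dst_port count" for every
# distinct dropped flow, so 20-30 rapid-fire alerts collapse to a few lines.
atp_summary() {
    while IFS= read -r line; do
        [ "$(atp_field log_subtype "$line")" = "Drop" ] || continue
        printf '%s %s %s\n' "$(atp_field src_ip "$line")" \
            "$(atp_field dst_ip "$line")" "$(atp_field dst_port "$line")"
    done | sort | uniq -c | awk '{print $2, $3, $4, $1}'
}

# Distinct dropped destination IPs, one per line, for feeding to ss/tcpdump.
atp_dst_ips() {
    atp_summary | awk '{print $2}' | sort -u
}

# Run on the Ubuntu host named in src_ip: show every TCP socket to DST_IP
# with the owning PID and program name (ss needs root to show other users'
# processes). A hit here answers "which app is talking to this server".
# usage: owner_of_connections DST_IP
owner_of_connections() {
    sudo ss -tanp dst "$1"
}

# Capture the next 20 packets to/from DST_IP so the attempt is seen live;
# pair it with owner_of_connections while the capture is running.
# usage: capture_to DST_IP [IFACE]
capture_to() {
    sudo tcpdump -nn -i "${2:-any}" -c 20 "host $1"
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | atp_summary
    for ip in $(printf '%s\n' "$SAMPLE_LOG" | atp_dst_ips); do
        echo "# on each src_ip host: owner_of_connections $ip ; capture_to $ip"
    done
fi
```

Run with `--demo` to see the summary; the real log lines come from the XG log viewer export. If `ss` shows nothing at the moment you look, the connections are short-lived, which is why the bounded `tcpdump` is kept running while you repeat the `ss` call.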

  • Thanks for the info. It only seemed to happen the past two days, but nothing today. If I'm understanding that website you linked to correctly, only 5/82 scanning engines consider that IP Malware/Malicious/Suspicious and the rest of them consider it Clean. I'm assuming that this is likely a false positive then?

    I'd just find it hard to believe that either my iPad or my Dell XPS laptop has malware, considering the Dell XPS laptop was set up only about a week ago with Ubuntu and has hardly been used (almost no web browsing and only some package installs using the official Ubuntu package manager).

    Regardless, I'd still like to figure out what it is at some point if it starts happening again.
