[9.192-8] False positives on C2/Generic-A?

hi,

I started using endpoint protection/advanced thread protetion during this beta, so I'm posting it here.

On a regular basis I get the following mail alert from UTM

-------------------------------
Details about the alert:

Threat name....: C2/Generic-A
Details........: C2/Generic-A - Viruses and Spyware - Web Threat, Virus and Spyware Detection and Removal | Sophos - Threat Center - Cloud Antivirus, Endpoint, UTM, Encryption, Mobile, DLP, Server, Web, Wireless Security, Network Storage and Next-Gen Firewall Solutio
Time...........: 2014-01-27 14:46:15
Traffic blocked: yes

Internal source IP address or host: 192.168.1.10
-------------------------------

The dashboard reports this:

User/Host Threat Name Destination Events Origin
1 192.168.1.10 C2/Generic-A 4pda.ru 2 DNS

I did a full scan of the mentioned machine and all other machines using Sophos Virus Removal Tool, but no issues are found. On the machine itself the endpoint protection isn't installed (it's a domain controller and hyper-v server).

Franc.

Parents

0 Michael Dunn over 10 years ago

Here is what I got from out Labs team.

There are applications out there that we call PUA - Potentially Unwanted Applications. These include things like toolbars that collect browsing history and report back to central servers in order to give you targeted advertising. They are technically not malware as they are usually installed intentionally by users. Because they report back periodically to central servers they sometimes get detected as malware command-and-control servers. The lines between PUA and malware can blurry and we share information to and from other security vendors, not all of which have the exact same standards.

These two websites are associated with such applications. In other words, there are applications on that computer that periodically contact those two domain names to send information from your computer to those site. Based only on domain name "shopperfriendapp.info" suggests this might be advertising data collection, while "mygpuid.com" might be reporting back hardware information.

Both of these domains have not been removed from the ATP database.

I would be curious to know the results of:
Go to Endpoint Protection, Antivirus
Edit (or create) a policy that turns on the Scan for PUA.
Associate your computer with that antivirus policy, wait a few min for the update.
Then use Endpoint to do a full scan again.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Michael Dunn over 10 years ago

Here is what I got from out Labs team.

There are applications out there that we call PUA - Potentially Unwanted Applications. These include things like toolbars that collect browsing history and report back to central servers in order to give you targeted advertising. They are technically not malware as they are usually installed intentionally by users. Because they report back periodically to central servers they sometimes get detected as malware command-and-control servers. The lines between PUA and malware can blurry and we share information to and from other security vendors, not all of which have the exact same standards.

These two websites are associated with such applications. In other words, there are applications on that computer that periodically contact those two domain names to send information from your computer to those site. Based only on domain name "shopperfriendapp.info" suggests this might be advertising data collection, while "mygpuid.com" might be reporting back hardware information.

Both of these domains have not been removed from the ATP database.

I would be curious to know the results of:
Go to Endpoint Protection, Antivirus
Edit (or create) a policy that turns on the Scan for PUA.
Associate your computer with that antivirus policy, wait a few min for the update.
Then use Endpoint to do a full scan again.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data