
I keep getting C2/Zbot-A false-positives

Advanced Protection of our UTM keeps flagging various internal machines with C2/Zbot-A. These machines vary in OS (some are Windows 10 clients, some are Windows Servers from different years), but all are updated with the latest Defender definitions. I've even run the Sophos AV on one machine to make sure it's clean, and found nothing.

The hosts are always internal IPs, while the destinations are either the UTM's internal hostname or a public router seemingly owned by our ISP (ip-185-68-25-49.tempus.net.pl).

Is our ISP infected? Are WE infected and those aren't really false positives? Or is UTM a bit too sensitive and flagging false positives all the time? I write "all the time" because the problem has been ongoing and tends to happen a number of times each week. I've already tried creating a question about this before on these forums, but unfortunately haven't gotten a clear answer, so I figured I'd try again (apologies if this is considered rude, but quite some time has passed).



  • For the time being I've reconfigured our internal DNS servers to be just that - internal DNS servers (no forwarders, no root hints) and I've blocked external DNS requests in the whole network. This should cause all outgoing DNS traffic to go via the UTM itself.

    I did this to get a clearer picture of which machines are acting up. However, since making the change, I haven't had a single hit... I'll check the disk as soon as I get new reports.

  • How do you split internal and external DNS requests at the PC?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Previously:

    a) DHCP (non-UTM) would provide a long list of possible DNS servers, including our own internal DNS servers for backup
    b) UTM would permit DNS queries to external servers to comply with a)
    c) UTM has conditional forwarding for internal domain DNS requests

    Now:

    a) DHCP no longer provides clients with external DNS IPs, nor internal DNS IPs (only the UTM IP is provided for DNS)
    b) internal DNS servers have recursion and root hints disabled
    c) UTM no longer permits external DNS requests; it's no longer possible to manually set up e.g. 1.1.1.1 as the DNS or use NSLOOKUP with external servers
    d) conditional forwarding still applies for internal domains

  • So I finally got a new hit in the UTM for this.

    The IPS logs are as follows:

    2019:04:02-13:21:02 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt" group="110" srcip="193.188.22.56" dstip="10.150.1.36" proto="6" srcport="1849" dstport="443" sid="49040" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0" 
    2019:04:02-13:25:00 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.150.4.104" dstip="10.150.1.34" proto="17" srcport="54103" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
    2019:04:02-13:25:09 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.150.4.104" dstip="10.150.1.34" proto="17" srcport="58112" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"

    (I don't think the first line is relevant, but keeping it in here as these were all the IPS logs for the day.)

    I've proceeded to check the 4.104 laptop with the suggested Kaspersky Recovery Disk and left it running overnight. Unfortunately, it found nothing, so this morning I'm still left scratching my head... :(

    Once more, I CAN "nuke it from orbit" and reinstall the OS on this machine, but this is time-consuming and disruptive to the user's work (mine too, for that matter), and I would prefer confirmation if there's an actual issue here. Anything else I could try?
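The IPS lines above record that sid 26267 fired for 10.150.4.104 but not which name was queried, which is the one fact that would settle the false-positive question. The following is an added example, not code from the thread or from Sophos: it parses UTM IPS lines in the key="value" format posted above, keeps only the sid 26267 alerts, and correlates each with DNS queries from the same client within a few seconds, scoring the queried name with a crude DGA heuristic (entropy, length, vowel ratio of the second-level label). The DNS query records are constructed for the example and the domain names in them are hypothetical; in practice they would come from the internal DNS server's query log or a capture on 10.150.1.34. The heuristic is illustrative and is not the logic of the Snort rule itself.

```python
"""Added example: correlate Sophos UTM IPS alerts (sid 26267) with DNS query names.

Not part of the original thread. IPS lines are copied from the post; the DNS
query records below are constructed and the domain names are hypothetical.
"""
import math
import re
from collections import Counter
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)="([^"]*)"')
UTM_TS = "%Y:%m:%d-%H:%M:%S"   # timestamp format used by the UTM lines
DNS_TS = "%Y-%m-%d %H:%M:%S"   # format of the constructed DNS records
DGA_SID = "26267"              # "MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected"

# IPS log lines as posted (all three lines from the day).
IPS_LOG = """\
2019:04:02-13:21:02 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt" group="110" srcip="193.188.22.56" dstip="10.150.1.36" proto="6" srcport="1849" dstport="443" sid="49040" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2019:04:02-13:25:00 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.150.4.104" dstip="10.150.1.34" proto="17" srcport="54103" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2019:04:02-13:25:09 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.150.4.104" dstip="10.150.1.34" proto="17" srcport="58112" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
"""

# Constructed DNS query records: (timestamp, client IP, queried name).
# The names are hypothetical; a real run would read the DNS server's query log.
DNS_QUERIES = [
    ("2019-04-02 13:24:58", "10.150.4.104", "outlook.office365.com"),
    ("2019-04-02 13:25:00", "10.150.4.104", "xkq7v2ph9cmwz8rtyu4.info"),
    ("2019-04-02 13:25:09", "10.150.4.104", "pq3zx8vk1mn0bd4ry6tw.biz"),
    ("2019-04-02 13:25:30", "10.150.1.50", "update.microsoft.com"),
]


def parse_ips_line(line):
    """Turn one UTM IPS syslog line into a dict; the leading timestamp becomes 'ts'."""
    ts_str = line.split(" ", 1)[0]
    fields = dict(KV_RE.findall(line))
    fields["ts"] = datetime.strptime(ts_str, UTM_TS)
    return fields


def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(qname):
    """Crude DGA heuristic on the second-level label (illustrative, not the Snort rule's logic)."""
    labels = qname.rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    vowel_ratio = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
    ent = shannon_entropy(label)
    return {
        "label": label,
        "entropy": round(ent, 2),
        "vowel_ratio": round(vowel_ratio, 2),
        # long, high-entropy, vowel-poor labels are typical of random DGA output
        "suspicious": ent >= 3.5 and len(label) >= 12 and vowel_ratio < 0.3,
    }


def correlate(ips_log, dns_queries, window_s=5):
    """For each sid-26267 alert, list DNS queries from the same client within +/- window_s seconds."""
    window = timedelta(seconds=window_s)
    rows = []
    for line in ips_log.splitlines():
        alert = parse_ips_line(line)
        if alert.get("sid") != DGA_SID:
            continue  # e.g. the unrelated RDP alert on the first line
        for ts_str, client, qname in dns_queries:
            ts = datetime.strptime(ts_str, DNS_TS)
            if client == alert["srcip"] and abs(ts - alert["ts"]) <= window:
                rows.append({"alert_ts": alert["ts"], "client": client, "qname": qname, **dga_score(qname)})
    return rows


def suspicious_names(rows):
    """Queried names that look DGA-generated; these are what to pivot on next."""
    return [r["qname"] for r in rows if r["suspicious"]]


if __name__ == "__main__":
    for r in correlate(IPS_LOG, DNS_QUERIES):
        flag = "DGA-like" if r["suspicious"] else ""
        print(r["alert_ts"], r["client"], r["qname"], r["entropy"], r["vowel_ratio"], flag)
```

If the names matched to the alerts turn out to be ordinary (CDN hostnames, telemetry endpoints, a customer's odd-looking domain), the alert is a false positive of the signature and an IPS exception for that rule is the fix; if they look like the hypothetical ones here, the host needs a closer look regardless of what the recovery disk reported, since a clean AV scan does not rule out a machine issuing DGA lookups.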

  • If Kaspersky found nothing, I'd say you were right the first time, Mateusz - false positive!

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA