C2/Generic-A threat?

I am receiving a few C2/Generic-A threats under Advanced Threat Protection every few days. The threats are showing as originating from the same IP (but it's not on our network) trying to go out to a bunch of nonsensical domains. According to this alert https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx it's malware trying to communicate out to a command and control server. What I don't understand is how it's reporting back an IP that is outside of our environment's scope. 

Can anyone shed some more light on this particular threat warning type?



This thread was automatically locked due to age.
  • Hi  

    Were you able to check which protocol was used to communicate? You would be able to see more in packetfilter logs to check how the attempt was made.

    These detection alerts can be seen on a Sophos UTM/XG Firewall when the Advanced Threat Protection module detects an outbound communication with a known C2 (Command and Control) server. In some situations, Sophos Web Protection may also flag a C2/Generic-A on the endpoint if it detects a browser initiating traffic towards a high-risk URL. The communication will be blocked on the firewall, and the offending IPs need to be isolated and investigated along the lines of an active malware infection. 

    Regards

    Jaydeep

  • No, I am not sure what protocol. Where are the packet filtering logs on UTM9? I don't see anything in the logging section. 

    The host being reported is not within our network scope, however. How is that possible?

  • At the command line, the firewall log is packetfilter.log.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
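One way to pull the protocol and port detail out of packetfilter.log that Jaydeep and Bob point to, as an added example for this thread (this is not Sophos code and not from either poster). It assumes the key="value" field layout ulogd writes on UTM, which can differ between versions, so the field names are an assumption to check against your own log; the sample lines are constructed, not captured from a real firewall.

```python
"""
Triage helper for a C2/Generic-A alert: summarise every connection attempt
toward a suspect destination IP found in Sophos UTM packetfilter.log-style
lines, grouped by source, protocol, destination port and firewall action.

Assumptions (not taken from the thread or from Sophos documentation):
  - each line carries fields as key="value" pairs after the syslog prefix
  - the fields srcip, dstip, proto, dstport and action are present
Adjust KV_RE / the field names if your packetfilter.log differs.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines for illustration only (documentation-range IPs).
SAMPLE_LOG = """\
2020:01:10-09:12:01 utm ulogd[1201]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.10.23" dstip="203.0.113.7" proto="6" srcport="51434" dstport="443" tcpflags="SYN"
2020:01:10-09:12:03 utm ulogd[1201]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.10.23" dstip="203.0.113.7" proto="17" srcport="51435" dstport="53"
2020:01:10-09:12:05 utm ulogd[1201]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth1" srcip="192.168.10.40" dstip="198.51.100.9" proto="6" srcport="51500" dstport="80" tcpflags="SYN"
2020:01:10-09:13:10 utm ulogd[1201]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.10.23" dstip="203.0.113.7" proto="6" srcport="51436" dstport="443" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')          # key="value" pairs
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers


def parse_line(line):
    """Return one log line's key="value" fields as a dict, plus its timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def summarise_destination(log_text, suspect_ip):
    """Count (srcip, protocol, dstport, action) tuples for traffic to suspect_ip."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("dstip") != suspect_ip:
            continue
        proto = PROTO_NAMES.get(f.get("proto", ""), f.get("proto", "?"))
        counts[(f.get("srcip"), proto, f.get("dstport"), f.get("action"))] += 1
    return counts


def sources_outside(counts, internal_nets):
    """Source addresses in the summary that fall outside the ranges you own.

    This is the detail the original poster was puzzled by: a reported source
    that is not inside the organisation's address space is worth listing
    separately before assuming it is an internal host.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    outside = set()
    for (src, _proto, _port, _action) in counts:
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in nets):
            outside.add(src)
    return sorted(outside)


if __name__ == "__main__":
    suspect = "203.0.113.7"          # constructed suspect C2 address
    summary = summarise_destination(SAMPLE_LOG, suspect)
    for (src, proto, port, action), n in sorted(summary.items()):
        print(f"{src} -> {suspect} {proto}/{port} {action}: {n} attempt(s)")
    print("sources outside 192.168.0.0/16:",
          sources_outside(summary, ["192.168.0.0/16"]))
```

Running it against a real packetfilter.log (`summarise_destination(open(path).read(), ip)`) gives the protocol and destination port per source host, which is the evidence to pair with the ATP alert before isolating the machine.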