Advanced Threat Protection C2/Generic-A

Hello,

I am wondering if I am seeing false positives or not? Every machine in my network hit on an IP address today according to ATP. The IP address is 205.185.216.10. Some show as IpTables and others as AFCd. I checked the Advanced Threat Protection log and I do see the entries since 16:32. I also checked the Web Filtering Log and I see multiple entries there with that as the destination IP. This is showing the Windows Update application in there. Though when I do an IP lookup on it, it shows as Highwinds Network Group. I have sent an email to abuse@hwng.net, and am preparing to send an email to Microsoft as it might be possible that Windows Update has been hijacked.

Just not sure if these are legitimate or not. Plus maybe someone else is seeing the same thing.

Thank You.

  • The offending IP is being used by www.download.windowsupdate.com

    It looks to be an issue with Microsoft. I turned on DNS logging, and the same IP that popped into the ATP log as having a dropped packet due to the ATP alert also had a DNS entry trying to send a UDP packet to windowsupdate. If you try to go to that link above, it first redirects to a non-secured page www.update.microsoft.com/.../default.aspx, then on to a secure page with a different URL, support.microsoft.com/.../windows-update-faq. And the non-secured page, when trying to browse to it via https, has a broken cert due to a weak signature algorithm. So it looks to be an issue on MS's end and with their cert.

  • That is what I thought, and I am in contact with Microsoft right now. I put a scare in them, telling them that Windows Update may have been hijacked. They are currently still on the line with me but say they are looking into the reason.
