
Advanced Threat Protection C2/Generic-A

Hello,

    I am wondering if I am seeing false positives or not?  Every machine in my network hit on an IP address today according to ATP.  The IP address is 205.185.216.10.  Some show as IpTables and others as AFCd.  I checked the Advanced Threat Protection log and I do see the entries since 16:32.  I also checked the Web Filtering Log and I see multiple entries there with that as the destination IP.  This is seeing the Windows Update application in there.  Though when I do an IP lookup on it, it shows for Highwinds Network Group.  I have sent an email to abuse@hwng.net, and am preparing to send an email to Microsoft as it might be possible that Windows Update has been hijacked.

Just not sure if these are legitimate or not.  Plus maybe someone else was seeing the same thing.

 

Thank You.



  • Hello MikeRM275,

    Thank you for contacting the community.

    Just to confirm this was a False Positive and labs have fixed the issue already.

    This is the official KB with the information about this.

    ===

    False Positive detection for Threat ID: 811385046 that produced C2/Generic detections

    https://community.sophos.com/kb/en-us/135509

    ===

    At this point there is no action required, except to check that the Pattern Download/Installation Interval is at least enabled to check every 15 minutes (Management >> Up2date >> Configuration).

    You can also confirm the pattern is up to date by running the command below, and make sure you have the latest APTP installed, which is 9-35-908.

    utm1:/var/log # rpm -qa | grep u2d
    u2d-aws-9-291
    u2d-savi-9-15559
    u2d-avira4-9-7794
    u2d-ipsexception-9-6
    u2d-clvbrowser-9-44
    u2d-geoipxtipv6-9-109
    u2d-geoip-7-168
    u2d-man9-9-1027
    u2d-ipsbundle2-9-311
    u2d-aptp-9-35908
    u2d-owaspcrs-9-18
    ep-u2d-download-9.30-0.190218485.ga937bb2
    u2d-cadata-9-110
    u2d-appctrl43-9-62
    u2d-ohelp9-9-1071


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos  |  Product Documentation  |  @SophosSupport  |  Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
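As an added example (not from the thread or from Sophos), a small POSIX shell check that parses the rpm -qa | grep u2d output quoted in the reply above and confirms the u2d-aptp pattern package is at least the fixed version 9-35908; the SAMPLE list is constructed from that output so the script runs offline.

```shell
#!/bin/sh
# Added example, not Sophos code: verify the installed APTP pattern package
# (u2d-aptp-<major>-<pattern>) is at or above the fixed version 9-35908.
# SAMPLE is constructed from the reply's output; on a real UTM replace it
# with "$(rpm -qa | grep u2d)".

SAMPLE='u2d-aws-9-291
u2d-savi-9-15559
u2d-aptp-9-35908
u2d-ipsbundle2-9-311'

# aptp_version LIST -> prints "<major> <pattern>" for the u2d-aptp line,
# or nothing if no such package is installed.
aptp_version() {
    printf '%s\n' "$1" |
        sed -n 's/^u2d-aptp-\([0-9][0-9]*\)-\([0-9][0-9]*\)$/\1 \2/p'
}

# aptp_is_current LIST -> exit 0 if the aptp pattern is >= 9-35908, else 1
# (a missing package also counts as not current, so Up2date should run).
aptp_is_current() {
    set -- $(aptp_version "$1")
    [ $# -eq 2 ] || return 1
    major=$1
    pattern=$2
    if [ "$major" -gt 9 ]; then return 0; fi
    [ "$major" -eq 9 ] && [ "$pattern" -ge 35908 ]
}

if aptp_is_current "$SAMPLE"; then
    echo "APTP pattern OK: $(aptp_version "$SAMPLE" | tr ' ' '-')"
else
    echo "APTP pattern missing or older than 9-35908; run Up2date" >&2
fi
```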