Advanced Threat Protection C2/Generic-A

Question

Hello, 
 I am wondering if I am seeing false positives or not? Every machine in my network hit on an IP address today according to ATP. the IP address is 205.185.216.10. Some show as IpTables and others as AFCd. I checked the Advanced Threat Protection log and I do see the entries since 16:32. I also checked the Web Filtering Log and I see multiple entries there with that as the destinationIP. This is seeing the Windows Update application in there. Though when I do an IP lookup on it, it shows for Highwinds Network group. I have sent an email to abuse@hwng.net, and am preparing to send an email to Microsoft as it might be possible that Windows Update has been hijacked. 
 Just not sure if these are legitimate or not. Plus maybe someone else was seeing the same thing. 
 
 Thank You.

emmosophos · Accepted Answer

Hello MikeRM275, 
 Thank you for contacting the community. 
 Just to confirm this was a False Positive and labs have fixed the issue already. 
 This is the official KB with the information about this. 
 === 
 False Positive detection for Threat ID: 811385046 that produced C2/Generic detections 
 https://community.sophos.com/kb/en-us/135509 
 === 
 At this point there is no action required, except to check that Pattern Download/Installation Interval is at least enable to check every 15 minutes. (Management >> Up2date >> Configuration. 
 You can also confirm the pattern is up2date by running the command below, and make sure you have the latest APTP installed which is 9-35-908. 
 utm1:/var/log # rpm -qa | grep u2d u2d-aws-9-291 u2d-savi-9-15559 u2d-avira4-9-7794 u2d-ipsexception-9-6 u2d-clvbrowser-9-44 u2d-geoipxtipv6-9-109 u2d-geoip-7-168 u2d-man9-9-1027 u2d-ipsbundle2-9-311 u2d-aptp-9-35908 u2d-owaspcrs-9-18 ep-u2d-download-9.30-0.190218485.ga937bb2 u2d-cadata-9-110 u2d-appctrl43-9-62 u2d-ohelp9-9-1071

MikeRM275 · Answer

Thank you for the response.