ATP reports "C2/Generic-A" on local DC with DNS but scan results are good

Hello

Some of our customers asked me about this, so I think this will help others, too.

The issue:

ATP reports "C2/Generic-A" on local domain controller with DNS but a client scan doesn't find any threats

What is probably happening:

What is blocked here is not communication with a C&C server but the DNS lookup of the C&C server.
This means that your DC/DNS server is probably clean. There is likely a client that was looking up a known C&C server (for some reason that needs to be investigated).

What to do:

Usually you would perform the steps mentioned in this KBA.

What to do in case the UTM reports an ATP detection
https://www.sophos.com/en-us/support/knowledgebase/120725.aspx

I recommend doing that if you cannot solve the issue with the following steps:

1. Get the aptp log as described in KBA 120725.
2. Verify that the source IPs belong to an internal DNS server.
3. Verify that the destination IPs belong to a public DNS server (http://mxtoolbox.com/DNSLookup.aspx). This shows it is a DNS request for the C&C server.
4. Find the causing client machine as described here:
Sophos UTM Advanced Threat Protection–Your Domain Controller is Botnet?
http://techbast.com/2015/02/sophos-utm-advanced-threat-protectionyour-domain-controller-is-botnet.html
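The following is an added example (not code from the original post, the KBA or the linked article) that walks through steps 2 to 4 on constructed data. It treats an ATP hit on port 53 from an internal DNS server to a public address as the resolver looking up the C&C name rather than the DC talking to a C&C server, and it then parses lines approximating the Windows DNS Server debug log to find which internal client actually asked for that name. The ATP event layout, the internal DNS server address, the log line format and the domain `bad.example.com` are all assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges; anything outside them is treated as "public" here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed ATP events. The field layout is an assumption for this example,
# not the real layout of the UTM's aptp log.
ATP_EVENTS = [
    {"src": "192.168.10.5",  "dst": "8.8.8.8",     "dport": 53,  "threat": "C2/Generic-A"},
    {"src": "192.168.10.5",  "dst": "1.1.1.1",     "dport": 53,  "threat": "C2/Generic-A"},
    {"src": "192.168.20.77", "dst": "203.0.113.9", "dport": 443, "threat": "C2/Generic-A"},
]

# Assumption: the domain controller that also runs the internal DNS service.
INTERNAL_DNS_SERVERS = {"192.168.10.5"}


def classify_event(ev, internal_dns=INTERNAL_DNS_SERVERS):
    """Steps 2 and 3 of the post: a port-53 hit from an internal DNS server to a
    public resolver is the DNS lookup of the C&C name, so the DC is most likely
    clean and a client behind it should be investigated. Anything else from an
    internal host straight to a public address is a direct contact attempt."""
    if ev["dport"] == 53 and ev["src"] in internal_dns and not is_internal(ev["dst"]):
        return "resolver-lookup"
    if is_internal(ev["src"]) and not is_internal(ev["dst"]):
        return "direct-contact"
    return "other"


# Constructed lines approximating the Windows DNS Server debug log format
# (an approximation for this example, not a captured log).
DNS_DEBUG_LOG = """\
3/2/2015 10:15:23 AM 0B34 PACKET  000000000A3B4C50 UDP Rcv 192.168.20.77  0002   Q [0001   D   NOERROR] A      (3)bad(7)example(3)com(0)
3/2/2015 10:15:23 AM 0B34 PACKET  000000000A3B4C50 UDP Snd 8.8.8.8        0002   Q [0001   D   NOERROR] A      (3)bad(7)example(3)com(0)
3/2/2015 10:15:24 AM 0B34 PACKET  000000000A3B4D10 UDP Rcv 192.168.20.12  0003   Q [0001   D   NOERROR] A      (3)www(6)update(3)com(0)
3/2/2015 10:15:30 AM 0B34 PACKET  000000000A3B4E20 UDP Rcv 192.168.20.77  0004   Q [0001   D   NOERROR] A      (3)bad(7)example(3)com(0)
"""

# Only queries received ("Rcv") from a client matter; the "Snd" line is the DC
# forwarding the same question to its public forwarder.
DNS_QUERY_RE = re.compile(
    r"\b(?:UDP|TCP) Rcv (\d{1,3}(?:\.\d{1,3}){3})\s+\w+\s+Q \[[^\]]*\]\s+\w+\s+"
    r"((?:\(\d+\)[^()\s]+)+\(0\))"
)


def decode_labels(wire):
    """Turn the length-prefixed form '(3)bad(7)example(3)com(0)' into 'bad.example.com'."""
    return ".".join(lbl for _, lbl in re.findall(r"\((\d+)\)([^()]*)", wire) if lbl)


def clients_querying(log_text, domain):
    """Step 4 of the post: which internal clients asked the DC's DNS for the name."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DNS_QUERY_RE.search(line)
        if m and decode_labels(m.group(2)).lower() == domain.lower():
            hits[m.group(1)] += 1
    return hits


if __name__ == "__main__":
    for ev in ATP_EVENTS:
        print(f"{ev['src']:>15} -> {ev['dst']:<13} :{ev['dport']:<4} {classify_event(ev)}")
    print("clients that queried bad.example.com:",
          dict(clients_querying(DNS_DEBUG_LOG, "bad.example.com")))
```

With the constructed data the two port-53 events from the DC are reported as resolver lookups and the debug log points at 192.168.20.77 as the machine that asked for the name twice, which is the host to scan next; the third event (a client going straight to a public address on 443) is the case where the ATP hit really is on the endpoint itself.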

If you have any feedback or additional information please post it here.

Thanks and have a great and cyber-secure day [:)]


STHN


