Seeing about six of our sites (all running the slightly older 9.408 release) getting APT alerts for ocsp.comodoca.com starting this morning (2017-02-21 ~9 am EST)?
Anyone else seeing this occur?
Same here, first one at 9:16am today.
Advanced Threat Protection
A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2017-02-21 09:16:35
Traffic blocked: yes
Firmware: 9.408-4
Hi All,
Sophos released an ATP pattern update at 14:50 GMT which caused ocsp.comodoca.com to be flagged as various forms of malware. This occurred in Pattern Update #118540 and has been resolved in Pattern Update #118541, which was released at 15:20 GMT.
If your patterns aren't updating, please manually update them by going to Management > Up2Date, then go to the Configuration tab and change the Update Interval for patterns to Manual. Then return to the previous tab and press Up2Date for Patterns, and return to Configuration and switch it back to Automatic every 15 minutes.
If you are on 118541 already, you shouldn’t have any problems.
Emile
Emile, It's still happening and we are on 118544 !
We are on 118544 and getting spammed by these alerts as well.
We still have this issue with pattern version 118544!
It occurs using this URL:
Using other URLs from the http.log, they work:
Seems that there is some kind of trojan in the string MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D
The UTM says:
You are trying to visit a URL that is normally only visited by a threat installed on a computer. Your computer may be infected with malware, please contact your administrator.
We have scanned all the "infected" computers and nothing was found. Maybe we have to set an exception for those false positives.
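As an added example (not code from any poster in this thread): the long string in the blocked URL path is what a GET-style OCSP lookup looks like on the wire, a base64-encoded DER OCSPRequest (RFC 6960, Appendix A), which is why every client that validates a COMODO-issued certificate hits ocsp.comodoca.com with a path like this. The Python below decodes the string from the post and walks the DER to show the CertID inside it. The full sample URL is reconstructed from the host and the string in the post (the original URL line was not preserved), and the OID-to-name mapping is my own; both are assumptions, not something from the page.

```python
import base64
import binascii
import urllib.parse

# Constructed sample: host and path string taken from the thread, joined into
# one URL (assumption: this is the request as it appeared in http.log).
SAMPLE_URL = (
    "http://ocsp.comodoca.com/"
    "MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQU"
    "u69%2BAj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D"
)

# Hash algorithm OIDs commonly seen in an OCSP CertID (my own mapping).
HASH_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}


def der_read(buf, pos=0):
    """Read one DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out


def decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_ocsp_get_url(url):
    """Parse an RFC 6960 Appendix A GET-style OCSP URL.

    Returns one dict per CertID in the request, or raises ValueError if the
    path does not decode to a DER OCSPRequest.
    """
    path = urllib.parse.urlsplit(url).path.lstrip("/")
    try:
        raw = base64.b64decode(urllib.parse.unquote(path), validate=True)
    except binascii.Error as exc:
        raise ValueError("path is not base64") from exc
    if not raw:
        raise ValueError("empty path")
    tag, body, _ = der_read(raw)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    # OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] OPTIONAL }
    tbs_tag, tbs, _ = der_read(body)
    if tbs_tag != 0x30:
        raise ValueError("no tbsRequest")
    # TBSRequest: optional [0] version and [1] requestorName precede requestList,
    # so the first plain SEQUENCE child is the requestList.
    request_list = next((v for t, v in der_children(tbs) if t == 0x30), None)
    if request_list is None:
        raise ValueError("no requestList")
    results = []
    for req_tag, req in der_children(request_list):
        if req_tag != 0x30:
            raise ValueError("bad Request")
        cert_id = der_children(req)[0][1]            # reqCert CertID
        fields = der_children(cert_id)
        # CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
        if [t for t, _ in fields] != [0x30, 0x04, 0x04, 0x02]:
            raise ValueError("bad CertID")
        alg_oid = decode_oid(der_children(fields[0][1])[0][1])
        results.append({
            "hash_algorithm": HASH_OIDS.get(alg_oid, alg_oid),
            "issuer_name_hash": fields[1][1].hex(),
            "issuer_key_hash": fields[2][1].hex(),
            "serial_number": fields[3][1].hex(),
        })
    return results


def is_ocsp_get_request(url):
    """True if the URL path decodes cleanly as an OCSPRequest; use this to
    triage an http.log line before treating the path as a C2 indicator."""
    try:
        return bool(parse_ocsp_get_url(url))
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    for r in parse_ocsp_get_url(SAMPLE_URL):
        print(r)
```

Run against the string from the post, the decoder yields a single CertID: SHA-1 hash algorithm, a 20-byte issuer name hash, a 20-byte issuer key hash and a 16-byte certificate serial number, which is an ordinary revocation query for one certificate rather than a command-and-control beacon. The same function returns False for paths that are not base64 or that decode to something other than an OCSPRequest, so it can be used to whitelist OCSP responders by request shape instead of by hostname alone.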
Hi Emile,
We are on pattern update 118544
But we are still seeing these alerts!!!
Just seen more emails from others, will follow up!
Could you check to see if these emails aren't spooled from earlier in the Mail Protection Log?
Emile
We're still seeing alerts on 118544 from one site as well, but they certainly seem to have slowed down in frequency.
We are at 118544 and our last alert was at: ocsp.comodoca.com C2/Generic-A Proxy 2017-02-21 10:58:32 in Eastern Time US.
Perhaps it's fixed?
michael.preis said: We still have this issue with pattern version 118544!
It occurs using this URL:
Using other URLs from the http.log, they work:
Seems that there is some kind of trojan in the string MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D
The UTM says:
The content is blocked due to the following condition: You are trying to visit a URL that is normally only visited by a threat installed on a computer. Your computer may be infected with malware, please contact your administrator.
We have scanned all the "infected" computers and nothing was found. Maybe we have to set an exception for those false positives.
I wouldn't advise that; you might be blocking legitimate OCSP lookups, which will cause certificate trust check issues.
Emile