Domain Controllers are doing DNS lookups which are showing as ATP Threat alerts and blocking C&C traffic and reporting 'C2/Generic-A'

I am getting regular DNS lookups to '82.81.53.202-in-addr.arpa-nettlinx.com' on my local Domain Controllers, which the ATP is blocking as C&C. Has anyone else come across this before?

  • Yeah, see it now and then.

    The ATP actually just matches traffic to well-known abuse sources (including DNS lookups / rDNS) and flags these.

    Since the source is your DC, it >should< be safe to ignore this as a false positive for botnet infection.

    The real question here is really: who is querying your DCs, and is the request from the outside (reply to a well-known abuse host)? Then it might be an attempt to poison your DNS.

    If you are absolutely sure everything is ok, then you can exempt the DC from warnings in the ATP.

  • Find out which endpoint is actually requesting this by dropping logging onto the DNS on the DCs; it is usually a sign of PUPs on the end system.
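Both replies come down to the same check: turn on DNS logging on the DC and work out which client (internal workstation, or something outside) is actually sending the query for the flagged name. The script below is an added example, not code from the thread or from Sophos. It assumes the line layout of a Windows DNS Server debug log with packet details enabled (date, thread id, context, UDP/TCP, Snd/Rcv, client IP, XID, Q/R, flags, QTYPE, and the query name written with label-length prefixes such as `(3)www(6)sophos(3)com(0)`); the log lines, client addresses and the RFC 1918 "internal" ranges are constructed for the demonstration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample entries laid out like a Windows DNS Server debug log
# with "Details" enabled. They are made up for this example, not real captures.
# Line 1: internal client asks for the flagged name; line 2 is the DC's reply
# (Snd, "R"), which must not be counted as a query; line 3 is an unrelated
# lookup; lines 4-5 are a second internal client and an outside address.
SAMPLE_LOG = """\
5/12/2015 9:26:45 AM 0B2C PACKET  00000000027F4A70 UDP Rcv 192.168.1.57    0003   Q [0001   D   NOERROR] A      (20)82.81.53.202-in-addr(13)arpa-nettlinx(3)com(0)
5/12/2015 9:26:45 AM 0B2C PACKET  00000000027F4A70 UDP Snd 192.168.1.57    0003 R Q [8081   DR  NOERROR] A      (20)82.81.53.202-in-addr(13)arpa-nettlinx(3)com(0)
5/12/2015 9:26:46 AM 0B2C PACKET  00000000027F5B80 UDP Rcv 192.168.1.57    0004   Q [0001   D   NOERROR] A      (3)www(6)sophos(3)com(0)
5/12/2015 9:26:47 AM 0B2C PACKET  00000000027F6C90 UDP Rcv 192.168.1.23    0005   Q [0001   D   NOERROR] A      (20)82.81.53.202-in-addr(13)arpa-nettlinx(3)com(0)
5/12/2015 9:26:48 AM 0B2C PACKET  00000000027F7DA0 UDP Rcv 203.0.113.9     0006   Q [0001   D   NOERROR] A      (20)82.81.53.202-in-addr(13)arpa-nettlinx(3)com(0)
"""

# One packet line of the debug log (assumed layout, see lead-in).
LINE_RE = re.compile(
    r"^(?P<date>\S+ \S+ [AP]M) (?P<thread>\S+) PACKET\s+(?P<ctx>\S+) "
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+(?P<xid>\S+)\s+"
    r"(?P<resp>R?)\s*Q \[(?P<flags>[^\]]*)\] (?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)

# "(3)www(6)sophos(3)com(0)" -> pairs of (length, label); "(0)" is the root.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_name(encoded):
    """Turn the length-prefixed label form into a dotted, lower-cased name."""
    labels = []
    for length, text in LABEL_RE.findall(encoded):
        if int(length) == 0:
            break  # root label ends the name
        if len(text) != int(length):
            raise ValueError("label length mismatch in %r" % encoded)
        labels.append(text)
    return ".".join(labels).lower()


def parse_line(line):
    """Return the parsed fields of one packet line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["name"] = decode_name(fields["name"])
    fields["is_response"] = bool(fields.pop("resp"))
    return fields


def find_querying_clients(log_text, suspect_name,
                          internal_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Count, per client IP, the received queries for suspect_name (or any
    name under it) and list the clients that fall outside internal_nets."""
    nets = [ip_network(n) for n in internal_nets]
    suspect = suspect_name.lower().rstrip(".")
    hits = Counter()
    external = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only inbound queries identify a requester; the DC's own replies
        # (Snd/R) and unrelated names are skipped.
        if rec is None or rec["dir"] != "Rcv" or rec["is_response"]:
            continue
        if rec["name"] != suspect and not rec["name"].endswith("." + suspect):
            continue
        ip = rec["ip"]
        hits[ip] += 1
        if not any(ip_address(ip) in n for n in nets):
            external.append(ip)
    return hits, external


if __name__ == "__main__":
    counts, outside = find_querying_clients(
        SAMPLE_LOG, "82.81.53.202-in-addr.arpa-nettlinx.com")
    for client, n in counts.most_common():
        print("%-16s %d query(ies)" % (client, n))
    print("clients outside internal ranges:", outside)
```

Run it against a real debug log by reading the file into `find_querying_clients` in place of `SAMPLE_LOG`. An internal workstation in the counts is the endpoint to inspect for unwanted software, as the second reply suggests; a source outside your own ranges means the DC is answering queries from the Internet, which is the "request from the outside" case the first reply warns about, and the DC should normally not be reachable on UDP/TCP 53 from there at all.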
