Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 16 replies
  • Subscribers 3 subscribers
  • Views 10354 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM9 blocking Botnet traffic... but EP not finding anything...

DaveK67
I'm getting regular notifications that the firewall is blocking one of my systems from communicating with a known botnet site... but when I run an AV scan on that system it's coming up empty.  Any suggestions regarding 'step b'?  I'm trying other av and am products now to see if anyone else catches it - so far nothing is.  

UTM flags as 'C2/Generic-A' to destination 82.211.30.241 (IPTables).


This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to pinkytwister
    I am seeing the same thing and have also researched on the QNAP forums.  Does not seem to be getting any traction on either side.  Could someone please update?

    Thanks


    So interestingly... I went through a series of increasing logging on the client, but was unable to isolate the process. I was able to capture the time of the event using Wireshark, but couldn't isolate the process. Finally I stumbled on a blog that talked about using SysMon to write connection activity to the event log: Sysinternals New Tool Sysmon (System Monitor) 

    I installed this tool and started logging every outgoing network connection... the odd thing is that since then I've not seen a single attempt to connect to that site. I was getting dozens of attempts a week but have not had one since.  

    In any case... the SysMon log SHOULD allow me to isolate the source of the connection once one happens.
  • 0 in reply to DaveK67

    In any case... the SysMon log SHOULD allow me to isolate the source of the connection once one happens.


    Very interested in your results! I ran Wireshark for a whole week split to small pcap files and had the same problem: nothing talked to the C&C. Self-aware? hope not.

    Sophos UTM Home user since 2015

    Running on Q350G4 Core i5-4200U 8GB

Unfiltered HTML