I wanted to put this out there to you guys and see if anyone else had a round of Sophos false positive C2/Generic-A alerts yesterday or the last couple of days with Sophos Advanced Threat Protection identifying aย C2/Generic-A threat. ย The exact message I was seeing on some UTM devices was the following:
Advanced Threat Protection
A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name….: C2/Generic-A
Details……..: https://www.sophos.com/en-us/
Time………..: 2015-04-30 16:27:26
Traffic blocked: yes
Source IP address or host: 192.168.1.20
When pulling up the web filter log, the activity that I saw which it blocked came from a device that was hitting Google’s public DNS server address at 8.8.8.8. ย I found a thread here on the Astaroย forum from other users who were seeing some issues:ย https://www.astaro.org/gateway-products/network-protection-firewall-nat-qos-ips/57171-advanced-threat-protection-google-dns-8-8-8-8-false-positive-3.html
It seems that for me the ATP alerted for around 2 hours yesterday afternoon and then stopped for three devices on my network all of which were hitting the 8.8.8.8 DNS address. ย Then, the alerts and network traffic was no longer flagged.
After being directed to the free download utility from Sophos here: ย https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx ย and running the scan utility, the computer was found to be clean.
Let me know if you guys were seeing this across the board too. ย All in all, I love the Sophos UTM product and would always rather be safe than sorry when it comes to security and malware, but it looks like Sophos may have been crying wolf yesterday due to a signature update possibly.
Hi
I have the same Alert on UTM9 SG230. Funny fact: The two detected hosts are the Domaincontrollers in that network. I’ve scanned both with several tools and found nothing. Nice to know, I’m not alone.
Kind regards
Sam
Same here, it looks DNS related. If I had to take a swing, its a DNS server its job to reach out to multiple places to the internet, it’s called resolving. There is no bad intend in it, its purely the core of a DNS server. so yes, for the DNS Server its a false positve.
Now… What client requested the actual dns resolvement of a malicious site? This seems to be the core of the problem, also with me. A client is certainly to blame.