This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to solve C2/Generic-B

Hi, one of my user PC have C2/Generic-B issue as show in below alert message. I had raise the support ticket but the support personnel only send me the below URL and ask me to check on this article for how to handle it, which I already search google and found this link previously. I do wonder what he need from my side, because I can't do anything from my side except format whole PC and reinstall windows (funny right?).

I do have doubt on should I send the SDU and autorun log through email, because now the support personnel haven't reply me yet through email, and it take one month for them to reply email for the last case I deal with support personnel through email, while no one pickup my call when I call to local sophos support phone number.

I just feel very tired for the official support...Anyone know how to solve this issue?

Alert message:

Malicious traffic detected: 'C2/Generic-B' at 'C:\Windows\System32\svchost.exe' (Technical Support reference: 259007464)

https://community.sophos.com/kb/en-us/121544#Central

This thread was automatically locked due to age.

Parents

0 Yashraj S over 5 years ago

Hi Robert Low

Please accept our sincere apologies for the delays and inconveniences you are facing. From the alert message you have posted, I have managed to find out the URL the endpoint is suspecting to be a command and control server URL. I will PM you the exact URL. I would really like to look into your case and see what went wrong and make sure you are provided with a proper resolution and hence I request you to PM me the case number.

Thanks,

Yashraj Singha
Manager | Global Community Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Robert Low over 5 years ago in reply to Yashraj S

Done PM.
Cancel
Vote Up 0 Vote Down

Cancel
0 Yashraj S over 5 years ago in reply to Robert Low

Hi Robert Low

I can see that the case has been resolved. I hope you were provided satisfactory resolution on this case. Please do reach out to us if you have any further queries in this regards.

Thanks,

Yashraj Singha
Manager | Global Community Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel
0 Idris Sanni over 4 years ago in reply to Yashraj S

Hello, I have similar issue and want to know how to go about it.

Alert:

Malicious traffic detection locally cleared: 'C2/Generic-B' at 'C:\Windows\System32\mshta.exe'
Cancel
Vote Up 0 Vote Down

Cancel
0 Badrobot over 4 years ago in reply to Idris Sanni

As shown above, follow these instructions: https://community.sophos.com/kb/en-us/121544#Central

This will show you how to find the url the site is accessing, the program that is accessing it. Once you have the info you should be able to clean it up and or prevent the access as well. (Depends on what the program is/url) There is also a chance it is a false positive, but the info will help alot.

Respectfully,

Badrobot
Cancel
Vote Up 0 Vote Down

Cancel
0 Badrobot over 4 years ago in reply to Idris Sanni

Just another thought but you could download and load procmon and tcpview or netmon from microsoft, procmon will let you monitor what the mshta.exe is doing similar to a threat analysis in sophos, just in real time. You can filter it to only show those aspects. TCPview or netmon can help find the specific traffic related to a specific application such as mshta.exe which might help determine what this is doing.

I did a quick search and it seems to be related to HTML or HTA files (just in case you are doing something like this).

Respectfully,

Badrobot
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Badrobot over 4 years ago in reply to Idris Sanni

Just another thought but you could download and load procmon and tcpview or netmon from microsoft, procmon will let you monitor what the mshta.exe is doing similar to a threat analysis in sophos, just in real time. You can filter it to only show those aspects. TCPview or netmon can help find the specific traffic related to a specific application such as mshta.exe which might help determine what this is doing.

I did a quick search and it seems to be related to HTML or HTA files (just in case you are doing something like this).

Respectfully,

Badrobot
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data