As I'm receiving the message "Malicious connection detected: 'C2/Generic-B' at 'C:\program files (x86)\mozilla thunderbird\thunderbird.exe' (Technical Support reference: 1409585957)" in alerts and I want to ask for help, I launched a diagnostic (SDU) from Sophos Central. After it's finished I want to submit the zip file, but I'm not sure how or where I can enter this in the FileSubmission page. Or do I need to proceed differently?
If you launched the SDU from Central, it will automatically upload to us. You will see the SDU name in the device details. You can then contact support, open a case and provide them that name, and they can download the SDU. The SDU is only stored for a couple of weeks on that system, so don't delay.
Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
On the device page in Sophos Central it will have a file name once complete: E.g.
You can provide that to support and they can find the file.
The generated SDU will be in C:\windows\temp\, for example C:\Windows\Temp\sdu-4604\, where the number after "sdu-" is the process id of mcsagent.exe, the process that kicked off the tool when it received the message from Central.
It looks like your mail client probably downloaded an email with a resource hosted on a site classified by Sophos as a command and control server. This would have triggered it. If you look in:
C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SntpService.log
You will see the data.
The only action for these is for Sophos to block the request.
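The two checks described in the post above (find the sdu-<pid> folder and tie it to the McsAgent.exe instance that produced it, then pull the relevant lines out of SntpService.log), written up as an added PowerShell example. This is not code from the thread or from Sophos; the paths are the ones named in the post, while the search strings, the parameter names and the assumption that the log is plain text that Select-String can scan are illustrative. Run it in an elevated PowerShell session on the affected endpoint.

```powershell
# Added example, not part of the original thread or a Sophos tool.
# Assumptions: the SDU folder and log path are as given in the post; $ProcessPath and
# $DetectionName are illustrative search strings; SntpService.log is a plain-text log.
param(
    [string]$ProcessPath   = 'C:\program files (x86)\mozilla thunderbird\thunderbird.exe',
    [string]$DetectionName = 'C2/Generic-B',
    [string]$SntpLog       = 'C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SntpService.log'
)

# 1. SDU folders: the number after "sdu-" is the PID of the McsAgent.exe instance that
#    launched the tool, so compare it against the agent PIDs currently running.
$agentPids = @(Get-Process -Name 'McsAgent' -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Id)

Get-ChildItem -Path 'C:\Windows\Temp' -Directory -Filter 'sdu-*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $pidText   = $_.Name -replace '^sdu-', ''
        $sduPid    = 0                                   # not $pid, which is a PowerShell automatic variable
        $isNumeric = [int]::TryParse($pidText, [ref]$sduPid)
        [pscustomobject]@{
            Folder       = $_.FullName
            LastWrite    = $_.LastWriteTime
            AgentPid     = if ($isNumeric) { $sduPid } else { $null }
            # $false means the folder came from an earlier agent run (PID no longer alive)
            AgentRunning = $isNumeric -and ($agentPids -contains $sduPid)
            ZipFiles     = @(Get-ChildItem -Path $_.FullName -Filter '*.zip' -File `
                               -ErrorAction SilentlyContinue).Count
        }
    } |
    Sort-Object LastWrite -Descending |
    Format-Table -AutoSize

# 2. SntpService.log: show the most recent lines naming the flagged process or the
#    detection. Both strings are regex-escaped because the path contains '(' and ')'.
if (Test-Path -LiteralPath $SntpLog) {
    $pattern = '{0}|{1}' -f [regex]::Escape($ProcessPath), [regex]::Escape($DetectionName)
    Select-String -LiteralPath $SntpLog -Pattern $pattern |
        Select-Object -Last 20 |
        ForEach-Object { '{0}: {1}' -f $_.LineNumber, $_.Line }
}
else {
    Write-Warning "Log not found: $SntpLog"
}
```

If the folder for your SDU shows AgentRunning as $false, that is expected once the agent has restarted; the folder name still tells you which run produced it, and the zip count confirms the bundle was actually written before you quote its name to support.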
Thank you RichardP. To open a case, can I do this through Sophos Central (Help - Create Support ticket)?
Thank you Sophos User930. I see in Sophos Central that it got detected and a Sophos Clean ran on the application. Does this mean I can mark this as resolved in Sophos Central?
Hi Jo Vanattenhoven,
Yes, you can create a ticket from Central and also from this link.
Yes, I suspect so. I assume you would have a threat case generated in Sophos Central that you can review, which shows the interaction of the thunderbird.exe process with the site classified as a C2, and whether anything else looks of interest.
In the "Threat Analysis Center" - "Threat Cases" I assume you can find the C2 detection for this. The graph will show what took place. Clean would have run as a matter of course. If it's just a connection attempt that was blocked, then you can mark it as resolved. Maybe delete the email to prevent it from happening again.