
Help wanted after launching a diagnostic (SDU)

Hello,

As I'm receiving the message "Malicious connection detected: 'C2/Generic-B' at 'C:\program files (x86)\mozilla thunderbird\thunderbird.exe' (Technical Support reference: 1409585957)" in alerts and I want to ask for help, I launched a diagnostic (SDU) from Sophos Central. After it's finished I want to submit the zip file, but I'm not sure how or where I can enter this on the FileSubmission page. Or do I need to proceed differently?

Jo

  • On the device page in Sophos Central it will have a file name once complete: E.g.

    Sophos Diagnostic Utility

    Status Running
    Last Run a few seconds ago
    File Name 0019d6b7-83c0-149f-2a0e-188e5237df41_2021-03-29-22-07-03.zip

    You can provide that to support and they can find the file.

    The generated SDU will be in C:\windows\temp\, for example C:\Windows\Temp\sdu-4604\, where the number after "sdu-" is the process id of mcsagent.exe, the process that kicked off the tool when it received the message from Central.

    It looks like your mail client probably downloaded an email with a resource hosted on a site classified by Sophos as a command and control server. This would have triggered it. If you look in:
    C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SntpService.log

    You will see the data.

    The only action for these is for Sophos to block the request. 
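
    The steps in the answer above (find the sdu-<pid> folder from the mcsagent.exe process id, locate the zip inside it, and check SntpService.log) can be scripted. The following is an added example, not code posted in the thread or shipped by Sophos; it assumes an elevated PowerShell prompt on the affected Windows endpoint, that the folder and log paths are exactly as given above, and that the detection name from the alert ('C2/Generic-B') and the process name thunderbird.exe appear literally in the log lines (an assumption, since the log format is not shown on this page).

```powershell
# Added example (not from the thread): locate the SDU output folder and pull
# the C2-related entries from the Sophos Network Threat Protection log.
# Run in an elevated PowerShell prompt on the endpoint that raised the alert.
# Folder naming ("sdu-<pid>") and the log path follow the answer above; the
# search strings below are assumptions based on the alert text.

$detectionName = 'C2/Generic-B'          # detection name from the Sophos Central alert
$sntpLog = 'C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SntpService.log'
$tempRoot = 'C:\Windows\Temp'

# 1. Resolve the SDU folder via the pid of mcsagent.exe, the process that launched the tool.
$mcs = Get-Process -Name mcsagent -ErrorAction SilentlyContinue
if ($mcs) {
    foreach ($p in $mcs) {
        $dir = Join-Path $tempRoot "sdu-$($p.Id)"
        if (Test-Path $dir) {
            Write-Output "SDU output folder for mcsagent.exe pid $($p.Id): $dir"
            Get-ChildItem -Path $dir -Filter '*.zip' -ErrorAction SilentlyContinue |
                Select-Object FullName, Length, LastWriteTime
        }
    }
} else {
    Write-Warning 'mcsagent.exe is not running; listing every sdu-* folder instead.'
}

# 2. Fallback: the agent may have restarted since the run, so list all sdu-* folders and their zips.
Get-ChildItem -Path $tempRoot -Directory -Filter 'sdu-*' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ChildItem -Path $_.FullName -Filter '*.zip' -ErrorAction SilentlyContinue } |
    Select-Object FullName, Length, LastWriteTime

# 3. Show the most recent log lines that mention the detection or the mail client.
if (Test-Path $sntpLog) {
    Select-String -Path $sntpLog -Pattern ([regex]::Escape($detectionName)), 'thunderbird\.exe' |
        Select-Object -Last 20 |
        ForEach-Object { $_.Line }
} else {
    Write-Warning "Log not found: $sntpLog"
}
```

    The zip file name printed by step 1 (or step 2) is the same name shown on the device page in Sophos Central, which is what support asks for; the log lines from step 3 show which destination the mail client tried to reach and that the request was blocked.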

  • Thank you Sophos User930. I see in Sophos Central that it got detected and a Sophos Clean ran on the application. Does this mean I can mark this as resolved in Sophos Central?

  • Yes, I suspect so. I assume you would have a threat case generated in Sophos Central you can review, which shows the interaction of the thunderbird.exe process with the site classified as a C2 and whether anything else looks of interest.

    In the "Threat Analysis Center" - "Threat Cases" I assume you can find the C2 detection for this. The graph will show what took place. Clean would have run as a matter of course. If it's just a connection attempt that was blocked, then you can mark it as resolved. Maybe delete the email to prevent it happening again.