As I'm receiving the message "Malicious connection detected: 'C2/Generic-B' at 'C:\program files (x86)\mozilla thunderbird\thunderbird.exe' (Technical Support reference: 1409585957)" in alerts and I want to ask for help, I launched a diagnostic (SDU) from Sophos Central. After it's finished I want to submit the zip file, but I'm not sure how or where I can enter this in the FileSubmission page. Or do I need to proceed differently?
On the device page in Sophos Central it will have a file name once complete.
You can provide that to support and they can find the file.
The generated SDU will be in C:\windows\temp\, for example C:\Windows\Temp\sdu-4604\, where the number after the "sdu-" is the process id of mcsagent.exe, the process that kicked off the tool when it received the message from Central.
It looks like your mail client probably downloaded an email with a resource hosted on a site classified by Sophos as a command and control server. This would have triggered it. If you look in C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SntpService.log you will see the data.
The only action for these is for Sophos to block the request.
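As an added example (not from this thread and not a Sophos tool), this PowerShell snippet uses the paths given above to find the SDU folder named after the mcsagent.exe process id, list any zip inside it, and show the tail of SntpService.log. It assumes mcsagent.exe is still running under the same pid and that the SDU output is a .zip; both are assumptions, so it also falls back to scanning every sdu-* folder.

```powershell
# Added example: locate the SDU output folder and its zip using the
# mcsagent.exe process id, as described in the reply above.
$tempRoot = Join-Path $env:SystemRoot 'Temp'

# The SDU folder is sdu-<pid of mcsagent.exe> (assumes the agent is still running).
$agent = Get-Process -Name 'mcsagent' -ErrorAction SilentlyContinue
$candidates = @()
foreach ($p in @($agent)) {
    if ($p) { $candidates += Join-Path $tempRoot ("sdu-{0}" -f $p.Id) }
}

# Fallback: the agent may have restarted since the SDU ran, so also take
# every sdu-* folder, newest first.
$candidates += @(Get-ChildItem -Path $tempRoot -Directory -Filter 'sdu-*' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -ExpandProperty FullName)

foreach ($dir in ($candidates | Select-Object -Unique)) {
    if (Test-Path -Path $dir) {
        Write-Output "SDU folder: $dir"
        # Zip name pattern is an assumption; list anything ending in .zip.
        Get-ChildItem -Path $dir -Filter '*.zip' -File -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
    }
}

# Last lines of the Network Threat Protection log mentioned above.
$sntpLog = 'C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SntpService.log'
if (Test-Path -Path $sntpLog) {
    Get-Content -Path $sntpLog -Tail 20
}
```

Run it from an elevated PowerShell prompt, since both C:\Windows\Temp and the Sophos log folder are normally only readable by administrators.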
Thank you Sophos User930. I see in Sophos Central that it got detected and a Sophos Clean ran on the application. Does this mean I can mark this as resolved in Sophos Central?
Yes, I suspect so. I assume you would have a threat case generated in Sophos Central you can review which shows the interaction of the thunderbird.exe process with the site classified as a C2, and whether anything else looks of interest.
In the "Threat Analysis Center" - "Threat Cases" I assume you can find the C2 detection for this. The graph will show what took place. Clean would have run as a matter of course. If it's just a connection attempt that was blocked, then you can mark it as resolved. Maybe delete the email to prevent it happening again.