The endpoint shows it as malicious behavior, but shouldn't detecting C2 be the purview of IPS? Why is it showing up as malicious behavior?
Or is the ips module already involved?
Thank you for reaching out to the community forum.
Regarding this detection, you may refer to the documents below about it and about how the naming convention for these detections is derived.
The behavioral C2 detections are made by our behavioral engine. The behavioral engine draws signals from multiple product components, including file analysis, process activity, script activity, online lookups, and other sources. In this case, the reputation of the URL being looked up would have been a factor in the detection.
The last section of this knowledgebase article can help you identify more info about the specific detection.
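To make the reply above concrete, here is a toy behavioral correlator, added as an illustration only (it is not Trend Micro's engine or any product code). It shows how signals from separate components (process activity, script activity, and a URL reputation lookup) are weighed together per process, so that a malicious URL reputation is one factor among several rather than the whole verdict, and why the outcome is a "behavioral" detection that hands off to a memory scan rather than a network block. All hosts, process names, weights, the threshold, and the reputation table are constructed for the example.

```python
"""Toy behavioral C2 correlator (added example, not product code).

Each 'component' contributes weighted signals for a process; a behavioral
C2 detection fires only when the combined score reaches a threshold.
Every name, weight and threshold below is a constructed assumption.
"""
from dataclasses import dataclass, field

# Constructed stand-in for an online URL reputation lookup.
URL_REPUTATION = {
    "update.example-cdn.net": "clean",
    "api.bad-actor.example": "malicious",   # hypothetical C2 host
}

# Constructed lists of commonly abused parent processes and script hosts.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "mshta.exe"}


@dataclass
class Event:
    pid: int
    kind: str          # "process", "script" or "network"
    detail: dict


@dataclass
class Verdict:
    pid: int
    score: int = 0
    reasons: list = field(default_factory=list)
    action: str = "none"


def score_events(events, threshold=3):
    """Correlate per-process signals from several components into one verdict."""
    verdicts = {}
    for ev in events:
        v = verdicts.setdefault(ev.pid, Verdict(pid=ev.pid))
        if ev.kind == "process":
            # Process-activity component: Office app spawning a script host.
            if ev.detail.get("parent") in OFFICE_APPS and ev.detail.get("image") in SCRIPT_HOSTS:
                v.score += 2
                v.reasons.append("office app spawned script host")
        elif ev.kind == "script":
            # Script-activity component: obfuscated or downloader command lines.
            cmd = ev.detail.get("cmdline", "").lower()
            if "-enc" in cmd or "-encodedcommand" in cmd:
                v.score += 1
                v.reasons.append("encoded PowerShell command")
            if "downloadstring" in cmd or "invoke-webrequest" in cmd:
                v.score += 1
                v.reasons.append("script-driven download")
        elif ev.kind == "network":
            # Online-lookup component: reputation of the host being contacted,
            # plus a weak timing signal for beacon-like periodic connections.
            host = ev.detail.get("host", "")
            if URL_REPUTATION.get(host, "unknown") == "malicious":
                v.score += 2
                v.reasons.append(f"URL reputation malicious: {host}")
            elif ev.detail.get("periodic"):
                v.score += 1
                v.reasons.append("beacon-like periodic connection")
    for v in verdicts.values():
        if v.score >= threshold:
            # Behavioral detections don't block the socket here; they hand the
            # process to a memory scan, whose own verdict decides on cleanup.
            v.action = "behavioral C2 detection -> trigger memory scan"
    return verdicts


def sample_events():
    """Constructed event stream: one real chain, one benign, one borderline."""
    return [
        Event(100, "process", {"parent": "winword.exe", "image": "powershell.exe"}),
        Event(100, "script", {"cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}),
        Event(100, "network", {"host": "api.bad-actor.example", "periodic": True}),
        Event(200, "process", {"parent": "explorer.exe", "image": "chrome.exe"}),
        Event(200, "network", {"host": "update.example-cdn.net", "periodic": False}),
        Event(300, "script", {"cmdline": "powershell.exe Invoke-WebRequest http://unknown.example/x"}),
        Event(300, "network", {"host": "unknown.example", "periodic": True}),
    ]


if __name__ == "__main__":
    for v in score_events(sample_events()).values():
        print(v.pid, v.score, v.action, v.reasons)
```

In this stream only PID 100 is detected (Office-to-PowerShell spawn, encoded command, malicious reputation), PID 200 scores nothing, and PID 300 stays below the threshold despite a download cmdlet and a periodic connection to an unrated host. That last case is the practical caveat: an unrated C2 host contributes no reputation signal, so the decision rests on the other components, which is why the vendor reply lists several sources rather than the URL alone.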
Hello, as mentioned in the article, the detection of C2 will not prevent it, but will trigger a memory scan, and if the memory scan determines it to be malicious, it will be cleaned. I am curious: why did the C2 detection not immediately block the connection and prompt? Or, why is the C2 not detected? If the memory scan comes back clean, isn't that a successful hack? If you alerted at the C2 connection stage, we could make up the payment even if the memory scan misses.