This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

C2/Zbot-A Infection

According to my UTM I have a workstation infected with C2/Zbot-A.  Sophos Endpoint is detecting nothing on this machine.  I'm installing Malwarebytes to see if it'll catch anything.  I'm finding no trace of this infection.

My main issue/concern is why the Endpoint is not catching this very serious infection.



This thread was automatically locked due to age.
Parents Reply Children
  • It is not.  Also, that link is broken.

  • Hello kp12584,

    occasionally it's just a browser trying to access an IP classified as C2. This is caused by some content on a webpage which might not be outright malicious (not all C&C servers are singly dedicated but have other "duties" as well). BTW: Link fixed.

    Christian

  • Thanks!  I'm curious about MTD as I have the home license for the UTM.  I briefly looked for it but didn't see it.   Do I have access to it?

  • I don't believe that feature is in that version.

    You could create a 30-day trial of Sophos Central managed software, there is a link at: https://cloud.sophos.com in order to test it.  That has all features enabled.

    If you go down this route I would suggest uninstalling all of the endpoint software you have and rebooting before installing the Sophos Central managed client as there are common packages between the two and this would minimize the chance of problem

  • Thanks for that info. I may do that.  My main concern is if I do have the Zeus problem, then why didn't my Endpoint scanner catch it?  

  • Hello kp12584,

    why didn't my Endpoint scanner catch it
    perhaps because it has been cleverly updated to evade detection?
    AV products wouldn't need constant updating if they could detect all past, present, and future threats.
    Thus your main concern should be if you have indeed the Zeus problem. How often does the UTM report the C2 traffic, is there a pattern? Does it perhaps correlate with browser activity? Process Monitor could show the network activity on the endpoint and might help to identify the offending process.

    Christian