This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

C2/Zbot-A Infection

According to my UTM I have a workstation infected with C2/Zbot-A. Sophos Endpoint is detecting nothing on this machine. I'm installing Malwarebytes to see if it'll catch anything. I'm finding no trace of this infection.

My main issue/concern is why the Endpoint is not catching this very serious infection.

This thread was automatically locked due to age.

Parents

0 jak over 7 years ago

Is the Malicious Traffic Detection (community.sophos.com/.../121607) feature working/enabled on the endpoint?
Cancel
Vote Up 0 Vote Down

Cancel
0 kp12584 over 7 years ago in reply to jak

It is not. Also, that link is broken.
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 7 years ago in reply to kp12584

Hello kp12584,

occasionally it's just a browser trying to access an IP classified as C2. This is caused by some content on a webpage which might not be outright malicious (not all C&C servers are singly dedicated but have other "duties" as well). BTW: Link fixed.

Christian
Cancel
Vote Up 0 Vote Down

Cancel
0 kp12584 over 7 years ago in reply to QC

Thanks! I'm curious about MTD as I have the home license for the UTM. I briefly looked for it but didn't see it. Do I have access to it?
Cancel
Vote Up 0 Vote Down

Cancel
0 jak over 7 years ago in reply to kp12584

I don't believe that feature is in that version.

You could create a 30-day trial of Sophos Central managed software, there is a link at: https://cloud.sophos.com in order to test it. That has all features enabled.

If you go down this route I would suggest uninstalling all of the endpoint software you have and rebooting before installing the Sophos Central managed client as there are common packages between the two and this would minimize the chance of problem
Cancel
Vote Up 0 Vote Down

Cancel
0 kp12584 over 7 years ago in reply to jak

Thanks for that info. I may do that. My main concern is if I do have the Zeus problem, then why didn't my Endpoint scanner catch it?
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 7 years ago in reply to kp12584

Hello kp12584,

why didn't my Endpoint scanner catch it
perhaps because it has been cleverly updated to evade detection? AV products wouldn't need constant updating if they could detect all past, present, and future threats.
Thus your main concern should be if you have indeed the Zeus problem. How often does the UTM report the C2 traffic, is there a pattern? Does it perhaps correlate with browser activity? Process Monitor could show the network activity on the endpoint and might help to identify the offending process.

Christian
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 QC over 7 years ago in reply to kp12584

Hello kp12584,

why didn't my Endpoint scanner catch it
perhaps because it has been cleverly updated to evade detection? AV products wouldn't need constant updating if they could detect all past, present, and future threats.
Thus your main concern should be if you have indeed the Zeus problem. How often does the UTM report the C2 traffic, is there a pattern? Does it perhaps correlate with browser activity? Process Monitor could show the network activity on the endpoint and might help to identify the offending process.

Christian
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data