
Generic-C detected by firewall not Sophos Endpoint

We have Sophos Endpoint Protection installed on all of our workstations. 4 times we've received alerts that our firewall has detected C2/generic-C at /usr/sbin/mDNSresponder. We've wiped the laptop and reinstalled each time, but we're losing faith in the veracity of this alert. Why isn't Sophos Endpoint Protection detecting anything while the firewall is?



Hello MichaelGombos,

The C2 prefix indicates probably malicious network activity; most C2 detections on the endpoints are only seen when the MTD component is enabled (BTW, which OS on the workstations?)

"our firewall has detected C2/generic-C at /usr/sbin/mDNSresponder" - which firewall is it? A network firewall can't identify a process on the endpoint; the path suggests that a DNS request triggered the detection. AFAIK Endpoint MTD monitors only HTTP traffic. Did the firewall block the request?

Consider the following: A rogue link (valid and unsuspicious name but resolving to a C&C IP) in a mail is clicked. The endpoint has to look up the name before it can attempt a connection that would subsequently be blocked. The firewall detects the C&C IP in the DNS reply packet and drops it. The endpoint will never attempt the connection; it won't even see that the URL would have resolved to a C&C server. Thus, whatever protection software is running on the endpoint, it will never have a chance to detect anything.

Christian
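The DNS-reply inspection Christian describes, as an added example that is not from the thread or from Sophos: a minimal parser that pulls the A records out of a DNS reply and checks them against a list of known C&C addresses, which is the point at which such a firewall drops the reply, so the endpoint never gets an address to connect to. The packet, the name update.example.net and the indicator 198.51.100.23 (a documentation-range address) are all constructed for this example.

```python
import struct
# Constructed indicator list for the example; 198.51.100.23 is a TEST-NET-2
# documentation address standing in for a real C&C IP, not an actual IoC.
CNC_INDICATORS = {"198.51.100.23"}

def read_name(pkt, off):
    # Decode a DNS name at offset `off`, following RFC 1035 compression
    # pointers; returns (name, offset just past the name in the packet).
    labels, end, jumped = [], off, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF, True
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else off + 1)
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def a_records(pkt):
    # Walk the question and answer sections, collecting (name, ipv4) for A records.
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off, out = 12, []
    for _ in range(qdcount):
        _, off = read_name(pkt, off)
        off += 4  # QTYPE + QCLASS
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append((name, ".".join(str(b) for b in pkt[off:off + 4])))
        off += rdlen
    return out

def flag_cnc_reply(pkt, indicators=CNC_INDICATORS):
    # The firewall's decision point: answers whose address is a known C&C IP.
    return [(n, ip) for n, ip in a_records(pkt) if ip in indicators]

def build_sample_reply():
    # Constructed reply: "update.example.net" -> placeholder C&C IP; the answer
    # uses a compression pointer (0xC00C) back to the question name.
    labels = "update.example.net".split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([198, 51, 100, 23])
    return header + qname + struct.pack("!HH", 1, 1) + answer
```

A reply flagged here would be dropped before the resolver hands the address to the client, which is why an endpoint agent watching connections sees nothing to alert on.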

