ERROR - "Sophos Firewall detected malicious traffic: 'C2/Generic-C' at 'C:\Windows\System32\svchost.exe' (Technica..."

I am getting the error status on 1 or 2 computers each day 

"Sophos Firewall detected malicious traffic: 'C2/Generic-C' at 'C:\Windows\System32\svchost.exe' (Technica..."

What is this?

  • Hello Paul Dunn,

    the analysis for C2/Generic-C is rather vague. What's in the endpoints' Anti-Virus log (%ProgramData%\Sophos\Sophos Anti-Virus\logs\SAV.txt)? Is the client firewall (SCF) indeed installed? If so, please check its log for possible details. See also Dealing with a C2 detection.

    Christian

  • Hey Paul,

    did you find something? We are getting this error on some computers here too. I found the URL which is responsible for the threat: "sync.header.direct".

    Is it the same for you?

    I'm not that knowledgeable about domains. Is this a safe domain and the Sophos popup wrong?


    Kind regards

    Marc


  • In reply to Marc Drescher:

    Marc

    Haven't found anything yet. Been a little busy. All I do know is I am very disappointed with Sophos Central and all the problems we are having with it. It does not seem to be working at all on about 40% of our machines (either it's giving so many false positives or just not running).

    We are truly sorry we purchased this software and 3 years of contract.  Seems like it is just a waste of money and we should have gone with a more reliable working solution.

    But now we are stuck :-(

  • In reply to Marc Drescher:

    Hi Marc,

    We are getting the exact same reports as you are across multiple machines, all to the URL "sync.header.direct". It just started out of the blue a week or so ago, and no matter what I try I can't confirm that it is actually malicious and not a false positive.

    Have you heard back from Sophos?

    Thanks

    Steve

  • In reply to QC:

    Of course I do not see anything useful or helpful in the log file :-(


    I 'tailed' the file, do you see anything useful?


    20171221 140943 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'.
    20171221 140943 Virus/spyware 'C2/Generic-C' is not removable.
    20171221 140950 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
    20171221 140950 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
    20171221 140951 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
    20171221 140955 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'.
    20171221 140955 Virus/spyware 'C2/Generic-C' is not removable.
    20171221 141006 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
    20171221 141006 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
    20171221 141007 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
    20171221 141011 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'.
    20171221 141011 Virus/spyware 'C2/Generic-C' is not removable.
    20171221 172504 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15341575 items.
    20171221 232504 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15341598 items.
    20171222 042504 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15341629 items.
    20171222 082505 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15341640 items.
    20171222 122504 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15341646 items.

  • In reply to Steve Goldsmith:

    We are getting the messages now all over the place and no help from Sophos :(

  • In reply to Paul Dunn:

    Hello Paul,

    indeed there's no further information. The odd thing, though, is the Threat ID: 0. It shouldn't be zero unless it's a double-generic detection, but then on what observations does it base its assessment? Did you open a ticket with Support?

    Christian

  • In reply to QC:

    Yes, I opened a ticket with support


    thanks

  • In reply to Paul Dunn:

    We are seeing similar issues since 12/18 with a number of machines:

    20171218 174443 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.

    Is this a false positive issue with an update?

    Greg

  • In reply to Greg CT:

    We also have this issue for approx. 10 machines per week.

    It is connected to sync.header.direct or sync-eu.headre.direct.

    We are sure that the svchost.exe on these machines is 100% O.K. (on disk, on the NTFS file system; we cannot be sure about what is in memory).


  • In reply to Jiri Hadamek:

    We received confirmation from Sophos Support that this was a false positive detection on the domain header.direct. No new alerts should show up after patterns have been updated around 12/29.

  • In reply to Greg CT:

    The problem is still current. Both svchost.exe and chrome.exe continue to be recognized as a threat. Elimination only possible by completely uninstalling and reinstalling the client software.

  • In reply to Bülent Caliskan1:

    Hello Bülent Caliskan1,

    Whatever the problem is:
    The C2 prefix indicates, let's put it this way, questionable network traffic (C2 used to stand for Command&Control). It does not necessarily indicate that the named executable is compromised, but that it has made or attempted a connection to a certain address or site (usually logged in the MTD log). Like all IPSs, MTD/SNTP isn't black and white; a lot depends on actual behaviour and behaviour over time. A reinstall clears the accumulated data, and thus naturally it then works again for some time.

    Of course, without any details I can't say whether this is an incorrect assessment, a mis-classification of the target site(s), or indeed something that shouldn't simply be disregarded, and it might be a good idea to contact Support.

    Christian
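The thread leaves the triage to the reader: Christian's last reply explains that a C2/* detection is about a connection the named process made, not necessarily about the binary itself, Jiri points out that the on-disk svchost.exe can be verified even if memory cannot, and two posters tie the alerts to the header.direct domain. The script below is an added example of how an endpoint administrator could pull those three threads together on one affected Windows machine; it is not Sophos' code and is not taken from the thread. It assumes the SAV.txt line format shown in the posts above, takes 'header.direct' as the suspect domain suffix, and falls back to a constructed sample (modelled on the posted log lines) when the real SAV.txt is not present, so it can be read and run offline.

```powershell
# Added triage example, not from the Sophos thread or from Sophos documentation.
# For each file that SAV.txt flags as a C2/* detection: summarise the hits,
# confirm the on-disk binary carries a valid Authenticode signature, then check
# whether this host has resolved the suspect domain and whether a flagged
# process currently holds a TCP connection to one of its addresses.
#
# Assumptions (not stated on the page): the SAV.txt detection line format is
#   yyyyMMdd HHmmss File "<path>" belongs to virus/spyware '<name>'. [Threat ID: n. No action taken.]
# and the suspect domain suffix is 'header.direct', as two posters reported.

param(
    [string]$LogPath = "$env:ProgramData\Sophos\Sophos Anti-Virus\logs\SAV.txt",
    [string]$SuspectDomain = 'header.direct'
)

# Constructed sample modelled on the lines posted in the thread; used only when the real log is absent.
$sampleLog = @'
20171221 140943 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'.
20171221 140943 Virus/spyware 'C2/Generic-C' is not removable.
20171221 140950 File "C:\Windows\System32\svchost.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
20171218 174443 File "C:\program files (x86)\Google\Chrome\application\chrome.exe" belongs to virus/spyware 'C2/Generic-C'. Threat ID: 0. No action taken.
20171221 172504 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15341575 items.
'@ -split "`r?`n"

$lines = if (Test-Path $LogPath) { Get-Content -Path $LogPath } else { $sampleLog }

# 1. Parse detection lines into objects (timestamp, path, threat name, optional Threat ID).
$pattern = '^(?<d>\d{8}) (?<t>\d{6}) File "(?<path>[^"]+)" belongs to virus/spyware ''(?<threat>[^'']+)''\.(?: Threat ID: (?<id>\d+)\.)?'
$detections = foreach ($line in $lines) {
    if ($line -match $pattern) {
        [pscustomobject]@{
            Time     = [datetime]::ParseExact($Matches.d + $Matches.t, 'yyyyMMddHHmmss', $null)
            Path     = $Matches.path
            Threat   = $Matches.threat
            ThreatId = if ($Matches.id) { [int]$Matches.id } else { $null }
        }
    }
}

# 2. One row per flagged file: hit count, time window, how many hits had Threat ID 0,
#    and the Authenticode status of the binary that is actually on disk.
$detections | Group-Object Path | ForEach-Object {
    $path   = $_.Name
    $sorted = $_.Group | Sort-Object Time
    $sig    = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    [pscustomobject]@{
        File      = $path
        Hits      = $_.Count
        First     = $sorted[0].Time
        Last      = $sorted[-1].Time
        ZeroIds   = @($_.Group | Where-Object { $_.ThreatId -eq 0 }).Count
        SigStatus = if ($sig) { $sig.Status } else { 'file not present' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Format-Table -AutoSize

# 3. Network side: cached resolutions for the suspect domain, then any established
#    TCP connection to one of those addresses, with the owning process and whether
#    that process name appears among the flagged files.
$cache = Get-DnsClientCache -ErrorAction SilentlyContinue |
         Where-Object { $_.Entry -like "*$SuspectDomain" -and $_.Data }
$cache | Select-Object Entry, Data, TimeToLive | Format-Table -AutoSize

$suspectIps   = @($cache | Select-Object -ExpandProperty Data)
$flaggedNames = @($detections | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_.Path) } | Sort-Object -Unique)
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $suspectIps -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process       = $proc.ProcessName
            PID           = $_.OwningProcess
            Flagged       = $flaggedNames -contains $proc.ProcessName
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
        }
    } | Format-Table -AutoSize
```

Run it in an elevated PowerShell on an affected endpoint. A Valid signature from a Microsoft subject on svchost.exe, combined with a DNS cache entry for the domain and a connection owned by the same process, is consistent with what the thread converged on: the detection is keyed on the destination, not on a tampered binary. A signature status other than Valid, or a connection owned by a process that is not on the flagged list, is the case where Christian's advice to involve Support rather than disregard the alert applies. Note that the DNS cache and connection table only show the current state; the MTD log Christian mentions is where the historical connection attempts live.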