Malicious traffic Detected C2:Generic-B at Windows;??svchost.exe

Hello, I have a problem finding how to properly Whitelist this service. I have tried adding a few rules, and none of those seem to be working.

Sophos is blocking one of my customer's main software, and I have had to completely remove it so they could run their office, leaving them unprotected. How do I go about submitting a sample, because they have multiple locations, and I am receiving the same error daily at each office?

  • NTP does support exclusions, but you would have to exclude the "file" svchost.exe in the on-access scanning section.  I'm not sure you would want to do that long term but it's better than removing it.

    If you're Central then here is fine:

    https://central.sophos.com/manage/config/settings/scanning-exclusions

    File or Folder - svchost.exe.  You could include the path to make it more precise.  You should see it in the file: \programdata\sophos\Sophos network threat protection\config\policy.xml once set.

    That said, I would check the Sntpservice.log file under:
    \programdata\sophos\sophos threat protection\logs\

    If you locate the time detected in the logs and look for svchost.exe, it should give you the location it was connecting to.  That is the site that is triggering the alert.  If you feel this is wrong you can submit it via the form on this page:


    secure2.sophos.com/.../contact-support.aspx

    [Submit a sample]

    Regards,

    Jak

  • Hi  

    Could you help me out with the product details in which you are seeing these alerts?

    From the alert that you have posted, I assume it to be Sophos Endpoint Protection - Cloud.

    If a C2 (command-and-control) detection alert has been triggered this means that the Sophos Endpoint Security product has detected communication with a suspect Command and Control site.

    Firstly we need to identify the process that triggered the C2 detection. The following steps must be performed on the endpoint on which the detection was triggered.

    • Open the SAV.txt log (C:\ProgramData\Sophos\Sophos Anti-Virus\logs)
    • Locate the C2 detection within this file (most recent entries are at the bottom of the file)
    • Make a note of the 'Process Path', the exact C2\<name> detection and the 'Threat ID'. The entry in the log will look like this: "File C:\Malware.exe belongs to virus/spyware 'C2/Generic-B'. Threat ID: 174378266"

    Locate the file specified in the 'Process Path'.

    If it's a known file:
    Many C2 detections will highlight an application which is obviously malicious. However there are certain circumstances where a C2 detection may be triggered against seemingly legitimate applications such as 'svchost.exe'. In these cases it is likely that another application has called the legitimate process and further investigation will be required to identify the actual malicious application.

    If it's an unknown file:
    Follow the instructions on how to submit the sample to Sophos.
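
The log-reading steps in the post above (and Jak's earlier advice to locate the detection entry by time and look for svchost.exe) can be scripted rather than done by eye. The following is an added example, not code from the thread or from Sophos: it parses SAV.txt-style lines, pulls out the Process Path, the C2/<name> detection and the Threat ID, and flags entries whose process path is svchost.exe as "legitimate host process, keep investigating" rather than "exclude". The only line format it knows is the single line quoted in the post; the timestamp prefix, the second detection line and the log file name variable are constructed for the example, not real Sophos output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the SAV.txt line quoted in the post.
# The timestamp prefix and the svchost.exe entry are assumptions for this
# example, not captured log content.
SAMPLE_SAV_LOG = """\
20230101 081500 Scan started
20230101 081502 File "C:\\Malware.exe" belongs to virus/spyware 'C2/Generic-B'. Threat ID: 174378266
20230101 091000 File "C:\\Windows\\System32\\svchost.exe" belongs to virus/spyware 'C2/Generic-B'. Threat ID: 174378266
20230101 093000 Scan finished
"""

# Matches: File "<path>" belongs to virus/spyware 'C2/<name>'. Threat ID: <digits>
DETECTION_RE = re.compile(
    r'File "(?P<path>[^"]+)" belongs to virus/spyware '
    r"'(?P<name>C2/[^']+)'\. Threat ID: (?P<threat_id>\d+)"
)

# The post singles out svchost.exe as a legitimate process that another
# application may have used; a hit on it means "find the caller", not "exclude".
LEGITIMATE_HOST_PROCESSES = {"svchost.exe"}


@dataclass
class C2Detection:
    process_path: str
    detection: str
    threat_id: str
    hosted_by_legit_process: bool


def parse_c2_detections(log_text: str) -> List[C2Detection]:
    """Return every C2 detection line in file order (most recent last)."""
    found: List[C2Detection] = []
    for line in log_text.splitlines():
        m = DETECTION_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        exe_name = path.rsplit("\\", 1)[-1].lower()
        found.append(
            C2Detection(
                process_path=path,
                detection=m.group("name"),
                threat_id=m.group("threat_id"),
                hosted_by_legit_process=exe_name in LEGITIMATE_HOST_PROCESSES,
            )
        )
    return found


def most_recent(detections: List[C2Detection]) -> Optional[C2Detection]:
    """Newest entry is at the bottom of SAV.txt, so it is the last parsed."""
    return detections[-1] if detections else None


def next_step(det: C2Detection) -> str:
    """Map a detection to the action the post describes."""
    if det.hosted_by_legit_process:
        return "legit process: identify the application that called it"
    return "unknown file: submit the sample to Sophos"


if __name__ == "__main__":
    for det in parse_c2_detections(SAMPLE_SAV_LOG):
        print(f"{det.process_path} -> {det.detection} (Threat ID {det.threat_id}): {next_step(det)}")
```

Point the script at the real SAV.txt (C:\ProgramData\Sophos\Sophos Anti-Virus\logs) by reading the file into `log_text`; the regex will only ever match lines in the quoted shape, so anything in a different format is silently skipped and should be checked by hand.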

  • In reply to Gowtham Mani:

    Hi

    Gowtham Mani you are completely correct. 


    bambi long you shouldn't be looking to exclude that file. Your customer is most likely infected. A C2 detection is very rarely wrong. The svchost.exe file is not your problem, there is something else hiding on the machine that is connecting to a known command and control site and is using the legit svchost.exe to do it. 


    Please can you let us know the exact detection details you are getting from the logs/console. Gowtham Mani has provided you the instructions on the post above.