Sophos UTM9 Advanced Threat Protection has threat name "C2/Generic-A" events for AD/DNS server

Hi all:

I checked our company's Sophos UTM9 firewall, Advanced Threat Protection section, and it has threat name "C2/Generic-A" events for the AD/DNS servers as follows:

I used Sophos endpoint, Malwarebytes & SuperAntiSpyware to run full scans, but can't find any virus. Please help me fix this problem, thanks a lot!

PS: 192.168.2.194 is the primary AD & DNS server, 192.168.2.12 is the secondary AD & DNS server.

Advanced Threat Protection

Total Events: 32

     User/Host       Threat Name    Destination        Events  Origin
 1   192.168.2.194   C2/Generic-A   104.31.83.243      5       AFCd
 2   192.168.2.194   C2/Generic-A   104.31.83.243      5       AFCd
 3   192.168.2.12    C2/Generic-A   mi.kenal-cn.com    1       AFCd
 4   192.168.2.12    C2/Generic-A   mi.kenal-cn.com    1       AFCd
 5   192.168.2.194   C2/Generic-A   mi.kenal-cn.com    2       AFCd
 6   192.168.2.194   C2/Generic-A   mi.kenal-cn.com    2       AFCd
 7   192.168.2.12    C2/Generic-A   mi.kenal-cn.com    1       AFCd
 8   192.168.2.194   C2/Generic-A   mi.kenal-cn.com    1       AFCd
 9   192.168.2.12    C2/Generic-A   mi.kenal-cn.com    1       AFCd
10   192.168.2.194   C2/Generic-A   mi.kenal-cn.com    2       AFCd

  • Try to find out which endpoint is actually requesting this by turning on logging on the DNS on the DCs.

    Best regards 

    Alex 

  • In reply to Alexander Busch:

    I already turned on DNS debug logging at the AD server to record the in/out traffic, thanks a lot for your reply!

  • In reply to Alexander Busch:

    I found ATP log entries again, but when I check the DNS log I can't find any records about this threat.

  • Since today I have the same issue with my AD DCs. I checked them with McAfee ENS and found nothing. I reset the Advanced Threat Protection, maybe it was just a false positive.

    Pattern is 183185

  • In reply to Norman Damerius:

    Same over here.

    Since this morning I'm getting several DNS-proxy alerts for the address "e13678.dspb.akamaiedge.net".

    Seems to be a false positive when so many users are seeing the same alerts...^^

  • In reply to Norman Damerius:

    I checked the firewall ATP log; all of them are connection drop records for the AD/DNS server to akamaiedge.net IP addresses.

    Is it all false positive? Thanks!

  • In reply to TheBalmasque:

    I think maybe some client PCs have some problem....

  • Same here, C2 alerts for e13678.dspb.akamaiedge.net all coming from my DNS Server:

    1     DNS_Server     C2/Generic-A     e13678.dspb.akamaiedge.net     142       AFCd
    2     DNS_Server     C2/Generic-A     e13678.dspb.akamaiedge.net     61         AFCd
    3     DNS_Server     C2/Generic-A     e13678.dspb.akamaiedge.net     58         AFCd
    4     DNS_Server     C2/Generic-A     e13678.dspb.akamaiedge.net     1 473    AFCd
    5     DNS_Server     C2/Generic-A     e13678.dspb.akamaiedge.net     824       AFCd
    6     DNS_Server     C2/Generic-A     e13678.dspb.akamaiedge.net     440       AFCd

    And unfortunately e13678.dspb.akamaiedge.net is a CNAME for www.microsoft.com:

    Type   Domain Name                                                 Canonical Name                                                  TTL
    CNAME  www.microsoft.com                                           www.microsoft.com-c-3.edgekey.net                               60 min
    CNAME  www.microsoft.com-c-3.edgekey.net                           www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net        6 hrs
    CNAME  www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net    e13678.dspb.akamaiedge.net                                      15 min

  • In reply to CyrusLeander:

    Thanks for your info, so do I need to check or ignore the alerts?

  • In reply to Kenny Lau:

    You should always check things out just in case, and even more so with the current amount of malicious activity going on globally.

    Looking at VirusTotal (not a perfect source, I know), the only engine to classify that FQDN as bad is currently Sophos:

    https://www.virustotal.com/gui/domain/e13678.dspb.akamaiedge.net/detection

    Although literally as I am typing this that has just changed!! Sophos has changed to UnRated!

    Looking at the "relations" page: https://www.virustotal.com/gui/domain/e13678.dspb.akamaiedge.net/relations

    There do seem to be a number of malicious files that contact that FQDN, but those files seem to be detected by most AV engines, so there is a reasonable chance this is a false positive.

  • In reply to CyrusLeander:

    Thanks a lot for your help, maybe this is a false positive for bad Friday~~~

  • In reply to Kenny Lau:

    For info, the last alert I had for this was at 0925 UTC+1, so it looks like Sophos have updated their detection.

  • In reply to CyrusLeander:

    But I saw in the firewall ATP log that there are still DNS server address to ext. IP records, and I can't find any malware on either AD/DNS server....

  • In reply to Kenny Lau:

    Ok, so those IPs reverse-resolve to:

    IP               FQDN
    184.26.161.192   a184-26-161-192.deploy.static.akamaitechnologies.com
    192.55.83.30     m.gtld-servers.net
    192.43.172.30    i.gtld-servers.net
    192.42.93.30     g.gtld-servers.net
    2.16.40.192      a2-16-40-192.deploy.static.akamaitechnologies.com
    193.108.88.0     a193-108-88-0.deploy.static.akamaitechnologies.com
    195.101.36.192   a95-101-36-192.deploy.static.akamaitechnologies.com
    192.41.162.30    l.gtld-servers.net
    192.55.83.30     m.gtld-servers.net

    Some of those are root DNS servers! So I imagine they are also False positives.

    For completeness, you need to find the client(s) that are making those DNS requests.

    If you are using Windows DNS you will need to enable debug logging on both of your DNS servers to log all DNS requests and responses to a txt file. Only have that enabled for as long as you need it, as it can be a little resource intensive.

    Once you have the logs you will need to go through them to see which client is making the request.
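
The "go through the logs to see which client is making the request" step above, as an added example that is not from this thread, from Sophos or from Microsoft: a small Python parser for Windows DNS Server debug log lines ("Log packets for debugging" enabled). It assumes the classic single-line layout of that log (date, time, thread id, PACKET, packet id, protocol, Snd/Rcv, remote IP, XID, optional R for responses, opcode, flags in brackets, query type, query name in (len)label notation); the sample lines, IPs and names below are constructed to resemble the ones discussed in the thread and are not real log data. The useful distinction it makes: `Rcv` rows that are not responses are the client queries you are looking for, while `Snd` rows that are not responses are the DC's own recursion towards external name servers, which is what the firewall sees as "DNS server to external IP" and why the DC rather than the client shows up in the ATP table.

```python
import re
from collections import Counter

# Assumed classic Windows DNS debug log line layout, e.g.
# 3/20/2020 9:25:14 AM 0E24 PACKET  000000A1B2C3D4E0 UDP Rcv 192.168.2.50 0003   Q [0001 D NOERROR] A (3)www(9)microsoft(3)com(0)
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+(?:\s+[AP]M)?)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<packet>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+"
    r"(?P<remote>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+(?P<response>R)?\s*(?P<opcode>[A-Z])\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

# Constructed sample log (not real data): one client asks the DC for the Akamai name,
# the DC recurses to an external Akamai name server, gets an answer, relays it back;
# two other clients ask for unrelated names. The first line is the usual file header.
SAMPLE_LOG = """DNS Server log file creation at 3/20/2020 9:25:00 AM
3/20/2020 9:25:14 AM 0E24 PACKET  000000A1B2C3D4E0 UDP Rcv 192.168.2.50    0003   Q [0001   D   NOERROR] A      (6)e13678(4)dspb(10)akamaiedge(3)net(0)
3/20/2020 9:25:14 AM 0E24 PACKET  000000A1B2C3D4F0 UDP Snd 184.26.161.192  9a2c   Q [0000       NOERROR] A      (6)e13678(4)dspb(10)akamaiedge(3)net(0)
3/20/2020 9:25:14 AM 0E24 PACKET  000000A1B2C3D4F0 UDP Rcv 184.26.161.192  9a2c R Q [8081   DR  NOERROR] A      (6)e13678(4)dspb(10)akamaiedge(3)net(0)
3/20/2020 9:25:14 AM 0E24 PACKET  000000A1B2C3D4E0 UDP Snd 192.168.2.50    0003 R Q [8081   DR  NOERROR] A      (6)e13678(4)dspb(10)akamaiedge(3)net(0)
3/20/2020 9:25:20 AM 0E24 PACKET  000000A1B2C3D510 UDP Rcv 192.168.2.77    0004   Q [0001   D   NOERROR] A      (3)www(9)microsoft(3)com(0)
3/20/2020 9:25:31 AM 0E24 PACKET  000000A1B2C3D520 UDP Rcv 192.168.2.50    0005   Q [0001   D   NOERROR] A      (6)e13678(4)dspb(10)akamaiedge(3)net(0)
3/20/2020 9:25:40 AM 0E24 PACKET  000000A1B2C3D530 UDP Rcv 192.168.2.12    0006   Q [0001   D   NOERROR] AAAA   (2)mi(8)kenal-cn(3)com(0)
"""


def decode_name(raw):
    """Turn '(6)e13678(4)dspb(10)akamaiedge(3)net(0)' into 'e13678.dspb.akamaiedge.net'."""
    labels = [label for _, label in re.findall(r"\((\d+)\)([^()]*)", raw) if label]
    return ".".join(labels).lower() if labels else "."


def parse_line(line):
    """Parse one log line into a dict, or None for headers, blanks and unknown lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["is_response"] = rec.pop("response") == "R"
    rec["qname"] = decode_name(rec["qname"])
    return rec


def parse_log(lines):
    return [r for r in (parse_line(line) for line in lines) if r]


def _under(qname, suffix):
    suffix = suffix.lower().rstrip(".")
    return qname == suffix or qname.endswith("." + suffix)


def clients_querying(records, suffix):
    """Inbound queries (Rcv, not a response) for names under suffix, counted per client IP.
    These are the endpoints that actually asked the DC for the flagged name."""
    counts = Counter()
    for r in records:
        if r["direction"] == "Rcv" and not r["is_response"] and r["opcode"] == "Q" \
                and _under(r["qname"], suffix):
            counts[r["remote"]] += 1
    return counts


def upstreams_contacted(records, suffix):
    """Outbound queries (Snd, not a response) the DC itself sent while resolving names
    under suffix: the DC-to-external-IP connections a perimeter device attributes to the DC."""
    counts = Counter()
    for r in records:
        if r["direction"] == "Snd" and not r["is_response"] and r["opcode"] == "Q" \
                and _under(r["qname"], suffix):
            counts[r["remote"]] += 1
    return counts


def load_log(path):
    """Read an exported dns.log; encoding assumed ANSI/UTF-8 compatible, bad bytes replaced."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_log(fh)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG.splitlines())
    for suffix in ("akamaiedge.net", "kenal-cn.com"):
        print(suffix)
        print("  clients that queried it:", dict(clients_querying(records, suffix)))
        print("  external servers the DC contacted:", dict(upstreams_contacted(records, suffix)))
```

Point `load_log` at the dns.log exported from each DC and run `clients_querying` with the destination name from the ATP table (here `akamaiedge.net` or `kenal-cn.com`); the result is the per-client count of who asked, which is the information the firewall table cannot give you because it only sees the DC's recursion.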

  • Hi

    Could you please provide the firmware version and pattern version number from your UTM?

    You can find the firmware version in the GUI under Management > Up2Date > Firmware/Pattern.

    Thanks,