
Sophos UTM9 Advanced Threat Protection has threat name "C2/Generic-A" events for AD/DNS Server

Hi all:

I checked our company's Sophos UTM9 firewall, Advanced Threat Protection section, and it has threat name "C2/Generic-A" events for the AD/DNS servers as follows:

I used Sophos Endpoint, Malwarebytes & SuperAntiSpyware to run full scans, but can't find any virus. Please help me fix this problem, thanks a lot!

PS: 192.168.2.194 is primary AD & DNS Server, 192.168.2.12 is secondary AD & DNS Server.

Advanced Threat Protection

Total Events: 32

     User/Host      Threat Name    Destination      Events  Origin
 1   192.168.2.194  C2/Generic-A   104.31.83.243    5       AFCd
 2   192.168.2.194  C2/Generic-A   104.31.83.243    5       AFCd
 3   192.168.2.12   C2/Generic-A   mi.kenal-cn.com  1       AFCd
 4   192.168.2.12   C2/Generic-A   mi.kenal-cn.com  1       AFCd
 5   192.168.2.194  C2/Generic-A   mi.kenal-cn.com  2       AFCd
 6   192.168.2.194  C2/Generic-A   mi.kenal-cn.com  2       AFCd
 7   192.168.2.12   C2/Generic-A   mi.kenal-cn.com  1       AFCd
 8   192.168.2.194  C2/Generic-A   mi.kenal-cn.com  1       AFCd
 9   192.168.2.12   C2/Generic-A   mi.kenal-cn.com  1       AFCd
10   192.168.2.194  C2/Generic-A   mi.kenal-cn.com  2       AFCd



  • Ok, so those IPs reverse resolve to:

    IP              FQDN
    184.26.161.192  a184-26-161-192.deploy.static.akamaitechnologies.com
    192.55.83.30    m.gtld-servers.net
    192.43.172.30   i.gtld-servers.net
    192.42.93.30    g.gtld-servers.net
    2.16.40.192     a2-16-40-192.deploy.static.akamaitechnologies.com
    193.108.88.0    a193-108-88-0.deploy.static.akamaitechnologies.com
    195.101.36.192  a95-101-36-192.deploy.static.akamaitechnologies.com
    192.41.162.30   l.gtld-servers.net
    192.55.83.30    m.gtld-servers.net

    Some of those are root DNS servers! So I imagine they are also False positives.

    For completeness, you need to find the client(s) that are making those DNS requests.

    If you are using Windows DNS you will need to enable debug logging on both of your DNS servers to log all DNS requests and responses to a txt file. Only have that enabled for as long as you need it, as it can be a little resource intensive.

    Once you have the logs you will need to go through them to see which client is making the request.
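For the last step, going through the debug log to find which client asked for the flagged name, here is an added Python example. It is not part of this thread and not a Sophos or Microsoft tool; it parses the packet-line layout the Windows DNS Server debug log uses (date, time, thread id, PACKET, packet id, protocol, Snd/Rcv, remote IP, transaction id, optional R for responses, opcode, flags, query type, name in wire-label form). The log lines and the client addresses 192.168.2.57, 192.168.2.101 and 192.168.2.88 are constructed for illustration; the domain mi.kenal-cn.com and the upstream address 192.55.83.30 are the ones from this thread. The script also separates the server's own outbound (Snd) lookups from inbound (Rcv) client queries, which is why the DNS servers themselves, rather than the real client, show up as User/Host in the UTM events and why gTLD servers appear as destinations.

```python
import re
from collections import Counter

# Windows DNS Server debug-log packet line, in the layout the service writes (assumed from the
# documented format):
#   date time thread-id PACKET packet-id UDP|TCP Snd|Rcv remote-ip xid [R] opcode [flags rcode] qtype name
# The name is in wire-label form, e.g. (2)mi(8)kenal-cn(3)com(0).
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<pkt>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<resp>R)?\s*(?P<opcode>[QNUI])\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

# Constructed sample log: two internal clients asking the DNS server for the flagged name,
# the server recursing to an upstream gTLD server (192.55.83.30 from the thread), and one
# unrelated query. Client addresses are made up for the example.
SAMPLE_LOG = """\
1/23/2019 10:05:13 AM 0A2C PACKET  000000A4F6E7B2F0 UDP Rcv 192.168.2.57    0002   Q [0001   D   NOERROR] A      (2)mi(8)kenal-cn(3)com(0)
1/23/2019 10:05:13 AM 0A2C PACKET  000000A4F6E7B2F0 UDP Snd 192.55.83.30    8f3a   Q [0000       NOERROR] A      (2)mi(8)kenal-cn(3)com(0)
1/23/2019 10:05:13 AM 0A2C PACKET  000000A4F6E7B2F0 UDP Rcv 192.55.83.30    8f3a R Q [8080   DR  NOERROR] A      (2)mi(8)kenal-cn(3)com(0)
1/23/2019 10:05:13 AM 0A2C PACKET  000000A4F6E7B2F0 UDP Snd 192.168.2.57    0002 R Q [8081   DR  NOERROR] A      (2)mi(8)kenal-cn(3)com(0)
1/23/2019 10:05:20 AM 0A2C PACKET  000000A4F6E7C1A0 UDP Rcv 192.168.2.101   0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
1/23/2019 10:06:02 AM 0A2C PACKET  000000A4F6E7D3B0 UDP Rcv 192.168.2.57    0004   Q [0001   D   NOERROR] A      (2)mi(8)kenal-cn(3)com(0)
1/23/2019 10:07:45 AM 0A2C PACKET  000000A4F6E7E4C0 UDP Rcv 192.168.2.88    0005   Q [0001   D   NOERROR] AAAA   (2)mi(8)kenal-cn(3)com(0)
"""


def decode_name(wire: str) -> str:
    """Turn (2)mi(8)kenal-cn(3)com(0) into mi.kenal-cn.com (lower-cased, no trailing dot)."""
    labels = [label for length, label in LABEL_RE.findall(wire) if int(length) > 0]
    return ".".join(labels).lower()


def parse_log(text: str) -> list:
    """Parse packet lines into dicts; non-packet lines (headers, blank lines) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["qname"] = decode_name(rec["qname"])
        rec["is_response"] = rec["resp"] == "R"
        records.append(rec)
    return records


def _matches(qname: str, domain: str) -> bool:
    domain = domain.lower().rstrip(".")
    return qname == domain or qname.endswith("." + domain)


def clients_querying(records: list, domain: str) -> Counter:
    """Inbound queries (Rcv, not a response) for the domain, counted per client IP.
    These are the hosts to look at; the DNS server only appears in the UTM event
    because it performed the recursion on their behalf."""
    hits = Counter()
    for r in records:
        if r["dir"] == "Rcv" and not r["is_response"] and _matches(r["qname"], domain):
            hits[r["ip"]] += 1
    return hits


def upstream_targets(records: list, domain: str) -> set:
    """Addresses the DNS server itself sent queries to while resolving the domain
    (forwarders, TLD servers, authoritative servers); these are the server's own traffic."""
    return {
        r["ip"]
        for r in records
        if r["dir"] == "Snd" and not r["is_response"] and _matches(r["qname"], domain)
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    flagged = "mi.kenal-cn.com"
    print(f"Clients that asked for {flagged}:")
    for ip, n in clients_querying(recs, flagged).most_common():
        print(f"  {ip:<16} {n} queries")
    print("Upstream servers contacted by the DNS server for that name:",
          ", ".join(sorted(upstream_targets(recs, flagged))))
```

On a real log, replace SAMPLE_LOG with the contents of the debug log file (it can grow quickly, so run it over a file read in once). The Rcv/non-response filter is what isolates the originating workstations; every Snd line to an external address is the server doing its normal recursion, which is the same traffic the firewall sees leaving the server.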