
C2/Generic-A Originating from AFCd?

Hi everyone, looks like I have a similar situation to a few people.

NO Windows machines on the network, just OSX and Linux (QNAP). Woke up to over 1400 emails regarding ATP C2/Generic-A. But the originating seems to be from AFCd? Any idea what this is?

Googling has given me no ideas. Any ideas anyone?



  •  Hey Folks,

    We did some further investigation on that issue and it turned out that it was not related to an ATP pattern update. The cause of the issue is a botnet that started to send UDP DNS packets through malicious domains. Those DNS requests were detected by the ATP rather than being blocked by the packet filter. After the botnet stopped sending DNS requests, the ATP stopped reporting the alerts.

    We are working to improve the packet handling so that this kind of traffic will be detected before it reaches the ATP engine.

    Best regards,

    Dominic Schmidl

  • This makes more sense :)  

    Thanks Dominic!

  • Hello Dominic

    We are receiving this alert related to C2/Generic-A from the random domain "app.anmorencai.com" also in Tunisia.

    We are facing some issues as explained by friends here previously.

    Attached a print screen showing events since: April 30, 2016 15:54.

    You said that the topic is related to an update and you are working on resolving it; please note that our Firmware and UTM version are as shown below:

    Firmware version: 9.355-1
    Pattern version: 100306

    The question is what is the best thing to do to not receive these alerts anymore?


    1- Wait for your update, which we believe, if we are still receiving the alerts, is not ready; otherwise would you explain how to implement it. You said a botnet error that needs an update: where is this update please and how to make it work? Since we have the last update, why is it not working yet? Still under preparation by the Sophos Team, or did we miss something?


    2- We can inform our National CERT Team in Tunisia to block this domain and we can give them an official request to do so with the attached explanatory links and print screen and the DNS Whois of the IP addresses:

    https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

    https://who.is/whois-ip/ip-address/180.97.161.226/

    https://who.is/whois-ip/ip-address/218.60.112.226/

    But do you recommend 2?

    3- Solution 3 is to configure the UTM manually to not receive this alert anymore (someone said by blocking the host or the IP range). For us it is better to do a global working one; we can investigate this way too, but we don't prefer it.


    Since there has been no answer on the topic for a while, we are asking where the progress is and how we should react to it, so your ASAP input is very highly needed and appreciated.


    Friendly regards to all the Folks.



  • Dominic, 

    It looks to me like it's a DDoS technique that I remember starting back maybe around 2014. A request is made to an open recursive DNS server with a random subdomain, causing the DNS server to do a lookup because the FQDN would not be in cache. One would do this for different reasons. I'm guessing here that the source was spoofed to the external IP of the UTM.

    I'm not only seeing this in the UTM's ATP logs but in the logs of the external DNS servers at an ISP. It is annoying that this is still generating logs in ATP. I just wish there was a better description provided to the end users.

    Tony
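Dominic's reply describes a botnet pushing UDP DNS requests through malicious domains, and Tony's reply describes the mechanism: queries for random subdomains that force a recursive resolver to look up names that are never in cache. The following is an added example, not code from this thread, from Sophos or from the UTM; it scans constructed DNS query log lines (the field layout `src=... q=...` is an assumption) and flags a parent zone that receives many distinct, high-entropy leftmost labels, which is the signature of that random-subdomain pattern. The zone `app.anmorencai.com` is the one named in the thread; the source addresses are documentation addresses standing in for the UTM's external IP and a legitimate client.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log lines (not real UTM/ATP output; the field
# layout is an assumption). 203.0.113.5 stands in for the UTM's external IP,
# 198.51.100.7 for a client making ordinary lookups.
SAMPLE_LOG = """\
2016-04-30T15:54:01 src=203.0.113.5 q=kx7q2zp9.app.anmorencai.com type=A
2016-04-30T15:54:01 src=203.0.113.5 q=a81mqz0v.app.anmorencai.com type=A
2016-04-30T15:54:01 src=203.0.113.5 q=t5h3ybnw.app.anmorencai.com type=A
2016-04-30T15:54:02 src=203.0.113.5 q=r09fjd4e.app.anmorencai.com type=A
2016-04-30T15:54:02 src=203.0.113.5 q=m2kq8xsl.app.anmorencai.com type=A
2016-04-30T15:54:02 src=203.0.113.5 q=zz1vp3cu.app.anmorencai.com type=A
2016-04-30T15:54:02 src=198.51.100.7 q=www.example.org type=A
2016-04-30T15:54:03 src=198.51.100.7 q=mail.example.org type=A
2016-04-30T15:54:03 src=198.51.100.7 q=www.example.org type=AAAA
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+q=(?P<q>\S+)")


def parse_line(line):
    """Return {'src': ..., 'q': ...} for a log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def split_query(qname):
    """Split 'label.parent.zone' into (leftmost label, parent zone).

    Names with fewer than three labels carry no candidate random label and
    return None, so 'example.org' itself is never counted against 'org'."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None
    return labels[0], ".".join(labels[1:])


def shannon_entropy(s):
    """Bits of entropy per character: random 8-char labels score near 3.0, 'www' near 0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text, min_distinct=5, min_entropy=2.5):
    """Flag parent zones that receive many distinct, high-entropy leftmost labels.

    Grouping is by parent zone rather than by source address, because the
    source of this traffic may be spoofed (as Tony suspects in the thread);
    the sources seen are reported alongside for triage."""
    labels_by_zone = defaultdict(set)
    sources_by_zone = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        parts = split_query(rec["q"])
        if not parts:
            continue
        label, zone = parts
        labels_by_zone[zone].add(label)
        sources_by_zone[zone].add(rec["src"])

    findings = []
    for zone, labels in labels_by_zone.items():
        if len(labels) < min_distinct:
            continue
        avg_entropy = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
        if avg_entropy >= min_entropy:
            findings.append({
                "zone": zone,
                "distinct_labels": len(labels),
                "avg_entropy": round(avg_entropy, 2),
                "sources": sorted(sources_by_zone[zone]),
            })
    return sorted(findings, key=lambda f: f["zone"])


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['zone']}: {f['distinct_labels']} random-looking labels "
              f"(avg entropy {f['avg_entropy']}) from {', '.join(f['sources'])}")
```

The two thresholds are the knobs a practitioner tunes: `min_distinct` keeps a single odd-looking hostname from raising an alert, and `min_entropy` separates generated labels from names like `www` or `mail`. Because the grouping key is the parent zone, the check still works when the source address has been spoofed, and the list of sources tells you whether the queries appear to come from your own external IP, which is the situation the thread describes.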