
C2/Generic-A Originating from AFCd?

Hi everyone, looks like I have a similar situation to a few people.

NO Windows machines on the network, just OSX and Linux (QNAP). Woke up to over 1400 emails regarding ATP C2/Generic-A. But the originating seems to be from AFCd? Any idea what this is?

Googling has given me no ideas. Any ideas anyone?



This thread was automatically locked due to age.
  • Hello Dominic,

    We are receiving this alert related to C2/Generic-A from the random domain "app.anmorencai.com" also in Tunisia.

    We are facing some issues, as explained by friends here previously.

    Attached is a print screen showing events since: April 30, 2016 15:54.

    You said that the topic is related to an update and that you are working to resolve it. Please note that our firmware and UTM versions are as shown below:

    Firmware version: 9.355-1
    Pattern version: 100306

    The question is: what is the best thing to do to no longer receive these alerts?


    1- Wait for your update, which we believe is not ready if we are still receiving the alerts; otherwise, would you explain how to implement it? You said a botnet error needs an update: where is this update, please, and how do we make it work? Since we have the latest update, why is it not working yet? Is it still under preparation by the Sophos team, or did we miss something?


    2- We can inform our national CERT team in Tunisia to block this domain, and we can give them an official request to do so with the attached explanatory links, print screen, and the DNS WHOIS of the IP addresses:

    https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx

    https://who.is/whois-ip/ip-address/180.97.161.226/

    https://who.is/whois-ip/ip-address/218.60.112.226/

    But do you recommend 2?

    3- Solution 3 is to configure the UTM manually so that it no longer raises this alert (someone said by blocking the host or the IP range). For us, a global working solution is better; we can investigate this way too, but we would prefer not to.


    Since there has been no answer on the topic for a while, we are asking where the progress is and how we should react to it, so your ASAP input is very highly needed and appreciated.


    Friendly regards to all the folks.


