Hello,
since enabling MTD in 10.6.3 a few endpoints (just a handful out of several thousand) show C2/Generic-B alerts. So far so good. One or two were false positives - apparently a browser is directed to a rogue site but for whatever reason the request isn't blocked as C2/Generic-A by Web Protection.
The other cases are rather intractable. The C2/Generic-B analysis suggests:
- Identify the malicious process (this will be the process against which C2/Generic-B is reported).
- If the process is unknown then terminate the process.
- Follow the instructions here to submit a copy of the malicious process to Sophos.
Identify: In one case there are alerts for three processes, one part of a questionable tool, another regsvr32.exe (the disk image is in the proper location and genuine), the third svchost.exe (again the file is clean). For the latter the question is: which of the several svchost.exes is it? Neither SAV.txt nor SntpService.log contains the PID.
Terminate: regsvr32.exe apparently doesn't run continuously; as for svchost.exe, see above - and anyway the disk files are genuine and clean.
Submit: I did send samples (two cases) of the other malicious processes (together with other files from their directory), only to get a reply from a technician the next day telling me that Labs asked why I sent the samples and whether they are false positives or false negatives. Apart from the fact that all the information I have is the obscure Threat-ID/Reference and the URLs (from the sntpservice.log - not mentioned in the analysis, and apparently it logs all accesses, so you have to find the offending ones), for which I can't tell whether they belong to C&C servers - what would be a false negative in this context?
I've dutifully replied with an explanation and some additional information (for one case the SAV.txt log). No response, and SophServ shows that both cases were closed yesterday.
Has anyone already had any real success with MTD? So far I couldn't make out any added value ...
Christian