
Malicious traffic Detected C2:Generic-B at Windows;??svchost.exe

Hello, I have a problem finding how to properly whitelist this service. I have tried adding a few rules, and none of those seem to be working.

Sophos is blocking one of my customer's main software, and I have had to completely remove it so they could run their office, leaving them unprotected. How do I go about submitting a sample, because they have multiple locations, and I am receiving the same error daily at each office?



This thread was automatically locked due to age.
  • NTP does support exclusions, but you would have to exclude the "file" svchost.exe in the on-access scanning section.  I'm not sure you would want to do that long term but it's better than removing it.

    If you're Central then here is fine:

    https://central.sophos.com/manage/config/settings/scanning-exclusions

    File or Folder - svchost.exe.  You could include the path to make it more precise.  You should see it in the file: \programdata\sophos\Sophos network threat protection\config\policy.xml once set.

    That said, I would check the Sntpservice.log file under:
    \programdata\sophos\sophos threat protection\logs\

    If you locate the time detected in the logs and look for svchost.exe, it should give you the location it was connecting to.  That is the site that is triggering the alert.  If you feel this is wrong you can submit it via the form on this page:


    secure2.sophos.com/.../contact-support.aspx

    [Submit a sample]

    Regards,

    Jak
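As an added illustration (not from the thread, and not a Sophos tool), here is a small script that does the triage Jak describes: pull the svchost.exe connection entries from around the detection time and show which destination was flagged. The log layout, timestamps and hostnames below are constructed for the example, since the real Sntpservice.log format is not shown in this thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines. The real Sntpservice.log layout is not shown in
# the thread, so "timestamp level message pid= process= dst=" is an assumption.
SAMPLE_LOG = """\
2023-05-02 09:14:55 INFO  Connection allowed pid=1180 process=svchost.exe dst=update.example-vendor.invalid:443
2023-05-02 09:15:02 ALERT Malicious traffic detected C2:Generic-B pid=1180 process=svchost.exe dst=telemetry.example-vendor.invalid:8443
2023-05-02 09:15:03 INFO  Connection allowed pid=2210 process=chrome.exe dst=www.example.invalid:443
2023-05-02 09:20:11 INFO  Connection allowed pid=1180 process=svchost.exe dst=time.example.invalid:123
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +(?P<level>\w+) +(?P<msg>.*?) "
    r"pid=(?P<pid>\d+) process=(?P<proc>\S+) dst=(?P<dst>\S+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_lines(text):
    """Yield one dict per line that matches the assumed layout; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
            yield entry


def destinations_for(text, process, detected_at, window_s=60):
    """Return (flagged_destinations, all_destinations) for `process` within
    +/- window_s seconds of `detected_at` (a "YYYY-MM-DD HH:MM:SS" string).
    Destinations are listed in log order without duplicates."""
    centre = datetime.strptime(detected_at, TS_FMT)
    lo, hi = centre - timedelta(seconds=window_s), centre + timedelta(seconds=window_s)
    hits = [e for e in parse_lines(text)
            if e["proc"].lower() == process.lower() and lo <= e["ts"] <= hi]
    flagged = [e["dst"] for e in hits if e["level"] == "ALERT"]
    seen = []
    for e in hits:
        if e["dst"] not in seen:
            seen.append(e["dst"])
    return flagged, seen


if __name__ == "__main__":
    flagged, all_dst = destinations_for(SAMPLE_LOG, "svchost.exe", "2023-05-02 09:15:02")
    print("flagged destination(s):", flagged)          # the site that triggered the alert
    print("all svchost.exe destinations in window:", all_dst)
```

Point the script at the real log (and adjust LINE_RE to its actual layout) to see which host the alert names; that host, rather than svchost.exe itself, is what to assess before excluding anything.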
