
Advanced Threat - Is this a false positive?

Got several alerts from different areas this morning with ATP being tripped.

What happened: Sophos Firewall detected malicious connections: 'C2/Generic-C' at 'C:\program files (x86)\Google\Chrome\application\chrome.exe' (Technical Support reference: 0)

Looking at firewall logs the IP that is being flagged is: 199.59.242.153

Anyone else, is this a false positive?



  • My 2 cents -- we're seeing this at a number of sites. It appears a marketing site called mapitquick.net (the links are embedded on some popular site out there) uses this IP for tracking purposes, etc. Frankly, we are just blocking the domain to prevent the annoying messages from popping up; in this case it's probably a false positive, but do your own investigation.

    Meant to add -- this IP is probably a load balancer IP, etc. and maybe shares its use with another site that maybe was malicious, who knows.  Won't be the first time I've seen ATP freak out in this manner.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Why are we blocking it?  Well, can't find much info on that domain, so we err on the side of caution and drop it.  You can figure out the reference if you have DNS logging enabled on your DC etc. -- that's how we figured out what domain triggered it.  Still haven't figured out what site contains the links, but we've had customers across several verticals all pop up with this randomly, in the past week.

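One way to do the correlation described in the post above, as an added example that is not code from the thread or from Sophos: it parses the alert string quoted in the opening post and a small DNS resolution log in a constructed, simplified format (an assumed layout, not any vendor's native log format) and lists every hostname that resolved to the flagged IP, so a shared or load-balanced address can be judged per domain rather than per IP. The flagged IP and mapitquick.net come from the thread; the other hostnames, client addresses and timestamps are constructed.

```python
import re
from collections import defaultdict

# Alert text as quoted in the opening post; raw string because of the backslashes.
ALERT = (r"Sophos Firewall detected malicious connections: 'C2/Generic-C' at "
         r"'C:\program files (x86)\Google\Chrome\application\chrome.exe' "
         r"(Technical Support reference: 0)")
ALERT_RE = re.compile(r"detected malicious connections: '([^']+)' at '([^']+)'")

# Constructed DNS resolution log in an assumed simplified format:
# "<date> <time> <client-ip> <qname> A <answer-ip>" (not a vendor's native format).
DNS_LOG = """\
2024-05-01 08:12:01 10.0.1.25 www.example.org A 93.184.216.34
2024-05-01 08:12:05 10.0.1.25 mapitquick.net A 199.59.242.153
2024-05-01 08:12:06 10.0.1.40 cdn.example.net A 199.59.242.153
2024-05-01 08:13:10 10.0.1.25 mapitquick.net A 199.59.242.153
"""
DNS_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) A (\S+)$")

def parse_alert(text):
    """Pull the detection name and the local process out of the alert string."""
    m = ALERT_RE.search(text)
    if not m:
        raise ValueError("unrecognised alert format")
    return {"detection": m.group(1), "process": m.group(2)}

def parse_dns_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if m:
            ts, client, qname, answer = m.groups()
            out.append({"ts": ts, "client": client, "qname": qname, "answer": answer})
    return out

def domains_for_ip(records, ip):
    """Map every hostname that resolved to `ip` to the sorted list of clients that asked."""
    hits = defaultdict(set)
    for r in records:
        if r["answer"] == ip:
            hits[r["qname"]].add(r["client"])
    return {q: sorted(c) for q, c in hits.items()}

def triage(alert_text, flagged_ip, dns_text):
    """Which names sit behind the flagged IP, and whether the IP is shared by several."""
    hits = domains_for_ip(parse_dns_log(dns_text), flagged_ip)
    return {**parse_alert(alert_text), "ip": flagged_ip, "domains": hits,
            "shared_ip": len(hits) > 1}  # shared IP: judge each domain, not the address
```

When more than one name maps to the flagged address, the verdict has to be made per domain; blocking the IP itself would also cut off the unrelated sites behind the same load balancer.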


  • Also, FWIW, the Sophos MTR team (we have several customers on it) have not gotten excited about it either :)
