
lookingprovide.com DNS query

Hello,

I am using a Sophos XGS 3100 UTM device. For about 5-6 months, a DNS query has been made to lookingprovide.com every day, every hour of the day. Sophos ATP blocks this query (C2/Generic-A). When I examine the log records, I see that the source IP address making the query is the DNS servers of the ISP (my DC and ADC servers are forwarding to the ISP).

I changed my DNS forwarding and used different DNS servers. I tried a few of the ones offered as secure DNS on the Internet, but the problem still persists.

It's pretty weird so far. When I examine the DNS log records of my AD and ADC servers, I see that this query comes from the Sophos UTM. So this query is not from a user endpoint; it comes to my DNS server via the Sophos UTM.

Even when all my endpoints are powered off, this query still comes and is blocked by ATP. As I said, this problem has been going on for about 5-6 months, and I am getting this warning from ATP every hour of every day.

It is only detected as malicious by Sophos in URL scanning with VirusTotal.

I searched the Sophos Community and other forums but found no results.

Thank you in advance for your help.
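An added example, not from the thread, of the log check the post describes: parsing Windows DNS Server debug-log packet lines to find which source address issues the recurring query for a domain and in how many distinct hours it recurs. The log format is assumed to be the Windows DNS "Log packets for debugging" format; the sample lines and IP addresses below are constructed placeholders.

```python
"""Trace which host issues a recurring DNS query, from Windows DNS debug-log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Windows DNS debug-log packet format (placeholder IPs).
# Query names appear in DNS label notation, e.g. (14)lookingprovide(3)com(0).
SAMPLE_LOG = """\
3/15/2024 9:00:03 AM 0B2C PACKET 000001 UDP Rcv 10.0.0.1   0002   Q [0001   D   NOERROR] A  (14)lookingprovide(3)com(0)
3/15/2024 9:00:03 AM 0B2C PACKET 000002 UDP Snd 10.0.0.1   0002 R Q [8081  DR   NOERROR] A  (14)lookingprovide(3)com(0)
3/15/2024 9:12:40 AM 0B2C PACKET 000003 UDP Rcv 10.0.0.57  0003   Q [0001   D   NOERROR] A  (3)www(6)example(3)com(0)
3/15/2024 10:00:04 AM 0B2C PACKET 000004 UDP Rcv 10.0.0.1   0004   Q [0001   D   NOERROR] A  (14)lookingprovide(3)com(0)
3/15/2024 11:00:02 AM 0B2C PACKET 000005 UDP Rcv 10.0.0.1   0005   Q [0001   D   NOERROR] A  (14)lookingprovide(3)com(0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+\s+\d+:\d+:\d+\s+[AP]M)\s+\S+\s+PACKET\s+\S+\s+(?:UDP|TCP)\s+"
    r"(?P<dir>Rcv|Snd)\s+(?P<ip>\S+)\s+\S+\s+(?P<qr>R?)\s*Q\s+\[[^\]]*\]\s+"
    r"(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)

def label_to_name(label: str) -> str:
    """Convert (14)lookingprovide(3)com(0) into lookingprovide.com."""
    parts = re.findall(r"\(\d+\)([^(]*)", label)
    return ".".join(p for p in parts if p)

def query_sources(log_text: str, domain: str):
    """Return {source_ip: [timestamps]} for queries *received* that name `domain`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dir"] != "Rcv" or m["qr"] == "R":
            continue  # skip unparsable lines, sent packets and responses
        if label_to_name(m["name"]).lower() == domain.lower().rstrip("."):
            ts = " ".join(m["ts"].split())
            hits[m["ip"]].append(datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p"))
    return dict(hits)

def hourly_cadence(timestamps) -> int:
    """Distinct hours in which the query appeared; a steady once-per-hour pattern
    with no user endpoints online points at an automated source, not a browser."""
    return len({t.replace(minute=0, second=0) for t in timestamps})

if __name__ == "__main__":
    for ip, times in query_sources(SAMPLE_LOG, "lookingprovide.com").items():
        print(f"{ip}: {len(times)} queries across {hourly_cadence(times)} distinct hours")
```

Run it against a real debug log by reading the file into `query_sources` in place of `SAMPLE_LOG`; the source address it reports is the next hop to check (here, the post's DNS servers pointed back at the UTM).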



  • Hello,

    Thank you for reaching out to the community. These detection alerts can be seen on Sophos Firewall or UTM when the Advanced Threat Protection module detects an outbound communication with a known C2 server. In some situations, Sophos Web Protection may also flag a C2/Generic-A alert on the endpoint if it detects a browser initiating traffic towards a high-risk URL. The communication will be blocked on the firewall, and the offending IP address/es need to be isolated and investigated along the lines of an active malware infection. A C2/Generic-A alert covers a broad range of communication and is not limited to a single protocol or process, unlike C2/Generic-B, which only monitors HTTP traffic from non-browser processes. Follow the steps in Sophos Central Endpoint: Investigate C2/Generic-C detection for a Sophos-protected endpoint that triggers a C2/Generic-A alert.

    Thanks & Regards,

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
