I keep getting C2/Zbot-A false-positives

Please provide more details about the messages you get.

UTM recognize bot-traffic if device trying to communicating with a known Zbot-A host/server. Or via IPS pattern.

If your system (or your internal DNS-Server) try to resolve DNS-Names associated with a Bot-server you may see the IP from DNS-Server ... not from infected host.

You should ask yourself, why does an internal device communicate with ISP resources or the UTM?

Here's a sample email notification I'm getting:

Advanced Threat Protection

A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Zbot-A (SID: 26267)

Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Zbot-A.aspx

Time...........: 2019-03-14 15:31:15

Traffic blocked: yes

Source IP address or host: <host name of an internal laptop>  

--

System Uptime      : 1 day 18 hours 26 minutes

System Load        : 0.62

System Version     : Sophos UTM 9.601-5

Please refer to the manual for detailed instructions.

The send limit for this notification has been reached. No further notifications of this type will be sent during this period.

And here's a log entry from Sophos itself:

2019:03:13-14:13:29 firewall afcd[6868]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="185.244.30.173" dstip="10.150.1.10" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="uvgczsuidrtg.com" url="-" action="drop"
2019:03:13-16:20:28 firewall afcd[6868]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="185.244.30.173" dstip="10.150.1.10" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="uvgczsuidrtg.com" url="-" action="drop"
2019:03:13-18:08:03 firewall afcd[6868]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="185.244.30.173" dstip="10.150.1.10" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="uvgczsuidrtg.com" url="-" action="drop"

The source IPs are external, the internal IPs are all behind the firewall and can't be accessed at all.

Finally, here's the Advanced Threat Protection log from the Network Protection section:

These are the most weird. The first entry has both the source and destination IP listing external stuff (and isn't related to the Zbot notifications). Entries 2 and 3 are from our internal network machines to our ISPs router. The final ones are from our internal machines to Sophos itself (using an internal-only DNS name).

Again, I've ran checks on these machines to see if they are infected, and have not found anything, including installing the Sophos AV itself and I'm very confused (and somewhat worried)...

EDIT:

I just realized that the log files in Sophos (the actual TEXT log files) don't contain ANYTHING for the Zbot entries! The 3 records are for the "C2/Generic-A" detection and I checked a number of months back! Shouldn't these records be in the "Advanced Threat Detection" logs?

look to the IPS log.

because you see "IPS" as event-source you should find more details here.

The external to internal communtcation may be an answer-packet containing striking content.

interesting are the protocolls used for communication (DNS/HTTP/...)

Here's all I found (related to the entries above) in the IPS logs:

2019:03:14-12:44:53 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.150.4.56" dstip="10.150.1.34" proto="17" srcport="58631" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2019:03:14-12:44:53 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.150.1.40" dstip="185.68.25.49" proto="17" srcport="53602" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2019:03:14-12:44:54 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.150.2.10" dstip="185.68.25.49" proto="17" srcport="64307" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
2019:03:14-15:31:15 firewall snort[5508]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="10.150.4.4" dstip="10.150.1.34" proto="17" srcport="55503" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"

here you see 4 different hosts asking for the name of Zeus CNC Server.
10.150.4.56
10.150.1.40
10.150.2.10
10.150.4.4

If one of these systems is an internal DNS Server, you should enable logging at this server and look for the orign of the DNS request.

At the other you should try to clean/replace the system.

A well-made virus / Trojan will not be visible to the scanner while the system is running.
You can try to boot an offline scanner from CD.
But ... we have seen a system where no virus can be found.
After installing a new hard drive, the same operating system and all applications, the messages disappeared.

Two of these are internal DNS servers used primarily to local use (serving only as a backup for external DNS queries). They're both running Windows Server and, in theory at least, shouldn't have anything on them, since they were fairly recently reinstalled anyway. I'll see about enabling logging...

EDIT: Hmm, I'm having a really hard time enabling logging on our Windows Servers for some reason. Anyway, that's for me to solve. I was wondering, since the UTM also acts as a DNS forwarder, any chance to get logs for that? I know I can use TCPDUMP but I don't want to leave a console window running forever - I need an actual log for when a hit finally happens to be able to check what's going on.

Cześć Mateusz,

Agreed with Dirk, these are not false positives.

Cheers - Bob

because your internal clients don't ask the Sophos Sg directly but the internal DNS servers, the SG only sees the internal DNS servers as source.

You should check the logfiles form your internal DNS-Server.

Hmm, this is highly disconcerting.

I'll probably reconfigure the DNS settings so that the UTM is the only DNS server for external addresses. That should make it easier to figure out where the culprits are.

I'm not sure what the next step should be, however. A nuke-from-orbit on the identified machines is, of course, a possibility. But I would prefer it if I could selectively remove the problem, rather than do a whole reinstall. I'm also a bit worried how this came to be. Well, someone clearly installed something they weren't supposed to on their machine, this much is obvious, but I'd like to know what exactly that person did - it's very unlikely someone installed anything malicious on purpose, so finding the offending application / action might be difficult... But the machines are all running latest Defender updates... (Yes, I know Defender isn't the best, but it's not the worst either.)

Mateusz , what happens if you boot the devices from a Kaspersky Rescue Disk?

Cheers - Bob