
Virus C2/Virut-A

Now we have one virus warning on the system (C2/Virut-A). We downloaded the tool (https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Virut-A.aspx), set it up and ran Clear, but it's not clear.

Can you help clear this?



  • If the threat is attributed to your DNS server, the problem MAY be a client that is attempting a risky DNS lookup, which UTM blocks. If so, turn on DNS logging to find the real culprit.

    If you have the client device identified, it is always safest to rebuild, but if you are committed to cleaning it:

    Since active malware may attack your cleaning tool, best practice is:

    - Remove the infected machine from the network, so that it cannot attack your other machines and cannot phone home for instructions.

    - Download the cleaning tool on a non-infected machine and burn it to CD.

    - Boot into Safe Mode and install or run from the CD.

    - Run the cleaning tool with full scan options.

    - Reconnect to the network and reboot into Safe Mode with Networking. Update the cleaning tool's configuration and run it again.

    Do not use flash drives, as the malware could infect them and spread itself that way.

    Some infections modify device drivers so that you cannot remove them.

    Some people think Malwarebytes is best at virus removal. You could try theirs.

  • We are getting the same false positives when DNS tries to resolve a newer (recently registered) domain.

    messageid="18010" log_type="ATP" log_component="IPS" log_subtype="Drop" user="" protocol="UDP" src_port="31199" dst_port="53" src_ip="10.0.0.246" dst_ip="8.8.8.8" url="nrsmed.com" threat="C2/Virut-A" event_id="3A1119C1-E1A2-4D7E-84E0-0231FA4950F2" type="Standard" host_login_user="" host_process_user="" endpoint_id="" execution_path=""
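The ATP log line above is a flat sequence of key="value" fields, which makes it easy to aggregate drops per source and spot the case from the earlier reply where the blocked source is itself a DNS server (so the real client is hidden behind the resolver and DNS query logging is needed). The following parser is an added example, not a Sophos tool; the internal resolver address 10.0.0.10 and the extra log lines are constructed for illustration.

```python
import re
from collections import Counter

# Sophos ATP log lines are space-separated key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: the first line is the one posted in the thread, the
# other three are made up (an internal resolver 10.0.0.10 doing the lookup
# twice, and an Allow event that must be ignored).
SAMPLE_LINES = [
    'messageid="18010" log_type="ATP" log_component="IPS" log_subtype="Drop" '
    'user="" protocol="UDP" src_port="31199" dst_port="53" src_ip="10.0.0.246" '
    'dst_ip="8.8.8.8" url="nrsmed.com" threat="C2/Virut-A" '
    'event_id="3A1119C1-E1A2-4D7E-84E0-0231FA4950F2" type="Standard"',
    'messageid="18010" log_type="ATP" log_component="IPS" log_subtype="Drop" '
    'protocol="UDP" src_port="40001" dst_port="53" src_ip="10.0.0.10" '
    'dst_ip="8.8.8.8" url="nrsmed.com" threat="C2/Virut-A" '
    'event_id="CONSTRUCTED-0001" type="Standard"',
    'messageid="18010" log_type="ATP" log_component="IPS" log_subtype="Drop" '
    'protocol="UDP" src_port="40002" dst_port="53" src_ip="10.0.0.10" '
    'dst_ip="8.8.8.8" url="nrsmed.com" threat="C2/Virut-A" '
    'event_id="CONSTRUCTED-0002" type="Standard"',
    'messageid="18009" log_type="ATP" log_component="IPS" log_subtype="Allow" '
    'protocol="TCP" src_port="50123" dst_port="443" src_ip="10.0.0.55" '
    'dst_ip="93.184.216.34" url="example.com" threat="" '
    'event_id="CONSTRUCTED-0003" type="Standard"',
]

def parse_atp_line(line):
    """Return the key="value" fields of one ATP log line as a dict."""
    return dict(KV_RE.findall(line))

def summarize_drops(lines, dns_servers):
    """Count ATP drops per (src_ip, url, threat).

    Also return the set of dropping sources that are known resolvers
    (dns_servers) sending on port 53: for those, the firewall only sees
    the resolver, and the originating client must be found in DNS logs."""
    counts = Counter()
    hidden_behind_resolver = set()
    for line in lines:
        rec = parse_atp_line(line)
        if rec.get("log_type") != "ATP" or rec.get("log_subtype") != "Drop":
            continue  # only ATP drops are of interest here
        key = (rec.get("src_ip", ""), rec.get("url", ""), rec.get("threat", ""))
        counts[key] += 1
        if rec.get("src_ip") in dns_servers and rec.get("dst_port") == "53":
            hidden_behind_resolver.add(rec["src_ip"])
    return counts, hidden_behind_resolver

if __name__ == "__main__":
    counts, hidden = summarize_drops(SAMPLE_LINES, {"10.0.0.10"})
    for (src, url, threat), n in counts.most_common():
        print(f"{n:3d}  {src:15s} {url:20s} {threat}")
    print("sources that are resolvers (enable DNS query logging):", sorted(hidden))
```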

  • Hi Dirk and welcome to the UTM Community!

    I'm not seeing that warning.  Was that just temporary yesterday?  That domain was registered in 2016.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The problem was NOT temporary. It has been happening for several weeks now, since we introduced the new Sophos firewall into our production environment.

    I had to exclude my two DNS servers from ATP in order to resolve this name through the firewall.

  • I can't reproduce the issue with DNS lookups, Dirk, but I do get the following warning in all browsers:

    How does your configuration compare to DNS best practice?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA