
Repeated [CRIT-861] Advanced Threat Protection Alert

Since yesterday I have been receiving a ton of automated emails from my UTM, subject line "[CRIT-861] Advanced Threat Protection Alert". In the body of these emails it always says the threat name is C2/Generic-A.

And the Source IP is always the IP address of one of two internal, Active Directory integrated DNS Servers.

I read the KB article to get an understanding of what the C2/Generic-A threat could be.

I assume this is what is happening: Something on my network keeps pinging my internal DNS server to do a lookup to some malicious site. The Sophos UTM does its job by blocking the connection, and an email alert is triggered.

Just to be sure, and at the request of Sophos support, I downloaded the Sophos Virus Removal Tool and ran it on both domain controllers (DNS servers). Both returned no threats.

How can I determine WHICH computer on my network is constantly doing these DNS lookups to the malicious IPs? As far as the UTM is concerned, the culprits are the two DNS servers, but I think I've proven that they're not. I installed a free utility called DNSQuerySniffer (www.nirsoft.net) and left it running on both DNS servers.

Next, as a test, from my own workstation I opened my web browser and started browsing some sites. Then I looked at DNSQuerySniffer on both DNS servers and saw my lookups were there. It showed the website I requested, the IP address and my machine name. Seems like this should work.

So, back on the UTM, I opened the aptp log and found the malicious IP addresses. But I searched both DNS servers and there were no results. So what gives? What am I missing?

I also enabled the DNS-Server analytical log in the Windows Event Viewer on both DNS servers. I let it run for about an hour. Couldn't find the IPs in here either. So how is it the UTM says these DNS servers are trying to access malicious external IPs, yet I can't find any record of these IPs on either DNS log?
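The correlation the post is trying to do by hand (take the blocked destination IPs from the UTM's aptp log, find which internal client's DNS lookup produced them) can be scripted. The block below is an added example, not code from the original post, from Sophos, or from NirSoft. The DNS log line format, the client names, the query names and the IP addresses are all constructed for the example (documentation-range addresses), so the regex must be adapted to whatever the real DNS server log or DNSQuerySniffer export looks like. One point worth noting when adapting it: a DNS query log records the name asked for and the answer returned, so a search by destination IP only finds anything if the log captures answers; the example matches on the answer field and also keeps the queried name, so that a search by name is possible when the IP search comes up empty.

```python
"""Correlate blocked-destination IPs from a UTM ATP (aptp) log with DNS server
query/answer records to find which internal client asked for them.
Added example: formats, names and addresses below are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines in the style of a DNS server query log that records
# the requesting client, the queried name and the answer returned. The format
# is an assumption for this example; adapt LINE_RE to the real log.
DNS_LOG = """\
2024-05-01 09:12:01 client=10.10.5.23 (WS-ACCOUNTING-07) qname=update.example.test answer=203.0.113.45
2024-05-01 09:12:02 client=10.10.5.23 (WS-ACCOUNTING-07) qname=www.example.org answer=198.51.100.10
2024-05-01 09:12:05 client=10.10.7.88 (WS-SALES-12) qname=cdn.example.net answer=192.0.2.77
2024-05-01 09:13:40 client=10.10.5.23 (WS-ACCOUNTING-07) qname=update.example.test answer=203.0.113.46
2024-05-01 09:15:10 client=10.10.9.4 (LAPTOP-HR-03) qname=mail.example.com answer=198.51.100.20
"""

# Constructed sample: destination IPs copied from the UTM aptp log entries
# that were attributed to the DNS servers.
BLOCKED_IPS = ["203.0.113.45", "203.0.113.46", "192.0.2.77"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client=(?P<client>\S+) \((?P<host>[^)]+)\) "
    r"qname=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)


def parse_dns_log(text):
    """Yield one dict per well-formed log line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def correlate(dns_log_text, blocked_ips):
    """Map each blocked IP to the set of (client_ip, hostname, qname) whose lookup resolved to it."""
    blocked = {ipaddress.ip_address(ip) for ip in blocked_ips}
    hits = defaultdict(set)
    for rec in parse_dns_log(dns_log_text):
        try:
            answer = ipaddress.ip_address(rec["answer"])
        except ValueError:
            continue  # answer is not an address (e.g. a CNAME); nothing to match on
        if answer in blocked:
            hits[str(answer)].add((rec["client"], rec["host"], rec["qname"]))
    return dict(hits)


def suspect_clients(dns_log_text, blocked_ips):
    """Return clients ranked by how many distinct blocked IPs their lookups resolved to."""
    seen = defaultdict(set)
    for ip, who in correlate(dns_log_text, blocked_ips).items():
        for client, host, _qname in who:
            seen[(client, host)].add(ip)
    return sorted(seen.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for ip, who in sorted(correlate(DNS_LOG, BLOCKED_IPS).items()):
        for client, host, qname in sorted(who):
            print(f"{ip} was returned to {host} ({client}) for {qname}")
    print("Ranked suspects:", suspect_clients(DNS_LOG, BLOCKED_IPS))
```

On the sample data this points at WS-ACCOUNTING-07, which resolved two of the three blocked addresses, both through the same queried name; that name is the thing to search for in the DNS-Server analytical log when the IPs themselves do not appear there.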


