Hi all:
I checked our company's Sophos UTM9 firewall, Advanced Threat Protection section, and it has threat name "C2/Generic-A" events for the AD/DNS server as follows:
I used Sophos Endpoint, Malwarebytes & SuperAntiSpyware to run full scans, but can't find any virus. Please help me to fix this problem, thanks a lot!
PS: 192.168.2.194 is the primary AD & DNS server, 192.168.2.12 is the secondary AD & DNS server.
Total Events: 32
Try to find out which endpoint is actually requesting this by turning on logging on the DNS on the DCs.
Best regards
Alex
-
I already turned on the DNS debug log at the AD server to record in/out traffic, thanks a lot for your reply!
I found ATP logs again, but when I check the DNS log I can't find any records about this threat.
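One way to act on the advice above and find the requesting endpoint, as an added example that is not from anyone in this thread: a Python parser for Windows DNS debug log PACKET lines that correlates the DC's own outbound lookup of the flagged name with the client queries it received just before. The log lines and the 203.0.113.10 resolver address are constructed samples, and the 5-second window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One PACKET line of a Windows DNS debug log: date time AM/PM, thread id, PACKET, packet id,
# UDP/TCP, Snd/Rcv, remote IP, xid, "R" if response, opcode, [flags], qtype, (len)label name.
PACKET_RE = re.compile(
    r"^(\S+ \S+ [AP]M) \S+ PACKET\s+\S+ (UDP|TCP) (Snd|Rcv) (\S+)\s+\S+\s+(R?)\s*[QNU] "
    r"\[[^\]]*\]\s+(\S+)\s+(\S+)")

def decode_name(label_form):
    # "(3)www(9)microsoft(3)com(0)" -> "www.microsoft.com"
    return re.sub(r"\(\d+\)", ".", label_form).strip(".").lower()

def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:  # header and non-PACKET lines are skipped
            ts, proto, direction, remote, resp, qtype, qname = m.groups()
            entries.append({"ts": datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p"),
                            "direction": direction, "remote": remote,
                            "response": resp == "R", "qtype": qtype,
                            "qname": decode_name(qname)})
    return entries

def find_clients(text, flagged, window_s=5):
    """Client IPs (and the names they asked for) seen within window_s seconds before the DC
    itself sent a query for `flagged`; the flagged name only appears in the DC's Snd line."""
    entries = parse_log(text)
    dc_lookups = [e["ts"] for e in entries if e["direction"] == "Snd"
                  and not e["response"] and e["qname"] == flagged.lower()]
    clients = defaultdict(set)
    for t in dc_lookups:
        for e in entries:
            if (e["direction"] == "Rcv" and not e["response"]
                    and t - timedelta(seconds=window_s) <= e["ts"] <= t):
                clients[e["remote"]].add(e["qname"])
    return dict(clients)

# Constructed sample: a client asks for www.microsoft.com, the DC follows the CNAME and
# queries the Akamai name itself (203.0.113.10 is a placeholder upstream server).
SAMPLE_LOG = """\
2/19/2021 9:00:40 AM 0A2C PACKET  0000002A0B5C7F40 UDP Rcv 192.168.2.77    0009   Q [0001   D   NOERROR] A      (4)mail(7)example(3)com(0)
2/19/2021 9:01:03 AM 0A2C PACKET  0000002A0B5C7F40 UDP Rcv 192.168.2.50    0002   Q [0001   D   NOERROR] A      (3)www(9)microsoft(3)com(0)
2/19/2021 9:01:03 AM 0A2C PACKET  0000002A0B5C7F40 UDP Snd 203.0.113.10    4f1a   Q [0000       NOERROR] A      (3)www(9)microsoft(3)com(0)
2/19/2021 9:01:03 AM 0A2C PACKET  0000002A0B5C7F40 UDP Rcv 203.0.113.10    4f1a R Q [8080       NOERROR] A      (3)www(9)microsoft(3)com(0)
2/19/2021 9:01:04 AM 0A2C PACKET  0000002A0B5C8C00 UDP Snd 203.0.113.10    4f1b   Q [0000       NOERROR] A      (6)e13678(4)dspb(10)akamaiedge(3)net(0)
"""
```

Searching the log for the flagged name alone only returns the DC's own outbound lookup, so the time-window correlation is what points back to the client PCs; the result is a candidate list to check, not proof of infection.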
Since today I have the same issue with my AD DCs. I checked them with McAfee ENS and found nothing. I reset the Advanced Threat Protection, maybe it was just a false positive.
Pattern is 183185
Same over here.
Since this morning I'm getting several DNS-proxy alerts for the address "e13678.dspb.akamaiedge.net".
Seems to be a false positive when so many users are seeing the same alerts...^^
I checked the firewall ATP log; all entries are connection drop records for the AD/DNS server to an akamaiedge.net IP address.
Are they all false positives? Thanks!
I think maybe some client PCs have some problem....
Same here, C2 alerts for e13678.dspb.akamaiedge.net all coming from my DNS server:
1 DNS_Server C2/Generic-A e13678.dspb.akamaiedge.net 142 AFCd
2 DNS_Server C2/Generic-A e13678.dspb.akamaiedge.net 61 AFCd
3 DNS_Server C2/Generic-A e13678.dspb.akamaiedge.net 58 AFCd
4 DNS_Server C2/Generic-A e13678.dspb.akamaiedge.net 1 473 AFCd
5 DNS_Server C2/Generic-A e13678.dspb.akamaiedge.net 824 AFCd
6 DNS_Server C2/Generic-A e13678.dspb.akamaiedge.net 440 AFCd
And unfortunately e13678.dspb.akamaiedge.net is a CNAME for www.microsoft.com:
Thanks for your info. So do I need to check or ignore the alerts?
You should always check things out just in case, and even more so with the current amount of malicious activity going on globally.
Looking at VirusTotal (not a perfect source, I know), the only engine to classify that FQDN as bad is currently Sophos:
https://www.virustotal.com/gui/domain/e13678.dspb.akamaiedge.net/detection
Although, literally as I am typing this, that has just changed!! Sophos has changed to UnRated!
Looking at the "relations" page: https://www.virustotal.com/gui/domain/e13678.dspb.akamaiedge.net/relations
There do seem to be a number of malicious files that seem to contact that FQDN, but those files seem to be detected by most AV engines, so there is a reasonable chance this is a false positive.