
Sophos UTM9 Advanced Threat Protection have threat name "C2/Generic-A" events for AD/DNS Server

Hi all:

I checked our company's Sophos UTM9 firewall, Advanced Threat Protection section, and it has threat name "C2/Generic-A" events for the AD/DNS Server as follows:

I used Sophos Endpoint, Malwarebytes & SUPERAntiSpyware to run full scans, but can't find any viruses. Please help me to fix this problem, thanks a lot!

PS: is the primary AD & DNS Server, is the secondary AD & DNS Server.



Advanced Threat Protection

Total Events: 32

   #   User/Host   Threat Name    Destination   Events   Origin
   1               C2/Generic-A                 5        AFCd
   2               C2/Generic-A                 5        AFCd
   3               C2/Generic-A                 1        AFCd
   4               C2/Generic-A                 1        AFCd
   5               C2/Generic-A                 2        AFCd
   6               C2/Generic-A                 2        AFCd
   7               C2/Generic-A                 1        AFCd
   8               C2/Generic-A                 1        AFCd
   9               C2/Generic-A                 1        AFCd
  10               C2/Generic-A                 2        AFCd

  • Same here, C2 alerts, all coming from my DNS Server:

    1     DNS_Server     C2/Generic-A     142       AFCd
    2     DNS_Server     C2/Generic-A     61         AFCd
    3     DNS_Server     C2/Generic-A     58         AFCd
    4     DNS_Server     C2/Generic-A     1 473    AFCd
    5     DNS_Server     C2/Generic-A     824       AFCd
    6     DNS_Server     C2/Generic-A     440       AFCd

    And unfortunately is a CNAME for

    Type Domain Name Canonical Name TTL
    CNAME 60 min
    CNAME 6 hrs
    CNAME 15 min
  • Thanks for your info. So do I need to check or ignore the alerts?

  • You should always check things out just in case, and even more so with the current amount of malicious activity going on globally.

    Looking at VirusTotal (not a perfect source, I know), the only engine to classify that FQDN as bad is currently Sophos:


    Although literally as I am typing this, that has just changed!! Sophos has changed to Unrated!


    Looking at the "relations" page:

    There do seem to be a number of malicious files that contact that FQDN, but those files seem to be detected by most AV engines, so there is a reasonable chance this is a false positive.

  • Thanks a lot for your help, maybe this is a false positive for bad friday~~~

  • For info, the last alert I had for this was at 0925 UTC+1, so it looks like Sophos have updated their detection.

  • But I saw in the firewall ATP log there are still records of the DNS server address to external IPs, but I can't find any malware on either AD/DNS Server....


  • Ok, so those IPs reverse resolve to:



    Some of those are root DNS servers! So I imagine they are also False positives.

    For completeness, you need to find the client(s) that are making those DNS requests.

    If you are using Windows DNS you will need to enable debug logging on both of your DNS servers to log all DNS requests and responses to a txt file. Only have that enabled for as long as you need it, as it can be a little resource intensive.

    Once you have the logs you will need to go through them to see which client is making the request.
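    The last step above (working out which client made the requests once debug logging is on) as an added Python example, not code from this thread: it parses the per-packet lines of a Windows DNS Server debug log, keeps only queries received from clients (dropping the server's own forwarder traffic and all responses), and counts which client IPs asked for a given domain or any of its subdomains. The log lines, addresses and domain are constructed samples; the line layout is assumed to be the standard Windows DNS debug log format.

```python
import re
from collections import Counter, defaultdict

# One per-packet line of a Windows DNS Server debug log (layout assumed):
#   <date> <time> <thread> PACKET <ptr> <UDP|TCP> <Snd|Rcv> <remote IP> <xid> [R] <opcode> [<flags>] <QTYPE> <name>
# On a "Rcv" line with no "R" marker the remote IP is a client asking this server a question.
PACKET_RE = re.compile(
    r"^\S+\s+\S+(?:\s+[AP]M)?\s+\S+\s+PACKET\s+\S+\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+(?P<xid>\S+)\s+"
    r"(?P<resp>R)?\s*(?P<opcode>[QNU])\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)"
)

def decode_name(label_form):
    """Turn the log's length-prefixed name, e.g. (3)www(6)sophos(3)com(0), into www.sophos.com."""
    labels = re.findall(r"\((\d+)\)([^()]*)", label_form)
    return ".".join(text for length, text in labels if int(length) > 0)

def clients_querying(log_text, suspect_domain):
    """Map client IP -> Counter of query names, for queries received from clients
    whose name is suspect_domain or a subdomain of it (case-insensitive)."""
    suspect = suspect_domain.lower().rstrip(".")
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = PACKET_RE.match(line)
        # Skip non-packet lines, packets the server sent, and responses received from forwarders.
        if not m or m["dir"] != "Rcv" or m["resp"]:
            continue
        qname = decode_name(m["name"]).lower()
        if qname == suspect or qname.endswith("." + suspect):
            hits[m["ip"]][qname] += 1
    return dict(hits)

# Constructed sample: two clients, one forwarder (203.0.113.53), one full query/response round trip.
SAMPLE_LOG = """\
6/14/2019 9:20:01 AM 0E4C PACKET  000000B3E2D8F2A0 UDP Rcv 192.168.10.57     0a1b   Q [0001   D   NOERROR] A      (3)cdn(7)example(3)net(0)
6/14/2019 9:20:01 AM 0E4C PACKET  000000B3E2D8F2A0 UDP Snd 203.0.113.53      0a1b   Q [0001   D   NOERROR] A      (3)cdn(7)example(3)net(0)
6/14/2019 9:20:01 AM 0E4C PACKET  000000B3E2D8F2A0 UDP Rcv 203.0.113.53      0a1b R Q [8081   DR  NOERROR] A      (3)cdn(7)example(3)net(0)
6/14/2019 9:20:01 AM 0E4C PACKET  000000B3E2D8F2A0 UDP Snd 192.168.10.57     0a1b R Q [8081   DR  NOERROR] A      (3)cdn(7)example(3)net(0)
6/14/2019 9:20:05 AM 0E4C PACKET  000000B3E2D8F2A0 UDP Rcv 192.168.10.57     0a1c   Q [0001   D   NOERROR] A      (3)cdn(7)example(3)net(0)
6/14/2019 9:20:07 AM 0E4C PACKET  000000B3E2D8F2A0 UDP Rcv 192.168.10.112    7f3e   Q [0001   D   NOERROR] A      (4)mail(7)example(3)net(0)
6/14/2019 9:20:09 AM 0E4C PACKET  000000B3E2D8F2A0 UDP Rcv 192.168.10.112    7f3f   Q [0001   D   NOERROR] A      (3)www(6)sophos(3)com(0)
"""

if __name__ == "__main__":
    import sys  # usage: python find_dns_clients.py [dns.log] [domain]
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    domain = sys.argv[2] if len(sys.argv) > 2 else "example.net"
    for ip, names in sorted(clients_querying(text, domain).items()):
        print(ip, dict(names))
```

    Run it against the dns.log from each DNS server with the FQDN from the ATP alert; the client IPs it prints are the machines to scan, while a hit list that is empty or contains only the server's own forwarder traffic supports the false-positive conclusion above.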