
C2/Generic-A Originating from AFCd?

Hi everyone, looks like I have a similar situation to a few people.

NO Windows machines on the network, just OSX and Linux (QNAP). Woke up to over 1400 emails regarding ATP C2/Generic-A. But the originating seems to be from AFCd? Any idea what this is?

Googling has given me no ideas. Any ideas anyone?



  • my reply from Sophos Support :

    "Thank you for contacting Sophos.

    I've checked your details below. It looks as though DNS traffic to "app.anmorebcai.com" is being blocked by ATP. I've seen a few UTM cases like this over the past few days. Your internal network is not exploited and the ATP has done its job in protecting you.

    We suggest blocking the source IPs to avoid the alert being triggered again.

    Regards, "

  • Hi, here the same situation.

    But if the support is saying "DNS traffic TO "app.anmorebcai.com" are being blocked by ATP", then the traffic is coming from my firewall or my internal networks...or not?

    In my logs I see UDP traffic FROM app.anmorebcai.com:

    2016:03:20-06:00:18 <utm> afcd[8471]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="<ext IP>" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="yebaa602496d.app.anmorencai.com" url="-" action="drop"


    Max.


  • No, there's a DNS packet trying to resolve the domain, which is on a blacklist. And this packet is destined to your IP address.

    If you have multiple IP addresses on your firewall you get multiple mails, one for each of the addresses. And if you have a DNAT to an internal server, your internal server is also listed as destination.
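    The direction question raised above (is the blacklisted lookup coming from inside, or being sent to one of our addresses?) can be answered straight from the afcd log lines. The following is an added example, not code from the thread or from Sophos: it parses the key="value" format of the posted packetfilter line, classifies each drop as inbound or outbound using the source/destination addresses, and counts drops per destination so the one-mail-per-IP and DNAT cases are visible. The redacted "<ext IP>" is replaced with documentation-range addresses (203.0.113.x) and the second and third lines are constructed to illustrate those cases.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Sophos UTM packetfilter/ATP log lines are space-separated key="value" pairs
# after the "afcd[pid]:" prefix; values may contain spaces (e.g. the name field).
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: the first line is the one posted in the thread with the
# redacted destination replaced by 203.0.113.10; the other two are constructed
# (second external address, and a DNAT target on the internal network).
SAMPLE_LOG = """\
2016:03:20-06:00:18 <utm> afcd[8471]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="203.0.113.10" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="yebaa602496d.app.anmorencai.com" url="-" action="drop"
2016:03:20-06:00:19 <utm> afcd[8471]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="203.0.113.11" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="yebaa602496d.app.anmorencai.com" url="-" action="drop"
2016:03:20-06:00:20 <utm> afcd[8471]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="218.60.112.227" dstip="192.168.1.20" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="yebaa602496d.app.anmorencai.com" url="-" action="drop"
"""


def parse_afcd_line(line):
    """Return the key="value" fields of one afcd line plus its leading timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def classify_direction(event):
    """'outbound' if an internal (RFC1918) host originated the packet,
    'inbound' if an external sender addressed one of our addresses,
    'internal' if both ends are private."""
    src = ipaddress.ip_address(event["srcip"])
    dst = ipaddress.ip_address(event["dstip"])
    if src.is_private and not dst.is_private:
        return "outbound"   # an internal host reaching out: worth investigating
    if not src.is_private:
        return "inbound"    # external sender targeting one of our addresses
    return "internal"


def summarize(log_text):
    """Parse ATP packetfilter drops and summarize direction and per-destination counts."""
    events = [parse_afcd_line(l) for l in log_text.splitlines()
              if 'sub="packetfilter"' in l and 'threatname=' in l]
    directions = Counter(classify_direction(e) for e in events)
    per_destination = defaultdict(Counter)
    for e in events:
        # proto="17" is UDP; host is the name the blocked DNS query asked for.
        per_destination[e["dstip"]][e["host"]] += 1
    outbound_sources = sorted({e["srcip"] for e in events
                               if classify_direction(e) == "outbound"})
    return {
        "directions": dict(directions),
        "per_destination": {k: dict(v) for k, v in per_destination.items()},
        "outbound_sources": outbound_sources,  # internal hosts that need a look
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("direction counts:", summary["directions"])
    for dst, hosts in summary["per_destination"].items():
        print(f"  {dst}: {hosts}")
    print("internal hosts originating blocked lookups:", summary["outbound_sources"] or "none")
```

    For the sample, every drop is inbound (the external 218.60.112.227 addressed our public IPs and the DNAT target), and `outbound_sources` is empty; an internal address appearing there would be the signal that a machine on the LAN is actually trying to resolve the blacklisted name.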

  • Hi Folks,

    so far, our investigation showed that this was caused by an ATP pattern update which is already overwritten in the meantime. Do you have any other reports later than March, 20?

    Thank you

    Regards

    Dominic

  • no, so this was a sophos pattern update problem?

  • Hi Dominic,

    does this mean with the next pattern update AFCd alert will be resolved?

    Kind regards,
    Roland

    (Germany)

  • Mine continued until 3:25pm EST (March 20) which is when I changed my EXTERNAL IP address.

    If this was just a pattern issue, why would changing my external IP stop the activity??

    J

  • John Riley said:

    Mine continued until 3:25pm EST (March 20) which is when I changed my EXTERNAL IP address.

    If this was just a pattern issue, why would changing my external IP stop the activity??

    J

    Mine stopped at the same time, without changing anything on my end...so it might just be coincidence.

  • Hey,

    we fixed it via a pattern update and my question was whether someone still experiences any issues after March, 20?

    Regards

    Dominic
