Hi everyone, looks like I have a similar situation to a few people.
NO Windows machines on the network, just OSX and Linux (QNAP). Woke up to over 1400 emails regarding ATP C2/Generic-A. But it seems to originate from AFCd? Any idea what this is?
Googling has given me no ideas. Any ideas anyone?
My reply from Sophos Support:
"Thank you for contacting Sophos. I've checked your details below. It looks as though DNS traffic to "app.anmorebcai.com" is being blocked by ATP. I've seen a few UTM cases like this over the past few days. Your internal network is not exploited and the ATP has done its job in protecting you. We suggest blocking the source IPs to avoid the alert being triggered again. Regards, "
Hi, here the same situation.
But if the support is saying "DNS traffic TO "app.anmorebcai.com" is being blocked by ATP", then the traffic is coming from my firewall or my internal networks... or not?
In my logs I see UDP traffic FROM app.anmorebcai.com:
2016:03:20-06:00:18 <utm> afcd: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="22.214.171.124" dstip="<ext IP>" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="yebaa602496d.app.anmorencai.com" url="-" action="drop"
Max.
Here all OK.
We had only one event on 20th March. Everything OK since then.
No issues here since 3/20 either.
At least I can repeat the alert with: dig @wan dns pqyoebe38318.app.anmorencai.com
We did some further investigation on that issue and it turned out that it was not related to an ATP pattern update. The cause of the issue is a botnet that started to send UDP DNS packets via malicious domains. Those DNS requests were detected by the ATP rather than being blocked by the packet filter. Once the botnet stopped sending DNS requests, ATP stopped reporting the alerts.
We are working to improve the packet handling so that this kind of traffic will be detected before it reaches the ATP engine.
This makes more sense :)
We are receiving this alert related to C2/Generic-A from the random domain "app.anmorencai.com" also in Tunisia.
We are facing some issues as explained by friends here previously.
Attached a print screen showing events since: April 30, 2016 15:54.
You said that the topic is related to an update and you are working on resolving it; please note that our firmware and UTM version are as shown below:
The question is: what is the best thing to do to not receive these alerts anymore?
1- Wait for your update, which we believe is not ready if we are still receiving the alerts; otherwise would you explain how to implement it? You said a botnet error that needs an update; where is this update please and how do we make it work? Since we have the last update, why is it not working yet? Still under preparation by the Sophos Team, or did we miss something?
2- We can inform our National CERT Team in Tunisia to block this domain, and we can give them an official request to do so with the attached explanatory links and print screen and the DNS Whois of the IP addresses:
But do you recommend 2??
3- Solution 3 is to configure the UTM manually to not receive this alert anymore (someone said by blocking the host or the IP range). For us a global working solution is better; we can investigate this way too, but we don't prefer it.
Since there has been no answer on the topic for a while, we are asking where the progress is and how we should react to it, so your ASAP input is very highly needed and appreciated.
Friendly regards to all the folks.
It looks to me like it's a DDoS technique that I remember starting maybe around 2014. A request is made to an open recursive DNS server with a random subdomain, causing the DNS server to do a lookup because the FQDN would not be in cache. One would do this for different reasons. I'm guessing here that the source was spoofed to the external IP of the UTM.
I'm not only seeing this in the UTM's ATP logs but in the logs of the external DNS servers at an ISP. It is annoying that this is still generating logs in ATP. I just wish there was a better description provided to the end users.
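The pattern described above (many queries for never-before-seen random labels under one parent domain) is something a resolver or UTM operator can spot in their own query logs before any threat feed names the domain. The script below is an added example, not code from the thread or from Sophos: it groups queried names by parent domain, counts how many distinct leftmost labels were seen and measures their character entropy, and flags parents where both are high, which is what a random-subdomain flood looks like and what ordinary traffic (www, mail) does not. The query list is constructed; the two labels taken from the thread's log lines are real, the remaining labels and client addresses are made up, and the thresholds are assumptions to tune per environment.

```python
import math
from collections import defaultdict

# Constructed (client_ip, queried_name) pairs. The first two labels under
# app.anmorencai.com are the ones quoted in the thread; everything else is made up.
SAMPLE_QUERIES = [
    ("203.0.113.9", "yebaa602496d.app.anmorencai.com"),
    ("203.0.113.9", "pqyoebe38318.app.anmorencai.com"),
    ("203.0.113.9", "k1v9x3qz7m.app.anmorencai.com"),
    ("203.0.113.9", "x8f2lq0pd1.app.anmorencai.com"),
    ("203.0.113.9", "zt4gh1we9b.app.anmorencai.com"),
    ("198.51.100.4", "www.example.com"),
    ("198.51.100.4", "mail.example.com"),
    ("198.51.100.4", "www.example.com"),
]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Split 'label.parent.tld' into (leftmost label, parent)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, None  # bare domain; nothing to treat as a subdomain
    return labels[0], ".".join(labels[1:])


def find_floods(queries, min_unique=5, min_entropy=3.0):
    """Return parents whose distinct leftmost labels are numerous and high-entropy.

    min_unique / min_entropy are assumed thresholds, not values from the thread.
    """
    labels_by_parent = defaultdict(set)
    clients_by_parent = defaultdict(set)
    for client, qname in queries:
        label, parent = split_qname(qname)
        if parent is None:
            continue
        labels_by_parent[parent].add(label)
        clients_by_parent[parent].add(client)

    flagged = {}
    for parent, labels in labels_by_parent.items():
        if len(labels) < min_unique:
            continue
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_entropy >= min_entropy:
            flagged[parent] = {
                "unique_labels": len(labels),
                "mean_entropy": round(mean_entropy, 2),
                "clients": sorted(clients_by_parent[parent]),
            }
    return flagged


if __name__ == "__main__":
    for parent, info in find_floods(SAMPLE_QUERIES).items():
        print(f"random-subdomain pattern under {parent}: {info}")
```

On a resolver, the "clients" list is the interesting field: when the sources are spoofed, as suspected above, the same parent domain will show up with many unrelated client addresses, each sending only a handful of queries, which is one more reason to treat the hits as noise aimed at the domain's authoritative servers rather than as infected hosts on the LAN.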
We've encountered the same from ATP. What I've noticed is that on the computers that were subsequently flagged, almost all users were browsing with IE.
Those don't look like false positives. What do you find when you do an exhaustive malware scan on one of the computers?
Cheers - Bob