Seeing about six of our sites (all running the slightly older 9.408 release) getting APT alerts for ocsp.comodoca.com starting this morning (2017-02-21 ~9 am EST)?
Anyone else seeing this occur?
This thread was automatically locked due to age.
Seeing about six of our sites (all running the slightly older 9.408 release) getting APT alerts for ocsp.comodoca.com starting this morning (2017-02-21 ~9 am EST)?
Anyone else seeing this occur?
Same here, first one at 9:16am today.
Advanced Threat Protection
A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2017-02-21 09:16:35
Traffic blocked: yes
Firmware: 9.408-4
Hi All,
Sophos released an ATP Pattern update 14:50 GMT which cause ocsp.comodoca.com to be flagged as various forms of Malware. This occurred in Pattern Update #118540 and has been resolve in Pattern Update #118541 which was released at 15:20 GMT.
If your patterns aren’t updating, please manually update them by going to Management > Up2Date then go to the Configuration tab and change the Update Interval for patterns to Manual. Then return to the previous tab and press Up2Date for Patterns and return to configuration and switch it back to Automatic every 15 minutes.
If you are on 118541 already, you shouldn’t have any problems.
Emile
Hi All,
Sophos released an ATP Pattern update 14:50 GMT which cause ocsp.comodoca.com to be flagged as various forms of Malware. This occurred in Pattern Update #118540 and has been resolve in Pattern Update #118541 which was released at 15:20 GMT.
If your patterns aren’t updating, please manually update them by going to Management > Up2Date then go to the Configuration tab and change the Update Interval for patterns to Manual. Then return to the previous tab and press Up2Date for Patterns and return to configuration and switch it back to Automatic every 15 minutes.
If you are on 118541 already, you shouldn’t have any problems.
Emile
Emile, It's still happening and we are on 118544 !
We are on 118544 and getting spammed by these alerts as well.
We still have this issues with pattern version 118544!
It occurs using this URL:
Using other URLs from the http.log, they work:
Seems that there is some kind of trojan in the string MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D
The UTM says:
You are trying to visit a URL that is normally only visited by a threat installed on a computer. Your computer may be infected with malware, please contact your administrator.
We have scanned all the "infected" computers and nothing was found. Maybe we have to set an exception for that false positives.
Hi Emile,
We are on pastern update 118544
But we are still seeing these alerts!!!
Just seen more emails from others, will follow up!
Could you check to see if these emails aren't spooled from earlier in the Mail Protection Log?
Emile
We're still seeing alerts on 118544 from one site as well, but they certainly seem to have slowed down in frequency.
We are at 118544 and our last alert was at: ocsp.comodoca.com C2/Generic-A Proxy 2017-02-21 10:58:32 in Eastern Time US.
Perhaps it's fixed?
michael.preis said:We still have this issues with pattern version 118544!
It occurs using this URL:
Using other URLs from the http.log, they work:
Seems that there is some kind of trojan in the string MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D
The UTM says:
The content is blocked due to the following condition:You are trying to visit a URL that is normally only visited by a threat installed on a computer. Your computer may be infected with malware, please contact your administrator.
We have scanned all the "infected" computers and nothing was found. Maybe we have to set an exception for that false positives.
Guess not:
Advanced Threat Protection
A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2017-02-21 11:34:28
Traffic blocked: yes