Seeing about six of our sites (all running the slightly older 9.408 release) getting APT alerts for ocsp.comodoca.com starting this morning (2017-02-21 ~9 am EST)?
Anyone else seeing this occur?
We are on 118544 and getting spammed by these alerts as well.
We still have this issue with pattern version 118544!
It occurs using this URL:
Using other URLs from the http.log, they work:
Seems that there is some kind of trojan in the string MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D
The UTM says:
You are trying to visit a URL that is normally only visited by a threat installed on a computer. Your computer may be infected with malware, please contact your administrator.
We have scanned all the "infected" computers and nothing was found. Maybe we have to set an exception for those false positives.
Hi Emile,
We are on pattern update 118544
But we are still seeing these alerts!!!
Just seen more emails from others, will follow up!
Could you check to see if these emails aren't spooled from earlier in the Mail Protection Log?
Emile
We're still seeing alerts on 118544 from one site as well, but they certainly seem to have slowed down in frequency.
We are at 118544 and our last alert was at: ocsp.comodoca.com C2/Generic-A Proxy 2017-02-21 10:58:32 in Eastern Time US.
Perhaps it's fixed?
michael.preis said: We still have this issue with pattern version 118544!
It occurs using this URL:
Using other URLs from the http.log, they work:
Seems that there is some kind of trojan in the string MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D
The UTM says:
The content is blocked due to the following condition: You are trying to visit a URL that is normally only visited by a threat installed on a computer. Your computer may be infected with malware, please contact your administrator.
We have scanned all the "infected" computers and nothing was found. Maybe we have to set an exception for those false positives.
I am also on 118544 and seeing all of the alerts mentioned above as well as alerts on urls like this one:
web request blocked, reputation limit | ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8+5VZ5/a9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ/lFeFh+isd96yUzJbvJmLVg0= | Category: Internet Services | Reputation: malicious
Not sure if related, but seems so.
Guess not:
Advanced Threat Protection
A threat has been detected in your network. The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2017-02-21 11:34:28
Traffic blocked: yes
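The "suspicious" strings in both of the flagged URLs (the ocsp.comodoca.com one quoted by michael.preis and the ocsp.rootca1.amazontrust.com one above) have the shape RFC 6960 Appendix A gives for an OCSP GET request: a DER-encoded OCSPRequest, base64-encoded and then URL-encoded into the path. The quickest way to confirm an alert like this is a false positive is to decode the path and check that it parses as exactly that structure and nothing else. The script below is an added example, not code from the thread or from Sophos; the two sample URLs are the ones pasted in the thread (with an `http://` scheme added), and the function names and the minimal DER walker are illustrative, not any library's API.

```python
"""Decode the base64 OCSP request carried in an OCSP GET URL path.

Added example: walks the DER structure of an OCSPRequest (RFC 6960) by hand
so that no third-party ASN.1 library is needed. The sample URLs are the two
quoted in the forum thread; the http:// scheme is assumed for parsing.
"""
import base64
from urllib.parse import unquote, urlsplit

SHA1_OID = "1.3.14.3.2.26"  # id-sha1, the hashAlgorithm normally seen in CertID

# Constructed inputs: the paths pasted in the thread, scheme added.
COMODO_URL = (
    "http://ocsp.comodoca.com/"
    "MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36"
    "pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D"
)
AMAZON_URL = (
    "http://ocsp.rootca1.amazontrust.com/"
    "MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8+5VZ5/a9jFTaU9pkK3FAQUhBjMhTTs"
    "vAyUlC4IWZzHshBOCggCEwZ/lFeFh+isd96yUzJbvJmLVg0="
)


def der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        yield tag, val


def first_sequence(children) -> bytes:
    """Return the first SEQUENCE child, skipping optional [n] EXPLICIT tags."""
    for tag, val in children:
        if tag == 0x30:
            return val
    raise ValueError("expected a SEQUENCE")


def decode_oid(raw: bytes) -> str:
    """Turn DER OID contents into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    n = 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def parse_ocsp_get_url(url: str) -> dict:
    """Return the CertID fields of the single Request in an OCSP GET URL.

    Raises ValueError when the path does not decode to a well-formed
    OCSPRequest, which is exactly the case that would deserve a closer look.
    """
    path = urlsplit(url).path.lstrip("/")
    der = base64.b64decode(unquote(path), validate=True)

    tag, ocsp_request, end = der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("path is not a single DER SEQUENCE")
    tbs_request = first_sequence(der_children(ocsp_request))
    request_list = first_sequence(der_children(tbs_request))
    requests = [val for t, val in der_children(request_list) if t == 0x30]
    if len(requests) != 1:
        raise ValueError(f"expected one Request, found {len(requests)}")
    cert_id = first_sequence(der_children(requests[0]))

    fields = list(der_children(cert_id))
    if len(fields) < 4:
        raise ValueError("CertID has too few fields")
    (alg_tag, alg), (nh_tag, name_hash), (kh_tag, key_hash), (sn_tag, serial) = fields[:4]
    if (alg_tag, nh_tag, kh_tag, sn_tag) != (0x30, 0x04, 0x04, 0x02):
        raise ValueError("CertID fields carry unexpected tags")
    oid_tag, oid_raw = next(der_children(alg))
    if oid_tag != 0x06:
        raise ValueError("hashAlgorithm does not start with an OID")

    return {
        "hash_algorithm": decode_oid(oid_raw),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial_number": serial.hex(),
    }


if __name__ == "__main__":
    for url in (COMODO_URL, AMAZON_URL):
        info = parse_ocsp_get_url(url)
        label = "SHA-1" if info["hash_algorithm"] == SHA1_OID else info["hash_algorithm"]
        print(urlsplit(url).hostname, label, "serial", info["serial_number"])
```

Both paths decode to an OCSPRequest with one CertID hashed with SHA-1 (20-byte issuer name and key hashes) and a certificate serial number; there is no room in the structure for anything else, which is what you would expect from a browser or OS checking certificate status. Running the same check over the other ocsp.* URLs in http.log is a reasonable way to scope an exception: anything that fails to parse is the traffic worth keeping an alert on.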