
C2/Generic-A AFCd

I'm having multiple UTMs reporting a C2/Generic-A from IP address: 45.33.9.234. I have scanned every server/PC that it is reporting on and there is never anything there. I believe this is a false positive and I cannot get Sophos to help me out on this one. I've been hung up on twice and all the support reps can tell me is that the PCs are infected and that there's nothing they can do before hanging up.



  • Well that URL is certainly classified as a call home URL.  Even with Sophos Home, the web protection piece returns:

    If I just:
    telnet 45.33.9.234 80

    so the connection gets to the UTM, then looking under:
    "Advanced Threat Protection" -> "Open Live Log"



    Then I see:



    So the client 192.168.0.10 is making an attempt to connect to that IP.

    Do you have one or more clients in this list?  

    What operating system are they?

    Do the times of the alerts for, say, the same endpoint fit a pattern?

    Could you run a tool such as Process Monitor (just network activity) during these times to see if a process is making a connection to the IP in question?

    If no pattern can be established and you need to run something silently or for a longer period of time, you could install Sysmon on these clients (again, if Windows) https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon.  E.g. to install and monitor network connections being made:

    Sysmon64.exe -i -n

    If you get a new alert from a client running Sysmon you could then run (PowerShell command prompt):

    Get-WinEvent -Path "C:\windows\System32\Winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx" | Where-Object { $_.Message -match "DestinationIp: 45.33.9.234" } | Out-GridView

    To give you some info about the user/process etc...  Consider a different output format as needed.

    If you can get a process name, you'll be there :)  If you had Sophos XG firewall and the Central Endpoint, then the client would give the firewall the process in question.  https://vimeo.com/144918393 covers it to some degree.

    Regards,
    Jak
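    To get to the process name the reply above points at, here is an added PowerShell example (not from the original post, Sophos or Sysinternals) that pulls Sysmon network-connection events (Event ID 3) for the flagged destination IP from the live log or an exported .evtx and lists the image, PID, user and time for each one. It assumes Sysmon is installed with network logging enabled as above; the function name is hypothetical.

```powershell
# Added example: attribute Sysmon NetworkConnect events (Event ID 3) to a process,
# user and time so the alerting host can be checked for which binary reached out.
# Assumes Sysmon is installed with network logging enabled (Sysmon64.exe -i -n).
function Get-SysmonConnectionsTo {
    param(
        [Parameter(Mandatory)][string]$DestinationIp,
        # Optional: read an exported .evtx instead of the live Operational log
        [string]$EvtxPath,
        [int]$MaxEvents = 5000
    )

    $filter = @{ Id = 3 }   # Sysmon Event ID 3 = NetworkConnect
    if ($EvtxPath) { $filter['Path'] = $EvtxPath }
    else           { $filter['LogName'] = 'Microsoft-Windows-Sysmon/Operational' }

    # -ErrorAction SilentlyContinue: Get-WinEvent errors when nothing matches
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) { Write-Warning "No Sysmon network-connection events found"; return }

    foreach ($e in $events) {
        # Sysmon stores fields as <Data Name="...">text</Data>; turn them into a hashtable
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Exact string compare: a -match regex would treat '.' as "any character"
        if ($data['DestinationIp'] -ne $DestinationIp) { continue }

        [pscustomobject]@{
            UtcTime         = $data['UtcTime']
            Image           = $data['Image']
            ProcessId       = $data['ProcessId']
            User            = $data['User']
            Protocol        = $data['Protocol']
            SourceIp        = $data['SourceIp']
            DestinationPort = $data['DestinationPort']
            DestinationHost = $data['DestinationHostname']
        }
    }
}

# Live log on the alerting host, oldest first; pipe to Out-GridView or Export-Csv as needed
Get-SysmonConnectionsTo -DestinationIp '45.33.9.234' |
    Sort-Object UtcTime | Format-Table -AutoSize
```

    Group the output on Image (Group-Object Image) to see at a glance whether one process accounts for every hit across the window in which the UTM alerts fire.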

  • Jak, 

    The clients are always the acting domain controllers. The operating systems are usually Windows Server 2008 R2 and Windows Server 2012 R2. The alerts are always for the same destination IP and the alerts happen within a minute time span and then I never see them again. I have DNS debug set on every server that is affected and I see the traffic but it's always reaching out from the DC to the malicious IP. I have scanned everything on these servers multiple times, across all of the clients that are seeing this, and still nothing. I've tried Wireshark but the alerts usually never return. I'm currently seeing this across six clients.
