Don't miss out on new posts! Sign up!

Sophos false positive C2/Generic-A alerts

I wanted to put this out there to you guys and see if anyone else had a round of Sophos false positive C2/Generic-A alerts yesterday or the last couple of days with Sophos Advanced Threat Protection identifying a C2/Generic-A threat.  The exact message I was seeing on some UTM devices was the following:

Advanced Threat Protection

A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name….: C2/Generic-A
Time………..: 2015-04-30 16:27:26
Traffic blocked: yes

Source IP address or host:

When pulling up the web filter log, the activity that I saw which it blocked came from a device that was hitting Google’s public DNS server address at  I found a thread here on the Astaro forum from other users who were seeing some issues:

It seems that for me the ATP alerted for around 2 hours yesterday afternoon and then stopped for three devices on my network all of which were hitting the DNS address.  Then, the alerts and network traffic was no longer flagged.

After being directed to the free download utility from Sophos here:  and running the scan utility, the computer was found to be clean.

Let me know if you guys were seeing this across the board too.  All in all, I love the Sophos UTM product and would always rather be safe than sorry when it comes to security and malware, but it looks like Sophos may have been crying wolf yesterday due to a signature update possibly.

Don't miss out on new posts! Sign up!

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.

Related Articles


  1. Hi
    I have the same Alert on UTM9 SG230. Funny fact: The two detected hosts are the Domaincontrollers in that network. I’ve scanned both with several tools and found nothing. Nice to know, I’m not alone.
    Kind regards

  2. Same here, it looks DNS related. If I had to take a swing, its a DNS server its job to reach out to multiple places to the internet, it’s called resolving. There is no bad intend in it, its purely the core of a DNS server. so yes, for the DNS Server its a false positve.

    Now… What client requested the actual dns resolvement of a malicious site? This seems to be the core of the problem, also with me. A client is certainly to blame.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.