I wanted to put this out there to you guys and see if anyone else had a round of Sophos false positive C2/Generic-A alerts yesterday or the last couple of days with Sophos Advanced Threat Protection identifying a C2/Generic-A threat. The exact message I was seeing on some UTM devices was the following:
Advanced Threat Protection
A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name….: C2/Generic-A
Time………..: 2015-04-30 16:27:26
Traffic blocked: yes
Source IP address or host: 192.168.1.20
When pulling up the web filter log, the activity that I saw which it blocked came from a device that was hitting Google’s public DNS server address at 188.8.131.52. I found a thread here on the Astaro forum from other users who were seeing some issues: https://www.astaro.org/gateway-products/network-protection-firewall-nat-qos-ips/57171-advanced-threat-protection-google-dns-8-8-8-8-false-positive-3.html
It seems that for me the ATP alerted for around 2 hours yesterday afternoon and then stopped for three devices on my network all of which were hitting the 184.108.40.206 DNS address. Then, the alerts and network traffic was no longer flagged.
After being directed to the free download utility from Sophos here: https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx and running the scan utility, the computer was found to be clean.
Let me know if you guys were seeing this across the board too. All in all, I love the Sophos UTM product and would always rather be safe than sorry when it comes to security and malware, but it looks like Sophos may have been crying wolf yesterday due to a signature update possibly.