C2/Generic-B

Category: Viruses and Spyware
Type: Malicious behavior
Prevalence: Small Number of Reports
Protection available since: 27 Oct 2014 17:22:05 (GMT)
Last Updated: 01 Sep 2015 23:58:56 (GMT)


Characteristics

  • Enables remote access

Affected Operating Systems

C2/Generic-B is the threat name associated with remote command and control (C&C) servers that malware contacts in call-home connections.

Customers will see the C2/Generic-B detection when Sophos detects a process running on an endpoint that is communicating with a known remote C&C server. The detection indicates that the machine may be compromised with malware.

The network traffic will most likely have been generated by active malware on an infected machine attempting to connect to the C&C server. Such C&C connections are normally made for one of the following reasons:

  • to report the infection
  • to download configuration data
  • to exfiltrate stolen data

The network traffic detection on the endpoint triggers additional run-time scanning of the communicating process to confirm the presence of malware; any malware found is remediated. When that run-time process scan confirms malware, the C2/Generic-B event is not presented and the notification for the identified malware takes precedence.

A C2/Generic-B event notification therefore indicates that the additional run-time process scan was not able to confirm the presence of malware, but that the network traffic was to a known remote C&C server.

Reports of C2/Generic-B should trigger further investigation of the affected endpoint(s): identify the process that made the connection and remove any running malware. A scan that could not confirm malware does not mean the endpoint is clean; it means the scanner could not confirm it at that moment.
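The triage flow described above, as an added example that is not Sophos code: endpoint connection records are matched against a list of known C&C destinations, grouped by the process that made them, and then the precedence rule is applied (a confirmed run-time scan detection is reported instead of C2/Generic-B). The connection records are constructed and mimic the fields of a Sysmon Event ID 3 (NetworkConnect) log, the indicator feed uses documentation-only addresses and domains, and the scanner verdicts are supplied as input; all of these are assumptions for the example.

```python
"""Triage endpoint network connections against a known C&C list.

Added example, not Sophos code. Records are constructed (Sysmon Event ID 3-like
fields); the indicator feed and the run-time scan verdicts are hypothetical.
"""
import ipaddress
from collections import defaultdict

# Hypothetical C&C indicator feed (TEST-NET ranges and documentation domains).
C2_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]
C2_DOMAINS = {"update-check.example.net", "cdn-sync.example.org"}

# Constructed records: a benign browser session, a binary in a user profile
# that calls home twice, and a scripting host contacting a listed domain.
SAMPLE_EVENTS = [
    {"pid": 1200, "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "192.0.2.10", "dst_port": 443, "dst_host": "www.example.com"},
    {"pid": 4321, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "dst_ip": "203.0.113.45", "dst_port": 443, "dst_host": ""},
    {"pid": 4321, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "dst_ip": "203.0.113.45", "dst_port": 8080, "dst_host": ""},
    {"pid": 5010, "image": r"C:\Windows\System32\wscript.exe",
     "dst_ip": "192.0.2.55", "dst_port": 80, "dst_host": "beacon.cdn-sync.example.org"},
]


def is_c2_destination(dst_ip, dst_host):
    """True if the IP lies in a listed network, or the host name equals a
    listed domain or is a subdomain of one."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        addr = None
    if addr is not None and any(addr in net for net in C2_NETWORKS):
        return True
    host = dst_host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def find_callhomes(events):
    """Group matching connections by process: pid -> {image, destinations}."""
    hits = defaultdict(lambda: {"image": None, "destinations": []})
    for ev in events:
        if is_c2_destination(ev["dst_ip"], ev["dst_host"]):
            entry = hits[ev["pid"]]
            entry["image"] = ev["image"]
            entry["destinations"].append((ev["dst_ip"], ev["dst_port"], ev["dst_host"]))
    return dict(hits)


def classify(hits, scan_verdicts):
    """Precedence rule from the text: a confirmed run-time scan detection is
    reported for the process; otherwise the traffic alone yields C2/Generic-B.
    scan_verdicts maps pid -> detection name or None (hypothetical input here)."""
    return {pid: (scan_verdicts.get(pid) or "C2/Generic-B") for pid in hits}


if __name__ == "__main__":
    found = find_callhomes(SAMPLE_EVENTS)
    # Hypothetical scanner results: the fake svchost was confirmed, wscript was not.
    verdicts = {4321: "hypothetical-malware-detection", 5010: None}
    for pid, name in classify(found, verdicts).items():
        print(pid, found[pid]["image"], name, found[pid]["destinations"])
```

The subdomain match uses a leading dot so that an unrelated domain sharing a suffix (for example `notcdn-sync.example.org`) is not matched; processes with no C&C traffic never appear in the result, so a `C2/Generic-B` entry always carries the destinations an investigator needs to follow up.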
