Sophos UTM Advanced Threat Protection – Is Your Domain Controller a Botnet?

In some cases you will see an alert from Sophos UTM claiming that your Domain Controller is part of a botnet.

The log:

2015:01:xx-xx:xx:10 SOPHOSUTM afcd[30448]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="" dstip="" fwrule="63001" proto="17" threatname="C2/Generic-A" status="1" host="" url="-" action="drop"

The alert email:

Advanced Threat Protection
A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name....: C2/Generic-A
Time...........: 2015-01-xx xx:xx:15
Traffic blocked: yes
Internal source IP address or host: Your Domain Controller IP

The Domain Controller is normally just resolving the name on behalf of an internal client, so the UTM sees the DC as the source of the outbound lookup. You need to find out which client queried the Domain Controller for the malicious domain by enabling DNS debug logging:

1. To get your Windows domain controller to log DNS lookups, follow the directions here:


  • Open the DNS Manager console.
  • In the console tree, right-click the applicable DNS server, then click Properties.
  • Click the Debug Logging tab.
  • Select Log packets for debugging, and then select the events that you want the DNS server to record for debug logging.


Once you see data in C:\windows\system32\dns\dns.log you know that it is working. The output looks like this:

The client query is:

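As an added example (not from the original post and not Sophos or Microsoft code), here is a small Python parser for dns.log packet lines that separates the queries the DC received from clients (Rcv) from the ones it forwarded to an upstream resolver (Snd), which is the traffic ATP attributes to the DC. The sample log lines and IP addresses are constructed, and the regex follows the documented dns.log field layout; adjust it if your server version spaces the fields differently.

```python
import re

# One packet line of a Windows DNS server debug log (dns.log); layout (whitespace-separated):
# date time threadId PACKET packetId proto Snd|Rcv remoteIp xid [R] opcode [flags] qtype qname
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+(?:\s+[AP]M)?)\s+(?P<tid>\S+)\s+PACKET\s+(?P<pkt>\S+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+"
    r"(?:(?P<rsp>R)\s+)?(?P<op>\S)\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)

# Constructed sample: client 192.168.1.50 asks the DC for the suspect name, the DC forwards it
# to 203.0.113.53 (the packet ATP sees), both answers come back, then an unrelated lookup.
SAMPLE_LOG = """DNS Server log file creation at 1/20/2015 10:00:00 AM
1/20/2015 10:05:12 AM 0F2C PACKET  00000000029A8A70 UDP Rcv 192.168.1.50    8b1a   Q [0001   D   NOERROR] A      (5)badc2(7)example(3)net(0)
1/20/2015 10:05:12 AM 0F2C PACKET  00000000029A8C20 UDP Snd 203.0.113.53    4c22   Q [0001   D   NOERROR] A      (5)badc2(7)example(3)net(0)
1/20/2015 10:05:12 AM 0F2C PACKET  00000000029A8C20 UDP Rcv 203.0.113.53    4c22 R Q [8081   DR  NOERROR] A      (5)badc2(7)example(3)net(0)
1/20/2015 10:05:12 AM 0F2C PACKET  00000000029A8A70 UDP Snd 192.168.1.50    8b1a R Q [8081   DR  NOERROR] A      (5)badc2(7)example(3)net(0)
1/20/2015 10:05:13 AM 0F2C PACKET  00000000029A8D10 UDP Rcv 192.168.1.77    9900   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
"""

def decode_qname(qname):
    """'(3)www(7)example(3)com(0)' -> 'www.example.com' (labels are length-prefixed in the log)."""
    return ".".join(label for label in re.split(r"\(\d+\)", qname) if label)

def parse_dns_log(text):
    """Parse every packet line; header lines and anything else that does not fit are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["qname"] = decode_qname(rec["qname"]).lower()
            rec["is_query"] = rec["rsp"] is None  # responses carry the 'R' flag after the xid
            records.append(rec)
    return records

def attribute_lookup(text, suspect_domain):
    """Return (clients, upstreams) for the domain named in the ATP alert:
    clients   = internal IPs whose standard queries the DC received (Rcv) -> count
    upstreams = resolvers the DC sent the query on to (Snd) -> count; this is the
    outbound traffic the UTM attributes to the DC itself."""
    suspect = suspect_domain.lower().rstrip(".")
    clients, upstreams = {}, {}
    for rec in parse_dns_log(text):
        if not rec["is_query"] or rec["op"] != "Q" or rec["qname"] != suspect:
            continue
        bucket = clients if rec["dir"] == "Rcv" else upstreams
        bucket[rec["ip"]] = bucket.get(rec["ip"], 0) + 1
    return clients, upstreams
```

Run `attribute_lookup(open(r"C:\windows\system32\dns\dns.log").read(), "<domain from the alert>")` on the real log; the `clients` dictionary is the list of internal hosts to investigate, while `upstreams` shows the forwarder traffic that triggered the alert.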

