ESA Conecting to Phishing and Malware Domains

cmoralesh83
Level 1

Hi,

 

I have a very odd problem. Since I established a DNS policy in my FMC to prevent malicious DNS responses, I have detected that my ESA is making queries to a malicious site. Those are being blocked by the ASA, but still... why is the ESA making those malicious connections? Can someone explain this scenario?

I'm uploading the SI analysis and the IoC marked on the ESA.

I'd appreciate some feedback.

 

Thanks

 

3 Replies

Marvin Rhoads
Hall of Fame

Is your ESA in the path for outbound email?

Not at all, we only have the inbound license and our mail server is handling the outgoing mail.

That's really odd. According to the Admin Guide section on necessary communications paths:

 

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_appendix_0101110.html

 

...none of that should be happening. I would try looking at a capture of some of the packets and verifying they are coming from the ESA and not from something else spoofing/duplicating its IP address. If it is indeed coming from the ESA then I would open a TAC case straight away.
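The check suggested above (is the traffic really from the ESA, or from another host using its IP?) can be automated over a capture taken on the ESA's segment. The following is an added example, not code from the thread or from Cisco: it parses the output of `tcpdump -e -n port 53` (Ethernet header shown, no name resolution) and splits every DNS query that carries the ESA's IP address into three buckets: queries whose source MAC is the ESA's and whose name matches an allow-list of expected destinations, queries from the ESA's MAC to anything else (the case that warrants a TAC case), and queries that carry the ESA's IP but a different source MAC (a spoofed or duplicated address). The sample capture lines, the IP/MAC values, and the `vendor.example` allow-list entry are constructed placeholders; a real allow-list would be built from the communication-paths appendix linked above.

```python
import re

# One line of `tcpdump -e -n port 53` output (assumed format, e.g.
# "<ts> <smac> > <dmac>, ethertype IPv4 (0x0800), length N: "
# "<sip>.<sport> > <dip>.53: <id>+ <qtype>? <qname>. (len)").
TCPDUMP_DNS = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dip>\d+(?:\.\d+){3})\.53: "
    r"\d+\+?(?: \[[^\]]*\])? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)\. \(\d+\)$"
)

# Constructed sample capture: three queries claiming the ESA's IP (one from a
# foreign MAC), one unrelated host, and one DNS response line that is skipped.
SAMPLE_CAPTURE = """\
10:00:01.000001 00:50:56:aa:bb:01 > 00:50:56:ff:ff:01, ethertype IPv4 (0x0800), length 74: 10.1.1.10.40001 > 10.1.1.53.53: 1001+ A? updates.vendor.example. (40)
10:00:01.000500 00:50:56:ff:ff:01 > 00:50:56:aa:bb:01, ethertype IPv4 (0x0800), length 90: 10.1.1.53.53 > 10.1.1.10.40001: 1001 1/0/0 A 203.0.113.5 (56)
10:00:02.000002 00:50:56:aa:bb:01 > 00:50:56:ff:ff:01, ethertype IPv4 (0x0800), length 74: 10.1.1.10.40002 > 10.1.1.53.53: 1002+ A? evil.example. (30)
10:00:03.000003 00:50:56:cc:dd:99 > 00:50:56:ff:ff:01, ethertype IPv4 (0x0800), length 74: 10.1.1.10.40003 > 10.1.1.53.53: 1003+ A? bad.example. (29)
10:00:04.000004 00:50:56:aa:bb:02 > 00:50:56:ff:ff:01, ethertype IPv4 (0x0800), length 74: 10.1.1.20.40004 > 10.1.1.53.53: 1004+ A? www.example.com. (33)
"""

# Assumed identity of the ESA (placeholders) and an assumed allow-list of
# domain suffixes the appliance is expected to resolve.
ESA_IP = "10.1.1.10"
ESA_MAC = "00:50:56:aa:bb:01"
EXPECTED_SUFFIXES = ("vendor.example",)


def parse_dns_queries(capture_text):
    """Yield a dict per recognised DNS query line; other lines are ignored."""
    for line in capture_text.splitlines():
        m = TCPDUMP_DNS.match(line.strip())
        if m:
            q = m.groupdict()
            q["qname"] = q["qname"].lower()
            q["smac"] = q["smac"].lower()
            yield q


def triage(capture_text, esa_ip, esa_mac, expected_suffixes):
    """Bucket every query that carries the ESA's IP by source MAC and name."""
    esa_mac = esa_mac.lower()
    result = {"expected": [], "esa_anomaly": [], "spoofed_ip": []}
    for q in parse_dns_queries(capture_text):
        if q["sip"] != esa_ip:
            continue  # some other host; not the question being asked
        if q["smac"] != esa_mac:
            # ESA's IP on the wire, but a different NIC sent it:
            # IP spoofing or a duplicate address, not the ESA.
            result["spoofed_ip"].append((q["qname"], q["smac"]))
        elif any(q["qname"] == s or q["qname"].endswith("." + s)
                 for s in expected_suffixes):
            result["expected"].append(q["qname"])
        else:
            # Genuinely from the ESA's MAC, to a name outside the allow-list.
            result["esa_anomaly"].append(q["qname"])
    return result


def verdict(result):
    """One-line summary of what the capture proves."""
    if result["spoofed_ip"]:
        return "another host is using the ESA's IP address"
    if result["esa_anomaly"]:
        return "queries originate from the ESA itself; open a TAC case"
    return "only expected destinations seen"


if __name__ == "__main__":
    r = triage(SAMPLE_CAPTURE, ESA_IP, ESA_MAC, EXPECTED_SUFFIXES)
    for bucket, items in r.items():
        print(f"{bucket}: {items}")
    print(verdict(r))
```

Take the capture on a span of the ESA's switch port, or on the ESA itself, rather than on the ASA, since the firewall only sees the IP header; the source MAC is what separates "the ESA sent it" from "something else is using its address". If the foreign MAC shows up, check the switch's MAC table for that address before assuming the appliance is compromised.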
