cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

3452
Views
0
Helpful
1
Replies
enidvallja
Beginner

MALWARE-CNC Win.Trojan.Zeus variant outbound connection

Hello,

I've seen this alert a couple of weeks ago: "MALWARE-CNC Win.Trojan.Zeus variant outbound connection".

I did a full scan manually on the PC that the alert was pointing and it found nothing.

How can I check if it is a false positive or a true malware? And how can I see what is causing this? 

Thank you.

Enid.

1 REPLY 1
Dinesh Verma
Cisco Employee

Hi Enid,

For this intrusion alert there are almost 23-25  SIDs. Can you go to intrusion events and take a note of SID? Also, you can download that packet from intrusion event page, open it up in wireshark & take a look to content if that matched with SID.

It's not that something exist on your PC locally. Clients are reaching out to internet and the pattern in the packet matches with SID, that's why you see those alerts. 

Maybe you can open up a TAC case and provide us the download packet and we can verify it for you. If that's something false positive, we would let you know. 

Attached screenshot for SID ref.

Regards,

Dv

Content for Community-Ad