[ES] Multiple terminals detected accessing a malicious domain through SIP, but ES cannot kill it
Problem Description
Multiple terminals are accessing malicious domains through SIP, but ES cannot detect and kill them.
Alarm Information
Effective Troubleshooting Steps
- Confirm that the domain is a malicious domain (BTC mining).
- Check the computer's Windows domain. The Windows domain name turns out to match the malicious domain name.
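
One way to carry out the second check on an affected terminal, as an added PowerShell example that is not part of the original case: it compares the computer's Windows domain and DNS suffixes with the domain named in the SIP alarm. `flagged.example` is a placeholder for that domain, the helper names are hypothetical, and the DnsClient cmdlets are assumed to be available (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the original case.
# Placeholder: replace with the domain named in the SIP alarm.
$FlaggedDomain = 'flagged.example'

function Test-DomainMatch {
    # True when $Name equals $Flagged or is a subdomain of it (label boundary).
    param([string]$Name, [string]$Flagged)
    if ([string]::IsNullOrWhiteSpace($Name)) { return $false }
    $n = $Name.Trim().TrimEnd('.').ToLowerInvariant()
    $f = $Flagged.Trim().TrimEnd('.').ToLowerInvariant()
    return ($n -eq $f) -or $n.EndsWith(".$f")
}

$found = New-Object System.Collections.Generic.List[object]
function Add-Candidate {
    # Record one locally configured name together with the comparison result.
    param([string]$Source, [string]$Value)
    if (-not [string]::IsNullOrWhiteSpace($Value)) {
        $found.Add([pscustomobject]@{
            Source = $Source
            Value  = $Value
            Match  = Test-DomainMatch -Name $Value -Flagged $FlaggedDomain
        })
    }
}

# Windows (AD) domain. In a workgroup this property holds the workgroup name, so skip it.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) { Add-Candidate 'Windows domain' $cs.Domain }

# Primary DNS suffix of the computer.
$tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Add-Candidate 'Primary DNS suffix' $tcpip.Domain

# Per-adapter suffixes and the global suffix search list.
foreach ($s in (Get-DnsClient).ConnectionSpecificSuffix) { Add-Candidate 'Adapter DNS suffix' $s }
foreach ($s in (Get-DnsClientGlobalSetting).SuffixSearchList) { Add-Candidate 'Suffix search list' $s }

$found | Sort-Object Source, Value -Unique | Format-Table -AutoSize
if ($found | Where-Object Match) {
    "Local domain configuration matches '$FlaggedDomain'."
} else {
    "No local domain or DNS suffix matches '$FlaggedDomain'."
}
```

A match on the `Windows domain` row corresponds to the finding in this case.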

Solution
Change the Windows domain name or whitelist this event on SIP.
Original Link
https://support.sangfor.com.cn/cases/list?product_id=16&type=1&category_id=2690&isOpen=true