https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-and-Management-logs/m-p/145083#M22654 <P>Were these log references for port 1027 in the "source port" field?&nbsp; If so you have have nothing to worry about, the ICKiller trojan used a fixed port of 1027 in the distant past.&nbsp; What happened is TCP on the initiating system chose source port 1027 from the ephemeral range of 1024-65535 for a new TCP connection, and it happened to match the included service object ICKiller.&nbsp; What you are seeing in the log is a simple mapping from a port number to a name, not an indicator of compromise.</P> Wed, 30 Mar 2022 16:45:05 GMT Timothy_Hall 2022-03-30T16:45:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-and-Management-logs/m-p/145041#M22647 <P>We use multiple checkpoint gateways ... we have times where we try to decode the logging entries.</P><P>We had recent log entries, which stated that a server has used network communication on port 1027(ICKiller).</P><P>A Windows Trojan!! <A href="https://threatwiki.checkpoint.com/threatwiki/public.htm" target="_blank" rel="noopener">https://threatwiki.checkpoint.com/threatwiki/public.htm</A></P><P>Now the research on the Server using an Antivirus - tool could not find any suspected infection.</P><P>According to checkpoint are the security gateways detects suspicious communication based on signature inside the packet. Is that the case even when Antivirus Blade is not active? Is the default Intrusion Detection System able accurately to identify threats</P><P>&nbsp;</P> Wed, 30 Mar 2022 10:57:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-and-Management-logs/m-p/145041#M22647 Sajenthiran_Mic 2022-03-30T10:57:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-and-Management-logs/m-p/145050#M22649 <P>I had seen this before, so my educated guess is that those threats are detected properly even when AV is not on, but I will let someone from CP give you an official statement / answer.</P> Wed, 30 Mar 2022 11:53:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-and-Management-logs/m-p/145050#M22649 the_rock 2022-03-30T11:53:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-and-Management-logs/m-p/145083#M22654 <P>Were these log references for port 1027 in the "source port" field?&nbsp; If so you have have nothing to worry about, the ICKiller trojan used a fixed port of 1027 in the distant past.&nbsp; What happened is TCP on the initiating system chose source port 1027 from the ephemeral range of 1024-65535 for a new TCP connection, and it happened to match the included service object ICKiller.&nbsp; What you are seeing in the log is a simple mapping from a port number to a name, not an indicator of compromise.</P> Wed, 30 Mar 2022 16:45:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-and-Management-logs/m-p/145083#M22654 Timothy_Hall 2022-03-30T16:45:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-and-Management-logs/m-p/145143#M22741 <P>How do we destingushe between a simple source port mapping instant and a real issue? based on the Firewall logs?</P><P>&nbsp;</P> Thu, 31 Mar 2022 13:39:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-and-Management-logs/m-p/145143#M22741 Sajenthiran_Mic 2022-03-31T13:39:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-and-Management-logs/m-p/145149#M22744 <P>What about the log entry led you to believe there was a problem?</P> <P>Just the name in the Service field? If so, find the service object and disable "Match for Any", or delete the object. You could also disable name resolution before using the logs.</P> Thu, 31 Mar 2022 14:06:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-and-Management-logs/m-p/145149#M22744 Bob_Zimmerman 2022-03-31T14:06:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-and-Management-logs/m-p/145150#M22745 <P>Not much you can ascertain based on that simple firewall log.<BR />Threat Prevention logs may be more actionable.</P> Thu, 31 Mar 2022 14:10:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-and-Management-logs/m-p/145150#M22745 PhoneBoy 2022-03-31T14:10:47Z