topic Re: Useless logs in SMB appliances in Spark Firewall (SMB)

Useless logs in SMB appliances

Vladimir — Tue, 26 Mar 2019 00:14:41 GMT

Can someone explain what actionable information is available in this log entry:

Except an acknowledgement that the gateway recognized malicious binary but was not able to prevent its download?

There is no way I can see that allow us to identify the binary from the information displayed.

Re: Useless logs in SMB appliances

PhoneBoy — Tue, 26 Mar 2019 01:54:56 GMT

It doesn't list a URL, site, or anything? What do other logs around that time for that host say?

Re: Useless logs in SMB appliances

Vladimir — Tue, 26 Mar 2019 13:00:13 GMT

@PhoneBoy , If you look closely at the log shown, you'll see that it only shows date, not time of the incident. We have only option to "View Host Logs" from the "Infected Hosts" section.

This opens up logs filtered by the host's IP with the current date and time.

The SMB appliances log query does not permit multiple filters, but only one:

So we have to either scroll back to the date and look at ALL THE LOGS for that host or filter by the host and look for ALL THE LOGS for that date.

What do you think the likelihood of finding what we are looking for?

Re: Useless logs in SMB appliances

PhoneBoy — Tue, 26 Mar 2019 21:39:05 GMT

Can you find the relevant log entries via the Protection Name (which should be unique enough)?

Re: Useless logs in SMB appliances

Vladimir — Tue, 26 Mar 2019 23:47:02 GMT

Found it using the method you suggested.

Few notes though:

1. Would be nice if the "Open Host Logs" from TP would go to the event, not to current logs.

2. Actual event log indicated that the download was prevented, while TP notice indicates "Possible Infected Host."

3. There is no export or copy option for the events for reporting to the offending party.