https://community.checkpoint.com/t5/Spark-Firewall-SMB/Security-Logs/m-p/129456#M5755 <P>Hello, I have recently had some doubts about some security logs in a 790 firewall, such as the following three examples:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="checkpoint_790_2021-09-14_21-58-42.jpg" style="width: 857px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/13713iBB68846C98781AEE/image-size/large?v=v2&amp;px=999" role="button" title="checkpoint_790_2021-09-14_21-58-42.jpg" alt="checkpoint_790_2021-09-14_21-58-42.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="checkpoint_790_2021-09-14_21-59-05.jpg" style="width: 854px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/13712iF0B34C995FB11173/image-size/large?v=v2&amp;px=999" role="button" title="checkpoint_790_2021-09-14_21-59-05.jpg" alt="checkpoint_790_2021-09-14_21-59-05.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="checkpoint_790_2021-09-14_22-04-13.jpg" style="width: 849px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/13714i3A358A254A47EA7F/image-size/large?v=v2&amp;px=999" role="button" title="checkpoint_790_2021-09-14_22-04-13.jpg" alt="checkpoint_790_2021-09-14_22-04-13.jpg" /></span></P><P>Both the source and the destination are servers on the same network segment, for example 180.80.0.0/24. The three events shown are sourced by the same server (180.80.0.10) but at two destinations (180.80.0.13, 180.80.0.14). This leads me to think that the 180.80.0.10 server has malware, but it has the Harmony Endpoint installed, I have verified and everything seems to be fine.</P><P>But the alerts keep coming constantly, what can I do in this case?</P><P>While on the other console of the 790, it tells me that it is infected.</P><P>_<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="checkpoint_790_2021-09-14_22-23-26.jpg" style="width: 445px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/13715i2A8E7181FD5AFC83/image-size/large?v=v2&amp;px=999" role="button" title="checkpoint_790_2021-09-14_22-23-26.jpg" alt="checkpoint_790_2021-09-14_22-23-26.jpg" /></span></P> Wed, 15 Sep 2021 03:25:12 GMT gazette 2021-09-15T03:25:12Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Security-Logs/m-p/129456#M5755 <P>Hello, I have recently had some doubts about some security logs in a 790 firewall, such as the following three examples:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="checkpoint_790_2021-09-14_21-58-42.jpg" style="width: 857px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/13713iBB68846C98781AEE/image-size/large?v=v2&amp;px=999" role="button" title="checkpoint_790_2021-09-14_21-58-42.jpg" alt="checkpoint_790_2021-09-14_21-58-42.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="checkpoint_790_2021-09-14_21-59-05.jpg" style="width: 854px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/13712iF0B34C995FB11173/image-size/large?v=v2&amp;px=999" role="button" title="checkpoint_790_2021-09-14_21-59-05.jpg" alt="checkpoint_790_2021-09-14_21-59-05.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="checkpoint_790_2021-09-14_22-04-13.jpg" style="width: 849px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/13714i3A358A254A47EA7F/image-size/large?v=v2&amp;px=999" role="button" title="checkpoint_790_2021-09-14_22-04-13.jpg" alt="checkpoint_790_2021-09-14_22-04-13.jpg" /></span></P><P>Both the source and the destination are servers on the same network segment, for example 180.80.0.0/24. The three events shown are sourced by the same server (180.80.0.10) but at two destinations (180.80.0.13, 180.80.0.14). This leads me to think that the 180.80.0.10 server has malware, but it has the Harmony Endpoint installed, I have verified and everything seems to be fine.</P><P>But the alerts keep coming constantly, what can I do in this case?</P><P>While on the other console of the 790, it tells me that it is infected.</P><P>_<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="checkpoint_790_2021-09-14_22-23-26.jpg" style="width: 445px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/13715i2A8E7181FD5AFC83/image-size/large?v=v2&amp;px=999" role="button" title="checkpoint_790_2021-09-14_22-23-26.jpg" alt="checkpoint_790_2021-09-14_22-23-26.jpg" /></span></P> Wed, 15 Sep 2021 03:25:12 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Security-Logs/m-p/129456#M5755 gazette 2021-09-15T03:25:12Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Security-Logs/m-p/129460#M5756 <P>Could very well be false positives.<BR />Packet captures and a TAC case are definitely in order.</P> Wed, 15 Sep 2021 05:29:09 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Security-Logs/m-p/129460#M5756 PhoneBoy 2021-09-15T05:29:09Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Security-Logs/m-p/129471#M5758 <P>I would assume a false positive as the traffic is local, not to a C&amp;C server...</P> Wed, 15 Sep 2021 08:21:21 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Security-Logs/m-p/129471#M5758 G_W_Albrecht 2021-09-15T08:21:21Z