This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Saranya_0305
Collaborator
‎2025-06-17 11:09 PM

Clarification on DNS Reputation Logs

Dear Team,

I have obeserved in the Generaloverview tab of Smartview of The Management Server that there are Some critical attacks which werenot prevented by Policy.

When went through the logs most of them wre with

Protection name : "DNS Reputation"
Description: Connection was allowed because background classification mode was set. See sk74120 for more information
Action : Detect

When I go through the 74120, as per my understanding if there is no cache information about the resource, as the mode is set to Background and Checkpoint will continue its categorization and connection was allowed.

After the classification was found a detect log was generated.

I want to know was the connection is abnormal and any malicious data was received by endpoint user?

What is mean by Infected hosts in General overview? is the endpoints are infected?

How can I investigate further about these logs?

For reference I have attached the one of the log screenshot.

Preview file
104 KB
Preview file
49 KB
Preview file
167 KB
0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2025-06-18 03:13 PM

A DNS query should merely contain the desired FDQN and the IPs they resolve to.
The FDQN requested might leak a small amount of data but isolated instances of this don't necessarily indicate an issue (at least not without other indicators being present).

0 Kudos
Saranya_0305
Collaborator
‎2025-06-19 04:00 AM
In response to PhoneBoy

Dear Team,
 
Thank you for the Heads up!
 
As per my understanding, 
 
For the DNS Tunneling, first the endpoint should be compromised for DNS Tunneling.
 
Protection Type: DNS Trap , where the Checkpoint will give the Bogus IP and responds to the client as it is DNS server.
 
My query is here in this case,
 
1) The Protection Type: DNS Reputation, what does this protection type does?
 
2) Here is the endpoints is trying to access Malicious sites?
 
From the logs,
 
3) In the Forensics Details,
          Resource: info-update.org 
          Action Details: Bypass
Is the Resource is the site that the endpoint is try to access? If yes, as the action details mentioned  "bypass " is it succeeded to access the site?
 
4) Action: Detect, what does this Detect log means?
 
Form the logs, I observed some bytes of data has been transferred
    Sent Bytes:286.7M
    Received Bytes:652.2M 
 
As per my knowledge some data has been transferred when we query for any DNS query.
 
Is there any limitation for Sent and received data bytes, because I observe some of the other logs have Sent and Received Bytes is Gigabytes, is it abnormal?
 
Please assist me in this, if I am wrong in my understanding please guide me.

 

Regards,

Saranya

0 Kudos
Saranya_0305
Collaborator
‎2025-06-19 07:36 AM
In response to Saranya_0305

Dear Team,

Along with the previous queries,

I have observed that the Source IP in the logs are Firewalls Internal or External IP are replicating.

How the Firewall itself try to access the URL or Destination(Google DNS Server or Internal DNS Server ) ?

Source: Firewalls Internal or External Interface IPs

Destination: Google DNS or Internal DNS Server

My thought on this 

Based on the description "Connection was allowed because background classification mode was set. See sk74120 for more information"

The firewall has no information about the URL in its cache, it try to get the information from the Cloud, but here the destination is should be Checkpoint Cloud.

If it is not the case I have configured my TP Engine settings as Hold.

For reference I attached the screenshot of the TE profile and TE Engine Settings.

 

Please correct me if I am wrong.

 

Regards,

Saranya

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2025-06-23 09:59 AM
In response to Saranya_0305

DNS Reputation refers to domains that we've seen significant malicious activity from.
This is different from URL Filtering, which pulls from a different database than Threat Prevention.
However, that is also showing the site as malicious: 

image.png

A "Detect" means the traffic was ultimately allowed to pass because of your configuration.
Given the amount of data transferred, it seems likely this system has been compromised somehow.

If it were me, if you haven't already done so, I'd be activating my organization's incident response plan.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events