Blocking C&C communication

Hello All,

My logs are showing Qbot on my network, and some compromised hosts within the network are attempting to connect to a malicious site operating as a C&C (command and control) server.

What Anti-Bot / Threat Prevention policy can I implement to prevent these connections and mitigate the risk?

Attached is a snapshot of the description.

Accepted Solutions
Pearl

Re: Blocking C&C communication

Change the corresponding Threat Prevention actions from "Detect" to "Protect", either by choosing the "Recommended" profile or by replicating it and adjusting it manually:

Threat Prevention action profiles

Clean up all the hosts being logged as compromised ASAP.

Your best bet is to take all the infected machines offline and perform a clean re-install from bootable media.

And then start working on lateral threat propagation detection and remediation.


Re: Blocking C&C communication

Thanks Vladimir,

Your first recommendation was already implemented before my posting.

I guess I will have to find the infected systems and perform a clean re-install.

Re: Blocking C&C communication

Look closer at your log entry: the information on why it is only detected is included directly in it!

The "Description" field contains the following information:

DNS response was replaced with a DNS trap bogus IP

sk74060 is also mentioned there, where everything regarding the DNS trap feature is explained.

Also keep in mind that by default DNS traffic is always handled in background mode (since R75.47 / R76), as a hold might cause DNS timeouts. So there might also be DNS detects because classification has not completed yet.

This behavior is documented in sk92224.
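To tie the advice in this thread together, here is an added Python example (not from the thread, and not Check Point's own code or log schema) that triages constructed Anti-Bot style log lines. It collects the bogus IPs handed out in DNS trap events, lists the internal hosts that later connected to one of them (the hosts Pearl says to take offline and re-image), and separates Detect events on DNS itself, which the last reply explains are expected under background mode, from Detect events on other traffic, which point at a profile still set to Detect. The key=value format, the field names (`trap_ip`, `dport`, `action` and so on), the `Prevent` action name and all addresses are constructed assumptions.

```python
"""Triage constructed Anti-Bot log lines: which hosts need re-imaging, and
which events were only detected rather than blocked.

Added example for this thread. The key=value format, field names and sample
lines are constructed and are not Check Point's actual log schema.
"""
import ipaddress
import re

# Constructed sample logs. A DNS trap event records the bogus IP the gateway
# put into the DNS answer; a later connection to that IP from an internal host
# exposes the real infected machine even when the DNS query itself came from
# an internal resolver (10.0.0.53 here).
SAMPLE_LOGS = [
    'time=10:00:01 blade=Anti-Bot action=Detect src=10.0.0.53 dst=8.8.8.8 proto=udp dport=53 '
    'protection="Qbot C&C" description="DNS response was replaced with a DNS trap bogus IP" trap_ip=192.0.2.1',
    'time=10:00:02 blade=Anti-Bot action=Detect src=10.0.1.17 dst=192.0.2.1 proto=tcp dport=443 '
    'protection="Qbot C&C" description="Connection to DNS trap bogus IP"',
    'time=10:00:03 blade=Anti-Bot action=Detect src=10.0.1.23 dst=192.0.2.1 proto=tcp dport=443 '
    'protection="Qbot C&C" description="Connection to DNS trap bogus IP"',
    'time=10:00:04 blade=Anti-Bot action=Prevent src=10.0.1.17 dst=198.51.100.7 proto=tcp dport=8443 '
    'protection="Qbot C&C" description="Blocked outbound C&C connection"',
    'time=10:00:05 blade=Anti-Bot action=Detect src=10.0.0.53 dst=8.8.8.8 proto=udp dport=53 '
    'protection="Qbot C&C" description="DNS query classification not completed (background mode)"',
]

# key=value pairs; values may be quoted strings containing spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def triage(lines, internal_net="10.0.0.0/8"):
    """Correlate DNS trap events with later connections to the trap IP.

    Returns a dict with:
      trap_ips           bogus IPs the gateway handed out in DNS answers
      compromised_hosts  internal hosts that then tried to reach a trap IP
      dns_detects        Detect events on DNS itself (expected in background mode)
      non_dns_detects    Detect events on other traffic (profile still on Detect)
      prevented          events the gateway actually blocked
    """
    net = ipaddress.ip_network(internal_net)
    events = [parse_line(line) for line in lines]

    # Gather every bogus IP first so event ordering does not matter.
    trap_ips = {e["trap_ip"] for e in events if "trap_ip" in e}

    compromised = set()
    dns_detects = non_dns_detects = prevented = 0
    for e in events:
        action = e.get("action")
        if action == "Prevent":
            prevented += 1
        elif action == "Detect":
            if e.get("dport") == "53":
                dns_detects += 1
            else:
                non_dns_detects += 1

        # Any internal host connecting to a trap IP followed a poisoned-in-purpose
        # DNS answer for a malicious name: it is the host to isolate and re-image.
        src = e.get("src")
        if src and e.get("dst") in trap_ips and ipaddress.ip_address(src) in net:
            compromised.add(src)

    return {
        "trap_ips": trap_ips,
        "compromised_hosts": sorted(compromised),
        "dns_detects": dns_detects,
        "non_dns_detects": non_dns_detects,
        "prevented": prevented,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    print("Hosts to take offline and re-image:", ", ".join(result["compromised_hosts"]))
    print("Detect events on DNS (background mode, expected):", result["dns_detects"])
    print("Detect events on other traffic (profile still on Detect):", result["non_dns_detects"])
    print("Blocked events:", result["prevented"])
```

The split between DNS and non-DNS detects is the point to take from the last reply: a Detect on port 53 can simply mean classification had not finished when the answer was let through, whereas a Detect on the follow-up TCP connection means the profile action itself still allows the traffic. The resolver 10.0.0.53 never appears in `compromised_hosts`, because only the hosts that actually connected to the bogus IP are the ones to clean up.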