Jeff_Gao
Nickel

Discussion SMB scan problem

Dear all

I want to discuss an SMB scan problem with you.

I found a lot of scanning attacks with the Check Point FW, but all the scanning is just identified as firewall sessions and is not identified by the TP module. Why is this?

smb scan.png

I found that all vendors' firewalls cannot identify this kind of SMB scan.

Thanks!


Re: Discussion SMB scan problem

Why not ask this in SMB Appliances and SMP? Please check your screenshot, as I do not understand what you mean! I can just see internal user 10.110.33.178 connecting by TCP/445 to various internet IPs. The Rulebase Accepts the connections with Outgoing Rule 9. Nothing wrong here...

Jeff_Gao
Nickel

Re: Discussion SMB scan problem

I confirm that 10.110.33.178 is affected by a virus and this IP is scanning port 445. So I want to know why the NGFW cannot identify this kind of behavior as a threat.

Re: Discussion SMB scan problem

I think the first question would need to be: Why is 445 open towards the internet? NGFW is only adding Application Control and IPS. There is no correlation in either blade; blades like Anti-Virus and Anti-Bot would be more suited to block this kind of attack.
Regards, Maarten
Admin

Re: Discussion SMB scan problem

Without knowing the nature of the scanning, I can't say whether or not we would detect this.
If you haven't already cleaned the system, take some packet captures from the infected system and open a TAC case.

In general, I'm with everyone else on this thread: there's no reason SMB should be open outbound to the Internet.
Employee

Re: Discussion SMB scan problem


If you think this is a virus communication which is not recognized, open a Check Point TAC ticket.
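
The pattern discussed in this thread (one internal host opening accepted TCP/445 sessions to many different Internet addresses) can be surfaced from firewall logs by counting distinct external destinations per source in a sliding window. This is an added example, not part of the original thread and not Check Point tooling; the CSV layout, the threshold and the window are assumptions, and the log rows are constructed.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 space is "internal"; adjust to the site's own networks.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def find_smb_fanout(log_text, threshold=20, window=timedelta(minutes=5)):
    """Map each internal source to its peak count of distinct external TCP/445
    destinations inside any sliding window, keeping sources at/above threshold."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["proto"] != "tcp" or row["dport"] != "445":
            continue
        if is_internal(row["src"]) and not is_internal(row["dst"]):
            events[row["src"]].append((datetime.fromisoformat(row["time"]), row["dst"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, in_window, peak = 0, defaultdict(int), 0
        for ts, dst in evs:
            in_window[dst] += 1
            while ts - evs[start][0] > window:  # drop sessions older than the window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def sample_log():
    """Constructed rows in a hypothetical CSV layout (not a Check Point export)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    rows = ["time,src,dst,proto,dport,action"]
    for i in range(1, 31):  # scanning host: 30 Internet targets in one minute
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        rows.append(f"{ts},10.110.33.178,203.0.113.{i},tcp,445,accept")
    for dst, port in (("10.110.1.5", 445), ("203.0.113.7", 445), ("203.0.113.8", 443)):
        rows.append(f"{t0.isoformat()},10.110.33.20,{dst},tcp,{port},accept")  # normal host
    return "\n".join(rows)

print(find_smb_fanout(sample_log()))
```

Each session on its own looks like an ordinary accepted connection, so the signal only appears when sessions are correlated per source; internal file-server traffic and single outbound connections stay below the threshold.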
