cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question
Highlighted
Network_M
Copper

Infected hosts - but prevented

Jump to solution

In Smartview, in General Overview, there is written "Infected hosts" and shows quantity.

Infected hosts means - infected pcs as far as I understand.

But, when analyzing infected hosts, all of infections were prevented by blades.

If they had been prevented, why it is written "Infected hosts"?

How can we understand it clearly?

Tags (1)
1 Solution

Accepted Solutions
Admin
Admin

Re: Infected hosts - but prevented

Jump to solution

Anti-Bot in particular is considered a "post infection" blade.

Which means a host is considered infected (or at least potentially so) if it triggers an Anti-Bot signature.

8 Replies
Admin
Admin

Re: Infected hosts - but prevented

Jump to solution

Anti-Bot in particular is considered a "post infection" blade.

Which means a host is considered infected (or at least potentially so) if it triggers an Anti-Bot signature.

Network_M
Copper

Re: Infected hosts - but prevented

Jump to solution

Then, firstly Bot infects host,

and after that Anti-Bot blade starts to work and prevents that, am I right?

First step infection, second prevention ?

0 Kudos
Admin
Admin

Re: Infected hosts - but prevented

Jump to solution

Check Point is not "infecting" a host.

What is being blocked by Anti-Bot is attempts by a host to communicate directly with known bot command and control sites and/or other malicious sites—sites users wouldn't generally visit on their own.

You should be able to click on the number of infected hosts in the SmartEvent dashboard to see exactly why in your specific case the host is tagged as being counted in this way.

Kim_Moberg
Silver

Re: Infected hosts - but prevented

Jump to solution

Also recommended to enable dns-trap if you use a local dns forward to an external dns server like google 8.8.8.8

Best Regards
Kim
0 Kudos
Network_M
Copper

Re: Infected hosts - but prevented

Jump to solution

If I enable DNS-Trap, will it mean that viruses and bots won't enter into my hosts via DNS requests ?

0 Kudos
Nüüül
Silver

Re: Infected hosts - but prevented

Jump to solution

Hi,

The fact, that checkpoint recognized the host as infected doesn´t mean, the infection came via the firewall. For example some kind of bad USB sticks. Or email attachements or what ever...

Anti Bot recognizes the communication to command and control servers and following to this states the host as infected.

Spreading might () be possible to be prevented i.e. by functioning IPS

DNS Trap does answer DNS request for known malicious domains with fake IPs. More informations:

Anti-Virus Malware DNS Trap feature 

Even though your firewall recognizes your host as infected, does NOT mean, that it will heal the host. There is still something bad going on on the client...

Regards,

Daniel

Re: Infected hosts - but prevented

Jump to solution

DNS-Trap has nothing to do with preventing infection via DNS.

DNS-Trap is responsible for returning fake IPs when the host requests for the IP address of a bot related site. This way the host will try to transmit whatever it wanted to transmit to the fake IP.

If the host is in fact infected the connection to the fake IP will probably be malicious and this will help you identify if this is in fact a bot and not a false positive.

0 Kudos

Re: Infected hosts - but prevented

Jump to solution

As Dameon Welch Abernathy already mentioned above, Anti-Bot shows you info about blocked malicious activity from your assets that are already compromised.

For example, if a machine is already infected with a bot-ware, it will try report to C&C and/or to download additional malware modules and tools. Such activity can be detected and blocked by Anti-Bot blade, hence a number of "infected hosts" in your logs.

To learn more about functionalities and abilities of Anti-Bot and other Threat Prevention blades, please refer to the documentation: Threat Prevention Pre-R80 Security Gateways with R80 Security Management 

0 Kudos