Hi,
Based on your description in both posts, you have two different issues. The first one, from the scanners, you can block from your IPS as described above.
For the second (a large number of DNS requests from your internal network to C&C), you can configure the DNS trap with a Bogus IP. Additionally, you should block DNS requests from your internal devices to the internet and define only specific internal DNS servers.
Check Point is doing a great job on DNS and IP reputation and is adding more to the Threat Prevention blade.
The activation of the DNS trap with the Bogus IP is just for you to locate the actual device that is attempting to connect to the C&C sites. To clarify, let's look at what happens during a connection from your internal network.
a) A device from your network attempts to access xyz.com.
b) Since the IP address is unknown to the device and it needs to resolve it, it requests a DNS resolution from its DNS server.
c) Since the domain is unknown to the internal DNS server, it forwards the request to its DNS forwarder.
d) Check Point, through Threat Prevention, detects this DNS request and classifies it as malicious.
e) Your internal DNS server receives the Bogus IP from your Check Point as a reply instead of the real IP of the malicious domain.
f) Your internal DNS server sends this DNS record with the Bogus IP to your internal device.
g) Your internal device attempts to use this IP to connect to the C&C site.
Based on the above, you block access from your client to a malicious site (C&C), and you know which device is "infected" and trying to access a malicious site before it even makes a connection.
With SmartLog you can search for the Bogus IP as the destination and locate the device that is trying to connect.
With SmartEvent you will have full visibility of what is happening in your network.
Thanks,
Charris Lappas
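The flow in steps a) to g) and the SmartLog search in the reply above, as an added example that is not part of the original post or of any Check Point product: `trap_resolve` models the gateway answering a flagged domain with the Bogus IP instead of the real address, and `find_trapped_clients` does the equivalent of searching connection logs by destination to list the internal hosts that tried to reach that address. The Bogus IP (192.0.2.1, a TEST-NET-1 address), the flagged domain list, the log line format and the sample log lines are all constructed for this example.

```python
"""Added example: DNS-trap resolution and locating clients that hit the Bogus IP.

Not Check Point code; the constants, log format and sample logs are assumptions
constructed for illustration.
"""
from collections import defaultdict

# Assumed placeholder for the trap address (documentation range, not a real setting).
BOGUS_IP = "192.0.2.1"

# Constructed list of domains the gateway has classified as malicious (step d).
FLAGGED_DOMAINS = {"xyz.com"}


def trap_resolve(domain: str, real_answer: str, bogus_ip: str = BOGUS_IP) -> str:
    """Model steps d) and e): if the queried domain is flagged, the reply carries
    the Bogus IP instead of the real address; otherwise the real answer passes."""
    name = domain.strip().lower().rstrip(".")
    if name in FLAGGED_DOMAINS:
        return bogus_ip
    return real_answer


# Constructed connection-log lines in an assumed format:
# "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_CONN_LOGS = [
    "2024-01-10T09:00:01 10.1.2.3 192.0.2.1 443 drop",
    "2024-01-10T09:00:02 10.1.2.3 203.0.113.10 443 accept",
    "2024-01-10T09:00:05 10.1.5.9 192.0.2.1 80 drop",
    "2024-01-10T09:00:07 10.1.7.4 198.51.100.20 443 accept",
    "2024-01-10T09:01:30 10.1.2.3 192.0.2.1 443 drop",
    "malformed line without enough fields",
]


def find_trapped_clients(lines, bogus_ip: str = BOGUS_IP) -> dict:
    """Step g) seen from the log side: group every connection attempt whose
    destination is the Bogus IP by source host, which is the device to look at.

    Returns {src_ip: [(timestamp, dst_port, action), ...]}; lines that do not
    have the five expected fields are skipped rather than raising."""
    hits = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # ignore malformed or truncated lines
        ts, src, dst, dport, action = parts[:5]
        if dst == bogus_ip:
            hits[src].append((ts, dport, action))
    return dict(hits)


def trapped_hosts(lines, bogus_ip: str = BOGUS_IP) -> list:
    """Convenience: sorted list of source hosts with at least one hit."""
    return sorted(find_trapped_clients(lines, bogus_ip))


if __name__ == "__main__":
    # Step a)/b): a client resolves a flagged name and receives the trap address.
    print("xyz.com ->", trap_resolve("xyz.com", "203.0.113.5"))
    # A benign name resolves normally.
    print("example.org ->", trap_resolve("example.org", "203.0.113.7"))
    # Step g) from the logs: which internal devices tried to reach the Bogus IP.
    for host, attempts in find_trapped_clients(SAMPLE_CONN_LOGS).items():
        print(host, "->", len(attempts), "attempt(s) to", BOGUS_IP)
```

The grouping by source address is the useful part: a single hit may be a one-off lookup, while repeated attempts from one host over time are the pattern the reply describes for an infected device, and that host is the one to pull for investigation.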