Found bot activity

My CheckPoint Firewall 730 Appliance keeps warning me about a so-called infected device, always with the message "Infected device detected: .... is infected with a malware of high severity. Findings: found bot activity". This happens multiple times per day and I can't identify the problem. I have scanned the device multiple times and found nothing.

This actually happens on several devices.

Is this a false positive?

If not, how can I identify the source of the problem?

[attachment: Untitled.jpg]

11 Replies
Admin

You'll notice its confidence is Low.
My guess is you may have visited a site that included something from that site.

I could see that being the case for some of the workstations, but the computer with the most frequent events is a domain server, and there is no internet surfing on it.
From my understanding (I could be wrong), this particular "malware" is related to Command & Control activities, and I frequently use Remote Desktop Connection for the server, and TeamViewer and/or AnyDesk on the workstations on the Active Directory computers.
Could this be a false positive related to that?

Unfortunately it is common for an internal DNS server to get tagged by Anti-bot like this, since an internal workstation with a problem sends a suspicious request to your internal DNS server for DNS service (and this traffic does not normally pass through the firewall), then the DNS server looks up the suspicious site on behalf of the internal workstation and Anti-bot sees that traffic and flags it. One way to deal with this is to enable logging of all DNS requests on the DNS server itself, to help find which internal host is initiating the suspicious lookups.

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
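The reply above recommends logging every request on the internal DNS server so the real requester can be found. The script below is an added example (not from this thread, and not Check Point or Microsoft code) that does the attribution step: it parses a Windows DNS Server debug packet log and reports which internal client asked for a domain the gateway flagged. It assumes the log produced by DNS Manager, server Properties, Debug Logging tab (incoming packets and queries enabled), one packet per line with the query name in label-length form such as `(3)www(7)example(3)com(0)`; the sample log, the host addresses and the flagged domain `bad.example` are constructed, and in practice the domain comes from the Anti-Bot log entry.

```python
"""
Added example, not from the thread and not Check Point or Microsoft code: given
a Windows DNS Server debug log, report which internal client asked for a domain
the gateway flagged, instead of the DNS server that forwarded the lookup.

Assumptions (mine): the input is the packet log produced by DNS Manager ->
server Properties -> Debug Logging (incoming packets, queries), one packet per
line of the form "... UDP Rcv <client-ip> <xid> Q [flags] <qtype> <name>" with
the name in label-length form such as "(3)www(7)example(3)com(0)". The flagged
domain would be read from the Anti-Bot log entry; the one used here is made up.
"""
import re
from collections import Counter, defaultdict

# Fields we need from a packet line. Spacing in the real log varies, so the
# pattern is tolerant. Response lines carry "R Q [...]"; they match too but are
# filtered out below. Non-packet lines (log headers) do not match at all.
_LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+(?:\s+[AP]M)?)\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+\S+\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+"
    r"(?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+(?P<qr>Q|R\s+Q)\s+"
    r"\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<name>\(\d+\)\S*)\s*$"
)

# Constructed sample. 192.168.10.10 is the internal DNS server whose log this
# is, 203.0.113.53 its upstream forwarder, bad.example the flagged domain. The
# "Snd 203.0.113.53" line is the packet the gateway actually sees, which is why
# the gateway logs the DNS server and not the workstation.
SAMPLE_LOG = """\
DNS Server log file creation at 3/5/2020 9:00:00 AM
3/5/2020 10:12:34 AM 0D2C PACKET  000000F1A8B2C3D0 UDP Rcv 192.168.10.57   0002   Q [0001   D   NOERROR] A      (7)updates(3)bad(7)example(0)
3/5/2020 10:12:34 AM 0D2C PACKET  000000F1A8B2C3D0 UDP Snd 203.0.113.53    a1b2   Q [0001   D   NOERROR] A      (7)updates(3)bad(7)example(0)
3/5/2020 10:12:34 AM 0D2C PACKET  000000F1A8B2C3D0 UDP Rcv 203.0.113.53    a1b2 R Q [8081   DR  NOERROR] A      (7)updates(3)bad(7)example(0)
3/5/2020 10:12:35 AM 0D2C PACKET  000000F1A8B2C3D0 UDP Rcv 192.168.10.57   0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/5/2020 10:15:01 AM 0D2C PACKET  000000F1A8B2C3D0 UDP Rcv 192.168.10.88   0009   Q [0001   D   NOERROR] A      (3)cdn(3)bad(7)example(0)
3/5/2020 10:41:10 AM 0D2C PACKET  000000F1A8B2C3D0 UDP Rcv 192.168.10.57   0010   Q [0001   D   NOERROR] A      (7)updates(3)bad(7)example(0)
"""
FLAGGED_DOMAINS = {"bad.example"}   # placeholder for the domain in the Anti-Bot log


def decode_label_name(label_form):
    """'(3)www(7)example(3)com(0)' -> 'www.example.com' (lower-case, no root dot)."""
    labels = re.findall(r"\((\d+)\)([^(]*)", label_form)
    return ".".join(text for length, text in labels if int(length) > 0).lower()


def parse_debug_log(lines):
    """Yield (timestamp, client_ip, qtype, fqdn) for each query the server received."""
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if m is None or m["dir"] != "Rcv" or m["qr"] != "Q":
            continue  # headers, responses, and queries the server sent upstream
        yield (f"{m['date']} {m['time']}", m["ip"], m["qtype"], decode_label_name(m["name"]))


def is_flagged(fqdn, flagged_domains):
    """True when fqdn equals, or is a subdomain of, a flagged domain."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in flagged_domains)


def attribute_flagged_queries(lines, flagged_domains):
    """Map each internal client IP to a Counter of the flagged names it asked for."""
    hits = defaultdict(Counter)
    for _ts, client, _qtype, fqdn in parse_debug_log(lines):
        if is_flagged(fqdn, flagged_domains):
            hits[client][fqdn] += 1
    return dict(hits)


def rank_clients(hits):
    """Clients ordered by number of flagged lookups, busiest first."""
    return sorted(((ip, sum(c.values())) for ip, c in hits.items()), key=lambda t: -t[1])


if __name__ == "__main__":
    found = attribute_flagged_queries(SAMPLE_LOG.splitlines(), FLAGGED_DOMAINS)
    for ip, total in rank_clients(found):
        print(f"{ip}: {total} flagged lookup(s) -> {dict(found[ip])}")
```

Run it against the real log file instead of `SAMPLE_LOG` and put the domain from the Anti-Bot log's resource field into `FLAGGED_DOMAINS`. The Windows debug log wraps once it reaches its configured maximum size, so copy it off soon after an alert fires; if the DNS server also answers from cache, a second host that asked for the same name may not generate an upstream packet, which is why the received ("Rcv") queries, not the forwarded ones, are what this script counts.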
Nickel

As always, you share valuable experience; just let me add a comment: as Antimatt3r said, the most frequent events have been on the DNS server, but it is not the only host. There are other workstations that trigger alerts on the FW; maybe such hosts have another DNS, maybe it's another protection or another blade that logged those alerts, I don't know. So it's worth analyzing such workstations.

Forgot to mention that you can enable the "DNS trap" feature to help identify infected hosts that are having their DNS lookups handled by an internal DNS server.


Thank you for the suggestions.

I enabled logging on the DNS server, and identified devices that initiate said problem. However as far as I can tell, they are not actually infected, I've scanned them multiple times.

So it might just be regular internet browsing, and the "infected" warning is just about various ads, and spam sites that launch when you visit certain sites? In other words it's just a false positive, or a warning that appears, even though the threat itself is already blocked?

About "DNS trap" feature, I'm not actually sure how to enable it from the web interface. I actually think it's already enabled, because I think I saw it listed on "protection name" on certain events, although I'm not entirely sure. 

Where exactly is this setting?


Hmm looks like DNS Trap may not be supported on embedded Gaia when it is locally managed, but I can't find any documentation confirming that one way or the other.  @PhoneBoy?


It is supported and enabled by default, but it is only triggered for Medium or High confidence level, according to default profiles.

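The DNS Trap replies above (the suggestion to use it to identify hosts hidden behind an internal DNS server, and the note that it is on by default but only fires at Medium or High confidence in the default profile) describe an exchange that is easier to follow as a small model. The following is an added example, my own toy and not Check Point code: a gateway that logs a suspicious lookup against whoever sent it, and that, when the trap applies, returns a trap address so the real client reveals itself by connecting to it. All hosts, the domain `c2.bad.example`, the C&C address and the trap address `192.0.2.1` are constructed; the trap address is an assumption, not the product's value, and IP reputation blocking is deliberately left out.

```python
"""
Added example (mine, not Check Point code): a toy model of why an internal DNS
server ends up in the Anti-Bot log and how DNS Trap still reaches the real host.
Everything here is constructed: host addresses, the domain, the C&C address and
the trap address (192.0.2.1, documentation range, not the product's value).
"""
from dataclasses import dataclass, field

WORKSTATION = "192.168.10.57"   # the host that actually asked for the malicious name
DNS_SERVER = "192.168.10.10"    # internal resolver every client points at
REAL_C2_IP = "198.51.100.7"     # genuine answer for the malicious name
TRAP_IP = "192.0.2.1"           # assumed trap address


@dataclass
class Gateway:
    """Just enough of an Anti-Bot gateway to show attribution with and without the trap."""
    malicious_domains: dict                        # fqdn -> confidence ("Low"/"Medium"/"High")
    dns_trap_enabled: bool = True
    trap_confidences: tuple = ("Medium", "High")   # default-profile behaviour per the thread
    detections: list = field(default_factory=list)  # (source ip seen by the gateway, what)

    def inspect_dns(self, src_ip, qname, answer_ip):
        """A DNS exchange crossing the gateway. src_ip is whoever sent the query,
        which is the DNS server when clients resolve through it. Returns the
        answer the gateway lets through (the trap address when the trap applies)."""
        confidence = self.malicious_domains.get(qname)
        if confidence is None:
            return answer_ip
        self.detections.append((src_ip, f"DNS lookup of {qname} (confidence {confidence})"))
        if self.dns_trap_enabled and confidence in self.trap_confidences:
            return TRAP_IP
        return answer_ip

    def inspect_connection(self, src_ip, dst_ip):
        """A new connection crossing the gateway. A connection to the trap address
        can only come from the host that consumed the trapped answer."""
        if dst_ip == TRAP_IP:
            self.detections.append((src_ip, "connection to DNS trap address"))
            return False  # blocked
        return True  # IP reputation and other blades deliberately not modelled


def simulate(confidence, dns_trap_enabled=True):
    """Run the exchange; return (detections, answer the workstation got, allowed?)."""
    gw = Gateway({"c2.bad.example": confidence}, dns_trap_enabled)
    # 1. workstation -> DNS server: stays inside the LAN, the gateway never sees it
    # 2. DNS server -> upstream resolver: crosses the gateway, source is the DNS server
    answer = gw.inspect_dns(DNS_SERVER, "c2.bad.example", REAL_C2_IP)
    # 3. DNS server -> workstation: the (possibly trapped) answer, again internal
    # 4. workstation -> answer address: crosses the gateway, source is the real client
    allowed = gw.inspect_connection(WORKSTATION, answer)
    return gw.detections, answer, allowed


if __name__ == "__main__":
    for conf in ("High", "Low"):
        det, answer, allowed = simulate(conf)
        print(f"confidence={conf}: answer={answer} allowed={allowed}")
        for src, what in det:
            print(f"  logged against {src}: {what}")
```

With confidence High the first log line still names the DNS server, but a second line names the workstation once it connects to the trap address; with confidence Low, or with the trap off, the only line the gateway can write is the one against the DNS server, which matches what the original poster is seeing with a Low confidence detection.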

I had the same problem at a client. DHCP logs on the Windows DCs helped a bit, but did not point to the culprit.

The (Home, System) notifications section showed the events, and the Watchtower notified me, so I connected to the device and in (Logs and Monitoring) Security Logs, I entered Service:DNS. I scrolled to the approximate time and found a username associated with the event.

Once the user's Dell BIOS and Intel Management firmware were updated, the errors stopped.

In this client's case the logs seem to only go back about 8-10 hours, so I did not have the ability to go back further to aid in the search.


Not sure why it would be linked to BIOS firmware or Intel Management Engine, but anyway, since I have 50+ workstations, this problem is starting to piss me off...

Using DNS logging I have identified the so called culprits (which keep changing, a few devices today, other ones tomorrow, some of them keep repeating etc.) and thoroughly scanned the clients on multiple occasions with no results.

It even detects IPs that belong to mobile phones and even network printers.

Like I previously said, the firewall either flags normal internet browsing, when detecting certain ads and such (some of them probably legitimately malicious, even though blocked), or it detects the activity of remote desktop software such as TeamViewer and AnyDesk, which are frequent on my network and are initiated by me. I also use RDP to connect to the Server itself.

Could be the latter since the description of the "malware" is specifically about C&C, I really don't know what to make of it...


I spoke too quickly yesterday, another instance occurred, but I cannot determine the source device.

I have not been able to reproduce this issue on demand, have you been able to reproduce on demand?
