Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Antimatt3r
Participant

Found bot activity

My CheckPoint Firewall 730 Appliance keeps warning me about a so called infected device, always with the message "Infected device detected: .... is infected with a malware of high severity. Findings: found bot activity". This happens multiple times per day and I can't identify the problem. I have scanned the device multiple times and found nothing.

This actually happens on several devices.

Is this a false positive?

If not, how can I identify the source of the problem?

Untitled.jpg

0 Kudos
15 Replies
PhoneBoy
Admin
Admin

You'll notice it's confidence of Low.
My guess is you may have visited a site that may have included something from that site.
Antimatt3r
Participant

I could see that being the case for some of the workstations, but the computer with the most frequent events is a domain server, and there is no internet surfing on it.
From my understanding (I could be wrong), this particular "malware" is related to Command & Control activities, and I frequently use Remote Desktop Connection for the server, and TeamViewer and/or AnyDesk on the workstations on the Active Directory computers.
Could this be a false positive related to that?
0 Kudos
Timothy_Hall
Champion
Champion

Unfortunately it is common for an internal DNS server to get tagged by Anti-bot like this, since an internal workstation with a problem sends a suspicious request to your internal DNS server for DNS service (and this traffic does not normally pass through the firewall), then the DNS server looks up the suspicious site on behalf of the internal workstation and Anti-bot sees that traffic and flags it.  One way to deal with this is to enable logging of all DNS requests on the DNS server itself, to help find which internal host is initiating the suspicious lookups.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
LuisSP
Collaborator

As always, you have value experience that you share it, just let me add a comment: as said Antimatt3r, most frequent events has been on DNS server, but it is not unique host, there are other workstations that trigger alerts on FW, maybe such host has other DNS, maybe it's other protection or other blade that logged those alerts, I don't know. So it's worth analyze such workstations
Timothy_Hall
Champion
Champion

Forgot to mention that you can enable the "DNS trap" feature to help identify infected hosts that are having their DNS lookups handled by an internal DNS server.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Antimatt3r
Participant

Thank you for the suggestions.

I enabled logging on the DNS server, and identified devices that initiate said problem. However as far as I can tell, they are not actually infected, I've scanned them multiple times.

So it might just be regular internet browsing, and the "infected" warning is just about various ads, and spam sites that launch when you visit certain sites? In other words it's just a false positive, or a warning that appears, even though the threat itself is already blocked?

About "DNS trap" feature, I'm not actually sure how to enable it from the web interface. I actually think it's already enabled, because I think I saw it listed on "protection name" on certain events, although I'm not entirely sure. 

Where exactly is this setting?

0 Kudos
Timothy_Hall
Champion
Champion

Hmm looks like DNS Trap may not be supported on embedded Gaia when it is locally managed, but I can't find any documentation confirming that one way or the other.  @PhoneBoy?

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Pedro_Espindola
Advisor

It is supported and enabled by default, but it is only triggered for Medium or High confidence level, according to default profiles.

0 Kudos
Dick_Summers
Contributor

I had the same problem at a client.  DHCP logs on the Windows DCs helped a bit, but did not point to the culprit.

The (Home, System) notifications section showed the events, and the Watchtower notified me, so I connected to the device and in (Logs and Monitoring) Security Logs, I entered Service:DNS.  I scrolled to the approximate time and found a username associated with the event.

Once the user's Dell BIOS and Intel Management  firmware were updated, the errors stopped.

 In this client's case the logs seem to only go back about 8-10 hours, so I did not have the ability to go back further to aid in the search.

0 Kudos
Antimatt3r
Participant

Not sure why it would be linked to BIOS firmware or Intel Management Engine, but anyway since I have a 50+ workstations, this problem is starting to piss me off...

Using DNS logging I have identified the so called culprits (which keep changing, a few devices today, other ones tomorrow, some of them keep repeating etc.) and thoroughly scanned the clients on multiple occasions with no results.

It even detects IPs that belong to mobile phones and even network printers.

Like I previously said, the firewall either flags normal internet browsing, when detecting certain ads and such (some of them probably legitimately malicious, even though blocked), or it detects the activity of remote desktop software such as TeamViewer and AnyDesk, which are frequent on my network and are initiated by me. I also use RDP to connect to the Server itself.

Could be the latter since the description of the "malware" is specifically about C&C, I really don't know what to make of it...

0 Kudos
Dick_Summers
Contributor

I spoke too quickly yesterday, another instance occurred, but I cannot determine the source device.

I have not been able to reproduce this issue on demand, have you been able to reproduce on demand?

0 Kudos
Antimatt3r
Participant

Any updates on this problem? I am still bombarded with "found bot activity" events even more so than before...

0 Kudos
PhoneBoy
Admin
Admin

Best bet is to get the TAC involved so we can understand what's going on in more detail.

0 Kudos
Dick_Summers
Contributor

I found a PC on the network that had no AV installed other than Windows Defender.  The client uses Symantec, I installed the Symantec Endpoint Protection client, no issues for last 5 days.

0 Kudos
Antimatt3r
Participant

In my case I have Kaspersky Endpoint Security on all the stations, but it doesn't seem to make a difference, those pesky events are just as frequent as ever.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events