Vladimir
Champion

SMB appliance shows Infected hosts with public IPs

This has been happening for a while now on my home 600 appliance:

external IPs shown as "Infected Hosts"

View Host Logs does not yield anything, and since these events happen about once a month, running a traffic capture to get better visibility into it is not practical.

What is the reason for this indicator being present if there is no possibility of pass-through traffic hitting my gateway from inside?

6 Replies
PhoneBoy
Admin

It could very well be a false positive of some sort, or probing from that IP address.

I did move this to the SMB and SMP space.

Vladimir
Champion

If this was a probing attempt, I'd expect to see some drops in the log, but there is nothing at all.

I was thinking that maybe cell phones on WiFi may ID with the IP received from the carrier, but the protection name points to Windows hosts.

PhoneBoy
Admin

The fact you're not seeing that is somewhat troubling.

Vladimir
Champion

I re-flashed the new firmware yesterday and will keep an eye out for further occurrences. Should I see it again, I may have to run continuous filtered mirroring from the switches on all interfaces to get the raw packets matching that source network.

Tom_Hinoue
Advisor

Hi.

The Infected Host indication is triggered by the Anti-Bot blade, which can detect from LAN (inbound) to WAN (outgoing), and also vice versa.

If the public IP trying to communicate with your gateway's external IP has a malicious network activity pattern or a bad reputation (such as C&C), it will come up in the Infected Hosts list.

Vladimir
Champion

There is no reason to log external hosts as "Infected". Consider the scenario where your network is under attack from a botnet. In this case you may have thousands of hosts listed as such. It is not the business of this device to police the Internet, but to provide you with correct information about your environment.

But regardless of how these two hosts ended up listed as such, I would expect to see the corresponding log entries, and there are none.

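The triage the thread converges on, as an added example that is not code from the original thread or from Check Point: for each Anti-Bot "Infected Host" event in a log export, decide whether the flagged address sits inside your LAN ranges, and count the ordinary traffic log records that mention that address within a few minutes of the event. A public address with zero corroborating records is exactly the situation described above (indicator present, nothing in the host logs), and the script separates that case from an internal host that needs endpoint investigation and from an external address whose probing does show up as connection logs. The JSON-lines format, the field names (`time`, `blade`, `src`, `dst`, `action`, `protection_name`) and the sample records are constructed for this example and are assumptions; map your appliance's export columns onto them.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Address ranges treated as "inside" the gateway. RFC 1918 by default; add any
# routed public space you own on the LAN side. (Assumption for this example.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export, NOT real appliance output: one JSON object per
# line, with field names chosen for this example. Public addresses are taken
# from the RFC 5737 documentation ranges. The first event is an internal host
# with matching connection logs; the second is a public address with no
# traffic log at all, the case discussed in the thread.
SAMPLE_LOGS = """\
{"time": "2019-03-01T10:00:00", "blade": "Anti-Bot", "src": "192.168.1.20", "dst": "203.0.113.7", "action": "Prevent", "protection_name": "Trojan.Win32.Generic"}
{"time": "2019-03-01T09:59:58", "blade": "Firewall", "src": "192.168.1.20", "dst": "203.0.113.7", "action": "Accept", "service": "tcp/443"}
{"time": "2019-03-01T10:01:00", "blade": "Firewall", "src": "192.168.1.20", "dst": "203.0.113.7", "action": "Accept", "service": "tcp/443"}
{"time": "2019-03-05T02:00:00", "blade": "Anti-Bot", "src": "198.51.100.42", "dst": "203.0.113.1", "action": "Detect", "protection_name": "Trojan.Win32.Generic"}
"""


def is_internal(addr):
    """True if addr falls inside one of the LAN ranges in INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_logs(text):
    """Parse the JSON-lines export into dicts with a datetime 'time' field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        records.append(rec)
    return records


def triage(text, window=timedelta(minutes=5)):
    """For every Anti-Bot event, report whether the flagged host is internal
    and how many non-Anti-Bot records mention it within +/- window."""
    records = parse_logs(text)
    findings = []
    for ev in records:
        if ev["blade"] != "Anti-Bot":
            continue
        host = ev["src"]
        # Corroborating evidence: any ordinary traffic record (accept or drop)
        # with the flagged address as source or destination near the event.
        related = [
            r for r in records
            if r["blade"] != "Anti-Bot"
            and host in (r["src"], r["dst"])
            and abs(r["time"] - ev["time"]) <= window
        ]
        internal = is_internal(host)
        if internal:
            verdict = "internal_host_investigate_endpoint"
        elif related:
            verdict = "external_origin_corroborated_by_traffic_log"
        else:
            # Public address and nothing else in the log: the thread's case.
            verdict = "external_origin_no_corroborating_log"
        findings.append({
            "time": ev["time"].isoformat(),
            "host": host,
            "protection": ev.get("protection_name", ""),
            "internal": internal,
            "related_logs": len(related),
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Run it against a real export after renaming the fields, and widen `window` if your appliance's log timestamps are coarse. An external address that is flagged but has no related records is the one worth escalating, since the indicator then rests entirely on the Anti-Bot reputation/pattern match rather than on any connection the gateway itself logged.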
