Vladimir
Pearl

SMB appliance shows Infected hosts with public IPs

This has been happening for a while now on my home 600 appliance:

external IPs shown as "Infected Hosts"

View Host Logs does not yield anything, and since these events happen about once a month, running a traffic capture to get better visibility into it is not practical.

What is the reason for this indicator being present if there is no possibility of pass-through traffic hitting my gateway from inside?

6 Replies
Admin

Re: SMB appliance shows Infected hosts with public IPs

It could very well be a false positive of some sort, or that IP address is probing.

I did move this to the SMB and SMP space.
Vladimir
Pearl

Re: SMB appliance shows Infected hosts with public IPs

If this was a probing attempt, I'd expect to see some drops in the log, but there is nothing at all.

I was thinking that maybe cell phones on WiFi may ID with the IP received from the carrier, but the protection name points to Windows hosts.

Admin

Re: SMB appliance shows Infected hosts with public IPs

The fact you're not seeing that is somewhat troubling.

Vladimir
Pearl

Re: SMB appliance shows Infected hosts with public IPs

I've re-flashed the new firmware yesterday and will keep an eye out for further occurrences. Should I see it again, I may have to run continuous filtered mirroring from the switches on all interfaces to get the raw packets matching that source network.

Re: SMB appliance shows Infected hosts with public IPs

Hi.

The infected host is triggered by the Anti-Bot, which can be detected from LAN (inbound) to WAN (outgoing), and also vice versa.

If the public IP trying to communicate with your gateway's external IP has a malicious network activity pattern or a bad reputation (such as C&C), it will come up in the infected hosts list.
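To make the distinction in the reply above concrete (an internal host reaching a bad-reputation destination versus an external bad-reputation IP hitting the gateway, both of which land in the same "Infected Hosts" list), here is an added triage example; it is not Check Point's code or the poster's, and the event record layout, the LAN range and the gateway WAN address are constructed assumptions.

```python
"""Triage Anti-Bot 'infected host' entries by traffic direction.

Added example, not the appliance's code. The record format, LAN range and
gateway WAN address below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed home LAN
GATEWAY_WAN_IP = "192.0.2.10"                          # assumed public IP of the gateway

@dataclass
class AntiBotEvent:
    src: str
    dst: str
    protection: str  # constructed protection name, e.g. a Windows trojan signature

def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def classify(ev: AntiBotEvent) -> dict:
    """Decide which side, if any, is a host worth investigating.

    LAN -> WAN hit: an internal host contacted a bad-reputation address,
    so that host is a real infection candidate.
    WAN -> LAN or WAN -> gateway hit: a bad-reputation source probed us;
    this is not evidence of an internal infection, but a matching drop log
    should exist and its absence is what deserves follow-up.
    """
    src_lan, dst_lan = is_lan(ev.src), is_lan(ev.dst)
    if src_lan and not dst_lan:
        return {"direction": "outbound", "suspect_host": ev.src,
                "verdict": "possible internal infection: investigate host"}
    if not src_lan and (dst_lan or ev.dst == GATEWAY_WAN_IP):
        return {"direction": "inbound", "suspect_host": None,
                "verdict": "external reputation hit: confirm a matching drop log"}
    return {"direction": "unknown", "suspect_host": None,
            "verdict": "unexpected endpoint pair: review LAN definition"}

def triage(events: list) -> dict:
    """Split the infected-hosts list into internal suspects and external noise."""
    out = {"internal_suspects": [], "external_hits": [], "unclassified": []}
    for ev in events:
        c = classify(ev)
        if c["direction"] == "outbound":
            out["internal_suspects"].append(c["suspect_host"])
        elif c["direction"] == "inbound":
            out["external_hits"].append(ev.src)
        else:
            out["unclassified"].append((ev.src, ev.dst))
    return out

# Constructed sample events using RFC 5737 documentation addresses.
EVENTS = [
    AntiBotEvent("192.168.1.23", "203.0.113.45", "Trojan.Win32.Example"),
    AntiBotEvent("198.51.100.7", GATEWAY_WAN_IP, "Trojan.Win32.Example"),
    AntiBotEvent("192.168.1.5", "192.168.1.9", "Trojan.Win32.Example"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.src, "->", ev.dst, classify(ev)["verdict"])
```

Only the first event points at a host on the LAN side; the second is the case the reply describes, where an external IP with a bad reputation is listed even though no internal host is involved.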
Vladimir
Pearl

Re: SMB appliance shows Infected hosts with public IPs

There is no reason to log the external hosts as "Infected". Consider the scenario where your network is under attack from a botnet. In this case you may have thousands of hosts listed as such. It is not the business of this device to police the Internet, but to provide you with correct information about your environment.

But regardless of how these two hosts ended up listed as such, I would expect to see the corresponding log entries, and there are none.