Pearl

Useless logs in SMB appliances

Can someone explain what actionable information is available in this log entry:

image.png

Except an acknowledgement that the gateway recognized a malicious binary but was not able to prevent its download?

There is no way I can see that allows us to identify the binary from the information displayed.

0 Kudos
4 Replies
Admin

It doesn't list a URL, site, or anything? What do other logs around that time for that host say?
0 Kudos
Pearl

@PhoneBoy, if you look closely at the log shown, you'll see that it only shows the date, not the time of the incident. We only have the option to "View Host Logs" from the "Infected Hosts" section.

This opens up logs filtered by the host's IP with the current date and time.

The SMB appliance log query does not permit multiple filters, only one:

image.png


So we have to either scroll back to the date and look at ALL THE LOGS for that host or filter by the host and look for ALL THE LOGS for that date.

What do you think the likelihood is of finding what we are looking for?

0 Kudos
Admin

Can you find the relevant log entries via the Protection Name (which should be unique enough)?
Pearl

Found it using the method you suggested.

A few notes, though:

1. It would be nice if the "Open Host Logs" from TP went to the event, not to the current logs.

2. Actual event log indicated that the download was prevented, while TP notice indicates "Possible Infected Host."

3. There is no export or copy option for the events for reporting to the offending party.

0 Kudos