Vladimir
Champion

Useless logs in SMB appliances

Can someone explain what actionable information is available in this log entry:

image.png

Except an acknowledgement that the gateway recognized malicious binary but was not able to prevent its download?

There is no way I can see that allows us to identify the binary from the information displayed.

4 Replies
PhoneBoy
Admin

It doesn't list a URL, site, or anything? What do other logs around that time for that host say?
Vladimir
Champion

@PhoneBoy, if you look closely at the log shown, you'll see that it only shows the date, not the time of the incident. We only have the option to "View Host Logs" from the "Infected Hosts" section.

This opens up logs filtered by the host's IP with the current date and time.

The SMB appliances log query does not permit multiple filters, but only one:

image.png


So we have to either scroll back to the date and look at ALL THE LOGS for that host or filter by the host and look for ALL THE LOGS for that date.

What do you think the likelihood is of finding what we are looking for?

PhoneBoy
Admin

Can you find the relevant log entries via the Protection Name (which should be unique enough)?
Vladimir
Champion

Found it using the method you suggested.

A few notes though:

1. Would be nice if the "Open Host Logs" from TP would go to the event, not to current logs.

2. Actual event log indicated that the download was prevented, while TP notice indicates "Possible Infected Host."

3. There is no export or copy option for the events for reporting to the offending party.

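The thread's workaround is to search by Protection Name because the appliance UI accepts only one filter at a time. As an added example (not from the thread, and not Check Point's own code or log format), the script below shows what the triage looks like once the host logs are available as plain text, for instance via syslog forwarding or a copied log view: it applies host, date, protection name and action together, sorts the hits, counts how many hosts tripped the same protection, and formats each hit as a one-line summary for a report. The key=value line layout and every value in `SAMPLE_LOGS` are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample export (assumed layout: "DATE TIME key=value ..."); the
# hosts, protection names and URL are made up and are not real indicators.
SAMPLE_LOGS = """\
2024-03-10 08:15:02 src=10.1.2.3 dst=203.0.113.7 blade=Anti-Virus action=Prevent protection_name=Trojan.Win32.Example.Sample url=http://malicious.example/x.exe
2024-03-10 08:15:05 src=10.1.2.3 dst=198.51.100.9 blade=Application-Control action=Accept protection_name=- app=Web-Browsing
2024-03-10 09:02:44 src=10.1.2.5 dst=203.0.113.7 blade=Anti-Virus action=Prevent protection_name=Trojan.Win32.Example.Sample url=http://malicious.example/x.exe
2024-03-11 10:30:00 src=10.1.2.3 dst=203.0.113.44 blade=Anti-Bot action=Detect protection_name=Possible.Infected.Host.Generic
"""

LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one 'DATE TIME k=v k=v ...' line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"date": m.group("date"), "time": m.group("time")}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec


def parse_logs(text):
    """Parse every well-formed line; silently skip anything that does not match the layout."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def filter_logs(records, host=None, date=None, protection=None, action=None):
    """AND together every criterion that was given, which the appliance UI cannot do in one query.

    host matches either src or dst; protection is a case-insensitive substring match so a
    partial Protection Name (as suggested in the thread) is enough.
    """
    out = []
    for r in records:
        if host and host not in (r.get("src"), r.get("dst")):
            continue
        if date and r["date"] != date:
            continue
        if protection and protection.lower() not in r.get("protection_name", "").lower():
            continue
        if action and r.get("action") != action:
            continue
        out.append(r)
    return sorted(out, key=lambda r: (r["date"], r["time"]))


def hosts_by_protection(records):
    """Map each real protection name to the sorted list of source hosts that triggered it,
    so one can tell a single infected host from a protection firing fleet-wide."""
    seen = defaultdict(set)
    for r in records:
        name = r.get("protection_name", "-")
        if name != "-":
            seen[name].add(r["src"])
    return {name: sorted(hosts) for name, hosts in seen.items()}


def report_line(r):
    """One-line, copy-pasteable summary of a hit for an incident or abuse report."""
    return (
        f'{r["date"]} {r["time"]} {r.get("src")} -> {r.get("dst")} '
        f'[{r.get("blade")}/{r.get("action")}] {r.get("protection_name")} {r.get("url", "")}'
    ).rstrip()


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    # The question from the thread: which event on this host, on this day, for this protection?
    for hit in filter_logs(recs, host="10.1.2.3", date="2024-03-10", protection="Trojan"):
        print(report_line(hit))
    print(hosts_by_protection(recs))
```

Run against the constructed sample, the combined host + date + protection query narrows four lines to the single Anti-Virus event, and the record carries the URL and the actual action (`Prevent`), which is the detail the thread notes was missing from the "Possible Infected Host" notice.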
