Appliance 1490, r77.20.87 Build 990172966
Blades: FW, AppCtrl, URLF, ABOT, AV, IPS, RAccs and SSL Inspect
Locally Managed
1. Yesterday (2020-May-07) I received a notification in WatchTower from the FW blade about a BOT event.
2. The internal host supposedly infected was hostA.
3. The external threat host was 13.107.136.9.
4. Reviewing the logs, I found communication attempts since May 7, logged by the IPS blade.
5. Hours later, there is a log by AppCtrl allowing and identifying the app SharePoint Online on IP 13.107.136.9; that's correct.
6. Then… there was a log by HTTPS Inspection with a Revoked Certificate or Invalid CRL in a connection to sharepoint.com (13.107.136.9).
7. Again, other logs by IPS equal to point 4.
8. Yesterday (May-08) there is a log by AppCtrl allowing the eBay app with traffic to IP 13.107.136.9!!!! What? The resource on that log can be read as https://hostXYZ.sharepoint.com/...... What was this confusion about? Or what am I misinterpreting? (Doubt)
9. Afterwards, there are logs by IPS and AppCtrl with the same data.
10. Suddenly a log by ABot appears with the same resource as in point 8, but identifying a client type of MicrosoftSkydriveSync.
11. Since then, there are logs by the FW blade. The strange thing about these logs is that, although the traffic originated from the internal host to the external one, it is the incoming rules that are generating them. (Doubt)
Why was the appliance confused about properly identifying the correct application (OneDrive, not eBay), and why did it take so long to do so? Is such latency common?
Why does an incoming rule produce such logs (point 11) for connection traffic originating from the internal host (outgoing traffic)?
Why did IPS alert with confidence level HIGH, detecting a GNU BASH threat on HostA, when HostA is a Windows host?
I know there are a lot of doubts, words and lack of knowledge; I am reading guides, but please help me with this issue.
I'm thinking it might be a false positive... but I'm not sure.
Thanks.
[Screenshot of the log view with numbered annotations: 001 IPS; 002 AppC; 003; 004; 005 AppC eBay????; 007 AppC eBay again; 008 ABot; 009 outgoing traffic logged by incoming rules?; 010 AppC bye eBay, now OneDrive; Notification of infection]