This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SriniKrish
Collaborator
‎2022-03-14 08:21 PM
Jump to solution

Found Bot activity

Hi Guys,

 

I found the attached notification in the quantum spark device(1530) for botnet activity.

Looking at the notification, it seems to be flagging a connection from command and control site but the source 8.8.8.8  which belongs to Google. if thats the case CP shud be aware that it belongs to google and shudn't have flagged in the first place .

Am I missing anything here?

appreciate your thoughts on this.

 

Cheers

Srini

Preview file
40 KB
0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2022-03-15 01:02 AM
Jump to solution

Looks like you visited a site that tried to connect to a bad malware IP. If on the client suddenly a page jumped by itself to an unknown porn or similar site, after closing the page, you will be shown this message. If you can refer to such an occurrence, there is no malware infection - also, after clicking "I fixed it", the message should not reoccur...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

4 Replies
TP_Master
Employee
Employee
‎2022-03-15 12:45 AM
Jump to solution

Hi Srini

 

Just to be clear, the log doesn't say the attack is from 8.8.8.8 (legitimate Google DNS server) but rather that the response to the DNS query regarding a malicious domain was returned from that IP.

 

Usually in the logs we see also the domain that caused the trigger. What other data exists on the log card?

G_W_Albrecht
Legend Legend
Legend
‎2022-03-15 01:02 AM
Jump to solution

Looks like you visited a site that tried to connect to a bad malware IP. If on the client suddenly a page jumped by itself to an unknown porn or similar site, after closing the page, you will be shown this message. If you can refer to such an occurrence, there is no malware infection - also, after clicking "I fixed it", the message should not reoccur...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
SriniKrish
Collaborator
‎2022-03-16 04:49 PM
In response to G_W_Albrecht
Jump to solution

Hi Guys,

 

Thank you so much for the response,

Looking into the detailed security logs did reveal what Albrecht had highlighted. Looks like there was some connection towards Porn site without the users knowledge. Infact I did find a lot of anti-bot and anti-virus alerts on his machine. On my way to installing Harmony Enpoint to scan his host in the first place and then probably will tune the confidence level of Anti bot so it blocks instead of just detect.

 

One thing could have been better is a drill down option to the security log in the notification. notification only shows an overview and youhave to manually filter the security logs. wish there was link to the actual logs and I could have avoided this post.

 

Questions is there an internal portal where I can cross check and learn the protections like the one higlighted here. " Generic.TC.aesn"

 

Cheers

Preview file
90 KB
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-03-17 01:15 AM
In response to SriniKrish
Jump to solution

The Alert you show in your first post tells us that the connection was blocked ! You should have configured all ABot settings to prevent and not use any detect in IPS.

Usually, clients surf porn sites and these connect to other pages that contact the C&C for malware - so you should better have URLF set to Block inappropriate content.

https://threatwiki.checkpoint.com/threatwiki/public.htm

https://www.checkpoint.com/advisories/

https://research.checkpoint.com/

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events