SriniKrish
Contributor

Found Bot activity

Hi Guys,

I found the attached notification on the Quantum Spark device (1530) for botnet activity.

Looking at the notification, it seems to be flagging a connection from a command and control site, but the source is 8.8.8.8, which belongs to Google. If that's the case, CP should be aware that it belongs to Google and shouldn't have flagged it in the first place.

Am I missing anything here?

Appreciate your thoughts on this.

Cheers

Srini


Accepted Solutions
G_W_Albrecht
Legend

Looks like you visited a site that tried to connect to a bad malware IP. If, on the client, a page suddenly jumped by itself to an unknown porn or similar site, you will be shown this message after closing the page. If you can refer to such an occurrence, there is no malware infection - also, after clicking "I fixed it", the message should not reoccur...

CCSE CCTE SMB Specialist

TP_Master
Employee

Hi Srini

Just to be clear, the log doesn't say the attack is from 8.8.8.8 (legitimate Google DNS server) but rather that the response to the DNS query regarding a malicious domain was returned from that IP.

Usually in the logs we also see the domain that caused the trigger. What other data exists on the log card?
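To illustrate TP_Master's point, an added example that is not from the original thread: a small Python parser over constructed DNS-style log lines (the field names and the blocklist are assumptions) that flags answers for a listed domain and attributes each hit to the client that asked, rather than to the resolver that appears as the event's source.

```python
# Constructed sample log lines (not from the original post). A client asks the
# resolver 8.8.8.8 for a domain; the resolver's answer comes back with
# src=8.8.8.8, which is why the resolver shows up as the "source" of the event.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=192.168.1.20 dst=8.8.8.8 proto=udp dport=53 qname=evil-c2.example qtype=A
2024-05-01T10:00:01 src=8.8.8.8 dst=192.168.1.20 proto=udp sport=53 qname=evil-c2.example answer=203.0.113.9
2024-05-01T10:00:05 src=192.168.1.21 dst=8.8.8.8 proto=udp dport=53 qname=www.example.org qtype=A
2024-05-01T10:00:05 src=8.8.8.8 dst=192.168.1.21 proto=udp sport=53 qname=www.example.org answer=93.184.216.34
"""

# Constructed blocklist; a real deployment takes this from the vendor threat feed.
FLAGGED_DOMAINS = {"evil-c2.example"}


def parse_line(line):
    """Split 'timestamp key=value key=value ...' into a dict (assumed format)."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def attribute_dns_hits(log_text, flagged):
    """Return one record per DNS answer for a flagged domain.

    The answer line carries the resolver as src and the querying client as dst,
    so the host to triage is dst, not the resolver IP that the alert shows."""
    hits = []
    for raw in log_text.splitlines():
        f = parse_line(raw)
        if f.get("qname") not in flagged or "answer" not in f:
            continue  # not an answer, or not a listed domain
        hits.append({
            "ts": f["ts"],
            "resolver": f["src"],      # what the alert labels as source
            "client": f["dst"],        # the endpoint that actually queried
            "domain": f["qname"],
            "resolved_to": f["answer"],
        })
    return hits


def clients_to_triage(log_text, flagged):
    """Unique querying clients behind the flagged answers."""
    return sorted({h["client"] for h in attribute_dns_hits(log_text, flagged)})


if __name__ == "__main__":
    for hit in attribute_dns_hits(SAMPLE_LOG, FLAGGED_DOMAINS):
        print(hit)
    print("triage:", clients_to_triage(SAMPLE_LOG, FLAGGED_DOMAINS))
```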

SriniKrish
Contributor

Hi Guys,

Thank you so much for the response,

Looking into the detailed security logs did reveal what Albrecht had highlighted. Looks like there was some connection towards a porn site without the user's knowledge. In fact, I did find a lot of Anti-Bot and Anti-Virus alerts on his machine. On my way to installing Harmony Endpoint to scan his host in the first place, and then I will probably tune the confidence level of Anti-Bot so it blocks instead of just detecting.

One thing that could have been better is a drill-down option to the security log in the notification. The notification only shows an overview and you have to manually filter the security logs. I wish there was a link to the actual logs; I could have avoided this post.

Question: is there an internal portal where I can cross-check and learn about protections like the one highlighted here, "Generic.TC.aesn"?

Cheers

G_W_Albrecht
Legend

The alert you show in your first post tells us that the connection was blocked! You should have configured all ABot settings to prevent and not use any detect in IPS.

Usually, clients surf porn sites and these connect to other pages that contact the C&C for malware - so you had better have URLF set to block inappropriate content.

https://threatwiki.checkpoint.com/threatwiki/public.htm

https://www.checkpoint.com/advisories/

https://research.checkpoint.com/

CCSE CCTE SMB Specialist