This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Antimatt3r
Participant
‎2020-05-12 01:18 AM

Found bot activity

My CheckPoint Firewall 730 Appliance keeps warning me about a so called infected device, always with the message "Infected device detected: .... is infected with a malware of high severity. Findings: found bot activity". This happens multiple times per day and I can't identify the problem. I have scanned the device multiple times and found nothing.

This actually happens on several devices.

Is this a false positive?

If not, how can I identify the source of the problem?

Untitled.jpg

0 Kudos
15 Replies
PhoneBoy
Admin
Admin
‎2020-05-12 09:20 PM

You'll notice it's confidence of Low.
My guess is you may have visited a site that may have included something from that site.
Antimatt3r
Participant
‎2020-05-13 12:43 AM
In response to PhoneBoy

I could see that being the case for some of the workstations, but the computer with the most frequent events is a domain server, and there is no internet surfing on it.
From my understanding (I could be wrong), this particular "malware" is related to Command & Control activities, and I frequently use Remote Desktop Connection for the server, and TeamViewer and/or AnyDesk on the workstations on the Active Directory computers.
Could this be a false positive related to that?
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2020-05-13 05:02 AM
In response to Antimatt3r

Unfortunately it is common for an internal DNS server to get tagged by Anti-bot like this, since an internal workstation with a problem sends a suspicious request to your internal DNS server for DNS service (and this traffic does not normally pass through the firewall), then the DNS server looks up the suspicious site on behalf of the internal workstation and Anti-bot sees that traffic and flags it.  One way to deal with this is to enable logging of all DNS requests on the DNS server itself, to help find which internal host is initiating the suspicious lookups.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
LuisSP
Collaborator
‎2020-05-16 10:21 PM
In response to Timothy_Hall

As always, you have value experience that you share it, just let me add a comment: as said Antimatt3r, most frequent events has been on DNS server, but it is not unique host, there are other workstations that trigger alerts on FW, maybe such host has other DNS, maybe it's other protection or other blade that logged those alerts, I don't know. So it's worth analyze such workstations
Timothy_Hall
MVP Gold
MVP Gold
‎2020-05-17 07:24 AM

Forgot to mention that you can enable the "DNS trap" feature to help identify infected hosts that are having their DNS lookups handled by an internal DNS server.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Antimatt3r
Participant
‎2020-05-18 01:30 AM
In response to Timothy_Hall

Thank you for the suggestions.

I enabled logging on the DNS server, and identified devices that initiate said problem. However as far as I can tell, they are not actually infected, I've scanned them multiple times.

So it might just be regular internet browsing, and the "infected" warning is just about various ads, and spam sites that launch when you visit certain sites? In other words it's just a false positive, or a warning that appears, even though the threat itself is already blocked?

About "DNS trap" feature, I'm not actually sure how to enable it from the web interface. I actually think it's already enabled, because I think I saw it listed on "protection name" on certain events, although I'm not entirely sure. 

Where exactly is this setting?

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2020-05-18 08:29 AM
In response to Antimatt3r

Hmm looks like DNS Trap may not be supported on embedded Gaia when it is locally managed, but I can't find any documentation confirming that one way or the other.  @PhoneBoy?

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Pedro_Espindola
Advisor
‎2020-05-18 09:09 AM
In response to Timothy_Hall

It is supported and enabled by default, but it is only triggered for Medium or High confidence level, according to default profiles.

0 Kudos
Dick_Summers
Contributor
‎2020-06-03 04:13 PM

I had the same problem at a client.  DHCP logs on the Windows DCs helped a bit, but did not point to the culprit.

The (Home, System) notifications section showed the events, and the Watchtower notified me, so I connected to the device and in (Logs and Monitoring) Security Logs, I entered Service:DNS.  I scrolled to the approximate time and found a username associated with the event.

Once the user's Dell BIOS and Intel Management  firmware were updated, the errors stopped.

 In this client's case the logs seem to only go back about 8-10 hours, so I did not have the ability to go back further to aid in the search.

0 Kudos
Antimatt3r
Participant
‎2020-06-03 11:58 PM
In response to Dick_Summers

Not sure why it would be linked to BIOS firmware or Intel Management Engine, but anyway since I have a 50+ workstations, this problem is starting to piss me off...

Using DNS logging I have identified the so called culprits (which keep changing, a few devices today, other ones tomorrow, some of them keep repeating etc.) and thoroughly scanned the clients on multiple occasions with no results.

It even detects IPs that belong to mobile phones and even network printers.

Like I previously said, the firewall either flags normal internet browsing, when detecting certain ads and such (some of them probably legitimately malicious, even though blocked), or it detects the activity of remote desktop software such as TeamViewer and AnyDesk, which are frequent on my network and are initiated by me. I also use RDP to connect to the Server itself.

Could be the latter since the description of the "malware" is specifically about C&C, I really don't know what to make of it...

0 Kudos
Dick_Summers
Contributor
‎2020-06-04 12:08 PM
In response to Antimatt3r

I spoke too quickly yesterday, another instance occurred, but I cannot determine the source device.

I have not been able to reproduce this issue on demand, have you been able to reproduce on demand?

0 Kudos
Antimatt3r
Participant
‎2020-08-28 04:40 AM

Any updates on this problem? I am still bombarded with "found bot activity" events even more so than before...

0 Kudos
PhoneBoy
Admin
Admin
‎2020-08-28 03:49 PM
In response to Antimatt3r

Best bet is to get the TAC involved so we can understand what's going on in more detail.

0 Kudos
Dick_Summers
Contributor
‎2020-08-30 08:58 AM
In response to Antimatt3r

I found a PC on the network that had no AV installed other than Windows Defender.  The client uses Symantec, I installed the Symantec Endpoint Protection client, no issues for last 5 days.

0 Kudos
Antimatt3r
Participant
‎2020-08-30 11:09 PM
In response to Dick_Summers

In my case I have Kaspersky Endpoint Security on all the stations, but it doesn't seem to make a difference, those pesky events are just as frequent as ever.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events