My Check Point Firewall 730 Appliance keeps warning me about a so-called infected device, always with the message "Infected device detected: .... is infected with a malware of high severity. Findings: found bot activity". This happens multiple times per day and I can't identify the problem. I have scanned the device multiple times and found nothing.
This actually happens on several devices.
Is this a false positive?
If not, how can I identify the source of the problem?
Unfortunately, it is common for an internal DNS server to get tagged by Anti-Bot like this. An internal workstation with a problem sends a suspicious request to your internal DNS server for DNS service (and this traffic does not normally pass through the firewall); the DNS server then looks up the suspicious site on behalf of the internal workstation, and Anti-Bot sees that traffic and flags it. One way to deal with this is to enable logging of all DNS requests on the DNS server itself, to help find which internal host is initiating the suspicious lookups.
Forgot to mention that you can enable the "DNS trap" feature to help identify infected hosts that are having their DNS lookups handled by an internal DNS server.
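The correlation this reply describes, as an added example (not code from the thread, from Check Point, or from the DNS Trap feature): it reads PACKET lines from a Windows DNS Server debug log (the Debug Logging tab of the server properties in DNS Manager, which fits the Windows DCs mentioned later in the thread), decodes the (len)label question names, and separates the inbound queries that reveal the asking workstation from the outbound recursion that the gateway sees and attributes to the DNS server. The log excerpt, the addresses and the indicator domain `bad-c2.example` are constructed for the demo; substitute the domain named in your own Anti-Bot event.

```python
"""Trace Anti-Bot 'found bot activity' hits on an internal DNS server back to the
workstation that asked for the name.

Added example, not code from the thread or from Check Point. It reads PACKET
lines from a Windows DNS Server debug log (Debug Logging tab in DNS Manager);
the log excerpt and the indicator domain below are constructed for the demo.
"""
import re
from collections import Counter

# A debug-log PACKET line: timestamp, thread id, PACKET, packet id, protocol,
# Snd/Rcv, remote IP, XID, 'R' only on responses, opcode, [flags], qtype, qname.
PACKET_RE = re.compile(
    r"^(?P<ts>\S+\s+\S+(?:\s+[AP]M)?)\s+\S+\s+PACKET\s+\S+\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9a-fA-F]+)\s+(?P<resp>R)?\s*(?P<opcode>[A-Z])\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)

# Constructed excerpt: 192.168.1.25 and 192.168.1.77 are workstations, the DNS
# server forwards to 8.8.8.8, and bad-c2.example stands in for the domain the
# Anti-Bot log reported. (Hypothetical values, not from the thread.)
SAMPLE_LOG = """\
DNS Server log file creation at 10/7/2025 9:00:00 AM
10/7/2025 9:14:03 AM 0B4C PACKET  000000C5A1B2C3D0 UDP Rcv 192.168.1.25    a1b2   Q [0001   D   NOERROR] A      (6)bad-c2(7)example(0)
10/7/2025 9:14:03 AM 0B4C PACKET  000000C5A1B2C3E0 UDP Snd 8.8.8.8         3c4d   Q [0001   D   NOERROR] A      (6)bad-c2(7)example(0)
10/7/2025 9:14:03 AM 0B4C PACKET  000000C5A1B2C3E0 UDP Rcv 8.8.8.8         3c4d R Q [8081   DR  NOERROR] A      (6)bad-c2(7)example(0)
10/7/2025 9:14:03 AM 0B4C PACKET  000000C5A1B2C3D0 UDP Snd 192.168.1.25    a1b2 R Q [8081   DR  NOERROR] A      (6)bad-c2(7)example(0)
10/7/2025 9:14:10 AM 0B4C PACKET  000000C5A1B2C3F0 UDP Rcv 192.168.1.40    5e6f   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
10/7/2025 9:15:41 AM 0B4C PACKET  000000C5A1B2C400 UDP Rcv 192.168.1.77    7a8b   Q [0001   D   NOERROR] A      (6)update(6)bad-c2(7)example(0)
10/7/2025 9:15:41 AM 0B4C PACKET  000000C5A1B2C410 UDP Snd 8.8.8.8         9c0d   Q [0001   D   NOERROR] A      (6)update(6)bad-c2(7)example(0)
10/7/2025 9:31:05 AM 0B4C PACKET  000000C5A1B2C420 UDP Rcv 192.168.1.25    b2c3   Q [0001   D   NOERROR] AAAA   (6)bad-c2(7)example(0)
"""
INDICATORS = ["bad-c2.example"]


def decode_name(qname):
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = [lab for lab in re.split(r"\(\d+\)", qname) if lab]
    return ".".join(labels).lower()


def parse_line(line):
    """Parse one PACKET line; return None for headers, blanks and other noise."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "dir": m["dir"],
        "ip": m["ip"],
        "is_response": m["resp"] == "R",
        "opcode": m["opcode"],
        "qtype": m["qtype"],
        "name": decode_name(m["qname"]),
    }


def matches_indicator(name, indicators):
    """Return the indicator that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for ind in indicators:
        ind = ind.lower().rstrip(".")
        if name == ind or name.endswith("." + ind):
            return ind
    return None


def attribute_lookups(log_text, indicators):
    """Split indicator-domain queries into the two hops the reply describes.

    'clients'  : internal IP -> inbound queries (Rcv, not a response). This is
                 the host that actually asked, which the firewall never sees.
    'upstream' : forwarder IP -> outbound queries the server sent on a client's
                 behalf. This is the traffic the gateway sees and attributes to
                 the DNS server itself.
    'evidence' : (timestamp, client IP, qtype, name) for each inbound hit, so it
                 can be lined up against the Anti-Bot event time.
    """
    clients, upstream, evidence = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["is_response"] or rec["opcode"] != "Q":
            continue
        if matches_indicator(rec["name"], indicators) is None:
            continue
        if rec["dir"] == "Rcv":
            clients[rec["ip"]] += 1
            evidence.append((rec["ts"], rec["ip"], rec["qtype"], rec["name"]))
        else:
            upstream[rec["ip"]] += 1
    return {"clients": clients, "upstream": upstream, "evidence": evidence}


if __name__ == "__main__":
    result = attribute_lookups(SAMPLE_LOG, INDICATORS)
    for ip, n in result["clients"].most_common():
        print(f"{ip:<16} {n} lookup(s) for {INDICATORS}")
    for ts, ip, qtype, name in result["evidence"]:
        print(f"  {ts}  {ip:<16} {qtype:<5} {name}")
    print("outbound recursion seen by the gateway:", dict(result["upstream"]))
```

To use it on a real server, pass the contents of the debug log file and the domain from the Anti-Bot event to `attribute_lookups`. The log only shows the previous hop: if clients reach this server through another resolver or a relay, repeat the same correlation on that box. A hit here tells you which host asked for the name and when, not whether that host is infected, which is the question the rest of the thread wrestles with.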
Thank you for the suggestions.
I enabled logging on the DNS server, and identified devices that initiate said problem. However as far as I can tell, they are not actually infected, I've scanned them multiple times.
So it might just be regular internet browsing, and the "infected" warning is just about various ads and spam sites that launch when you visit certain sites? In other words, it's just a false positive, or a warning that appears even though the threat itself is already blocked?
About the "DNS trap" feature, I'm not actually sure how to enable it from the web interface. I actually think it's already enabled, because I think I saw it listed under "protection name" on certain events, although I'm not entirely sure.
Where exactly is this setting?
Hmm, it looks like DNS Trap may not be supported on embedded Gaia when it is locally managed, but I can't find any documentation confirming that one way or the other. @PhoneBoy?
It is supported and enabled by default, but it is only triggered for Medium or High confidence level, according to default profiles.
I had the same problem at a client. DHCP logs on the Windows DCs helped a bit, but did not point to the culprit.
The (Home, System) notifications section showed the events, and the Watchtower notified me, so I connected to the device and in (Logs and Monitoring) Security Logs, I entered Service:DNS. I scrolled to the approximate time and found a username associated with the event.
Once the user's Dell BIOS and Intel Management firmware were updated, the errors stopped.
In this client's case the logs seem to only go back about 8-10 hours, so I did not have the ability to go back further to aid in the search.
I'm not sure why it would be linked to BIOS firmware or the Intel Management Engine, but anyway, since I have 50+ workstations, this problem is starting to piss me off...
Using DNS logging I have identified the so-called culprits (which keep changing: a few devices today, other ones tomorrow, some of them keep repeating, etc.) and thoroughly scanned the clients on multiple occasions with no results.
It even detects IPs that belong to mobile phones and even network printers.
As I previously said, the firewall either flags normal internet browsing when it detects certain ads and such (some of them probably legitimately malicious, even though blocked), or it detects the activity of remote desktop software such as TeamViewer and AnyDesk, which is frequent on my network and is initiated by me. I also use RDP to connect to the server itself.
It could be the latter, since the description of the "malware" is specifically about C&C; I really don't know what to make of it...
I spoke too quickly yesterday, another instance occurred, but I cannot determine the source device.
I have not been able to reproduce this issue on demand, have you been able to reproduce on demand?
Any updates on this problem? I am still bombarded with "found bot activity" events even more so than before...
Best bet is to get the TAC involved so we can understand what's going on in more detail.
I found a PC on the network that had no AV installed other than Windows Defender. The client uses Symantec, so I installed the Symantec Endpoint Protection client, and there have been no issues for the last 5 days.
In my case I have Kaspersky Endpoint Security on all the stations, but it doesn't seem to make a difference, those pesky events are just as frequent as ever.