CheckMates > Products > Quantum > SMB Gateways (Spark)
SMB appliance shows Infected hosts with public IPs
This has been happening for a while now on my home 600 appliance:
View Host Logs does not yield anything, and since these events happen about once a month, running a traffic capture to get better visibility into it is not practical.
What is the reason for this indicator being present if there is no possibility of path-through traffic hitting my gateway from inside?
Tags: smb

It could very well be a false positive of some sort, or that IP address is probing.
I did move this to the SMB and SMP space.
If this was a probing attempt, I'd expect to see some drops in the log, but there is nothing at all.
I was thinking that maybe cell phones on WiFi may ID with the IP received from the carrier, but the protection name points to Windows hosts.
The fact you're not seeing that is somewhat troubling.
I re-flashed the new firmware yesterday and will keep an eye out for further occurrences. Should I see it again, I may have to run continuous filtered mirroring from the switches on all interfaces to get the raw packets matching that source network.
Hi.
The infected host is triggered by Anti-Bot, which can detect from LAN (inbound) to WAN (outgoing), and also vice versa.
If the public IP trying to communicate with your gateway's external IP has a malicious network activity pattern or a bad reputation (such as C&C), it will come up in the infected hosts list.
There is no reason to log external hosts as "Infected". Consider the scenario where your network is under attack from a botnet. In this case you may have thousands of hosts listed as such. It is not the business of this device to police the Internet, but to provide you with correct information about your environment.
But regardless of how these two hosts ended up listed as such, I would expect to see the corresponding log entries, and there are none.
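As an added illustration of the triage the last two replies describe (Anti-Bot flagging an address in either direction, and the expectation that every "infected" entry should have a corresponding log entry), here is a small Python script that is not part of this thread and not Check Point's own tooling. It takes a constructed infected-hosts list and constructed, deliberately simplified log lines (the "src dst action blade" layout is an assumption; real SMB logs look different), classifies each flagged address as inside or outside the LAN, counts the log entries that mention it, and for a flagged public address reports which LAN host talked to it, since that LAN host is the machine actually worth a look. The LAN range 192.168.1.0/24 is also an assumption.

```python
import ipaddress

# Constructed sample data (not actual Check Point SMB output): an "infected
# hosts" list as the appliance might present it, and a few simplified log lines.
INFECTED_HOSTS = [
    {"host": "192.168.1.23", "protection": "Trojan.Win32.Example"},    # LAN host
    {"host": "203.0.113.45", "protection": "Trojan.Win32.Example"},    # public IP
    {"host": "198.51.100.7", "protection": "Backdoor.Win32.Example"},  # public IP
]

# Constructed log lines in an assumed "src dst action blade" layout.
LOG_LINES = [
    "192.168.1.23 203.0.113.45 Prevent Anti-Bot",
    "192.168.1.10 93.184.216.34 Accept Firewall",
    "203.0.113.45 192.0.2.1 Drop Firewall",
]

# RFC 1918 ranges plus the assumed home LAN behind the appliance. Explicit
# networks are used on purpose: ipaddress.is_private also covers documentation
# ranges such as 203.0.113.0/24, which would misclassify the sample public IPs.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
INTERNAL_NETS = RFC1918 + [ipaddress.ip_network("192.168.1.0/24")]


def is_internal(ip: str) -> bool:
    """True if the address is on the LAN side of the gateway."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(lines):
    """Parse the simplified log layout; malformed lines are skipped."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, action, blade = parts
        entries.append({"src": src, "dst": dst, "action": action, "blade": blade})
    return entries


def triage(infected, log_lines):
    """For every flagged host decide whether it is inside or outside the LAN and
    whether any log entry corroborates the listing."""
    logs = parse_log(log_lines)
    report = {}
    for entry in infected:
        ip = entry["host"]
        related = [l for l in logs if ip in (l["src"], l["dst"])]
        antibot = [l for l in related if l["blade"] == "Anti-Bot"]
        scope = "internal" if is_internal(ip) else "external"
        # The other party in each related entry; for an external address the
        # LAN peers are the hosts that actually need investigating.
        peers = sorted({l["src"] if l["dst"] == ip else l["dst"] for l in related})
        internal_peers = [p for p in peers if is_internal(p)]
        if antibot and scope == "internal":
            verdict = "internal host with Anti-Bot evidence: investigate the host"
        elif antibot:
            verdict = "external address matched by Anti-Bot: check the LAN peer(s)"
        elif related:
            verdict = "only non-Anti-Bot log entries: listing not explained by Anti-Bot"
        else:
            verdict = "unexplained: no log entry mentions this address"
        report[ip] = {
            "scope": scope,
            "protection": entry["protection"],
            "log_hits": len(related),
            "antibot_hits": len(antibot),
            "internal_peers": internal_peers,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for ip, r in triage(INFECTED_HOSTS, LOG_LINES).items():
        print(f"{ip:15} {r['scope']:8} logs={r['log_hits']} antibot={r['antibot_hits']} "
              f"peers={r['internal_peers']} -> {r['verdict']}")
```

With the constructed data, the LAN host is explained by its own Anti-Bot entry, the first public address is explained by the Anti-Bot entry naming the LAN peer that talked to it, and the second public address has no log entry at all, which is the situation the original poster describes and the one that deserves follow-up.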
