gazette
Explorer

Security Logs


Hello, I have recently had some doubts about some security logs in a 790 firewall, such as the following three examples:

(Three screenshots attached: checkpoint_790_2021-09-14_21-58-42.jpg, checkpoint_790_2021-09-14_21-59-05.jpg, checkpoint_790_2021-09-14_22-04-13.jpg)

Both the source and the destination are servers on the same network segment, for example 180.80.0.0/24. The three events shown are sourced by the same server (180.80.0.10) but at two destinations (180.80.0.13, 180.80.0.14). This leads me to think that the 180.80.0.10 server has malware, but it has Harmony Endpoint installed; I have verified it and everything seems to be fine.

But the alerts keep coming constantly. What can I do in this case?

Meanwhile, on the other console of the 790, it tells me that it is infected.

(Screenshot attached: _checkpoint_790_2021-09-14_22-23-26.jpg)

Accepted Solutions
G_W_Albrecht
Legend

I would assume a false positive as the traffic is local, not to a C&C server...

2 Replies
PhoneBoy
Admin

Could very well be false positives.
Packet captures and a TAC case are definitely in order.

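The two replies above boil down to one triage rule (is the flagged pair local-to-local, or is the host actually reaching out to something external?) and one next step (capture the traffic for TAC). The script below is an added example, not code from the thread or from Check Point, that applies that rule to a set of constructed events and emits the capture filters for each source/destination pair. The event field names, the `LOCAL_SEGMENTS` list, the protection names, the extra external-destination event, and the classic `fw monitor -e` filter syntax are all assumptions; adapt the fields to whatever your log export actually contains.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events, NOT real Check Point log lines. The field names
# and the "protection" values are assumptions that mirror the columns the
# post's screenshots would show (time, source, destination, blade, protection).
SAMPLE_EVENTS = [
    {"time": "2021-09-14 21:58:42", "src": "180.80.0.10", "dst": "180.80.0.13",
     "blade": "Anti-Bot", "protection": "sample-protection-A"},
    {"time": "2021-09-14 21:59:05", "src": "180.80.0.10", "dst": "180.80.0.13",
     "blade": "Anti-Bot", "protection": "sample-protection-A"},
    {"time": "2021-09-14 22:04:13", "src": "180.80.0.10", "dst": "180.80.0.14",
     "blade": "Anti-Bot", "protection": "sample-protection-A"},
    # Constructed contrast case (not in the post): the same host talking to an
    # address outside every configured local segment.
    {"time": "2021-09-14 22:10:00", "src": "180.80.0.10", "dst": "198.51.100.7",
     "blade": "Anti-Bot", "protection": "sample-protection-B"},
]

# Segments you consider "inside". The /24 is the one the post describes; the
# 10/8 entry is an assumed extra internal range. Only this list decides what is
# local, so the verdict does not depend on RFC 1918 heuristics.
LOCAL_SEGMENTS = [
    ipaddress.ip_network("180.80.0.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def is_local(ip, segments):
    """True if the address falls inside any configured local segment."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in segments)


def triage(events, segments=LOCAL_SEGMENTS):
    """Group events by (src, dst), classify each pair, and build capture filters.

    Verdicts:
      local-to-local: both ends inside; no C&C egress is involved, so the hit is
                      a false-positive candidate, but it still needs a capture
                      because it could also be lateral movement.
      egress:         inside host reaching outside; treat as possible C&C.
      ingress:        outside host hitting inside; inbound attack or scan.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["src"], ev["dst"])].append(ev)

    report = {}
    for (src, dst), evs in groups.items():
        src_local, dst_local = is_local(src, segments), is_local(dst, segments)
        if src_local and dst_local:
            verdict = "local-to-local"
        elif src_local:
            verdict = "egress"
        else:
            verdict = "ingress"
        report[(src, dst)] = {
            "count": len(evs),
            "first_seen": min(ev["time"] for ev in evs),
            "last_seen": max(ev["time"] for ev in evs),
            "protections": sorted({ev["protection"] for ev in evs}),
            "verdict": verdict,
            # Standard BPF filter, usable with tcpdump on the gateway.
            "tcpdump_filter": f"host {src} and host {dst}",
            # Assumed classic fw monitor INSPECT-filter syntax; verify against
            # the syntax supported by your gateway version before relying on it.
            "fw_monitor": f'fw monitor -e "accept src={src} and dst={dst};"',
        }
    return report


if __name__ == "__main__":
    for (src, dst), r in triage(SAMPLE_EVENTS).items():
        print(f"{src} -> {dst}: {r['count']} hit(s), {r['verdict']}, "
              f"protections={r['protections']}")
        print(f"    capture: tcpdump -ni any '{r['tcpdump_filter']}'  |  {r['fw_monitor']}")
```

Run it, then use the printed filter for the pair that keeps firing to collect the capture PhoneBoy asks for; a local-to-local pair with a single repeating protection is the shape of a false positive, but the capture is what lets TAC confirm it rather than you assuming it.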