Useless logs in SMB appliances

Vladimir · ‎2019-03-25

Can someone explain what actionable information is available in this log entry:

Except an acknowledgement that the gateway recognized malicious binary but was not able to prevent its download?

There is no way I can see that allow us to identify the binary from the information displayed.

PhoneBoy · ‎2019-03-25

It doesn't list a URL, site, or anything? What do other logs around that time for that host say?

Vladimir · ‎2019-03-26

@PhoneBoy , If you look closely at the log shown, you'll see that it only shows date, not time of the incident. We have only option to "View Host Logs" from the "Infected Hosts" section.

This opens up logs filtered by the host's IP with the current date and time.

The SMB appliances log query does not permit multiple filters, but only one:

So we have to either scroll back to the date and look at ALL THE LOGS for that host or filter by the host and look for ALL THE LOGS for that date.

What do you think the likelihood of finding what we are looking for?

PhoneBoy · ‎2019-03-26

Can you find the relevant log entries via the Protection Name (which should be unique enough)?

Vladimir · ‎2019-03-26

Found it using the method you suggested.

Few notes though:

1. Would be nice if the "Open Host Logs" from TP would go to the event, not to current logs.

2. Actual event log indicated that the download was prevented, while TP notice indicates "Possible Infected Host."

3. There is no export or copy option for the events for reporting to the offending party.

Are you a member of CheckMates?

Useless logs in SMB appliances