This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sajenthiran_Mic
Contributor
‎2022-03-30 03:51 AM

Gateway and Management logs

We use multiple checkpoint gateways ... we have times where we try to decode the logging entries.

We had recent log entries, which stated that a server has used network communication on port 1027(ICKiller).

A Windows Trojan!! https://threatwiki.checkpoint.com/threatwiki/public.htm

Now the research on the Server using an Antivirus - tool could not find any suspected infection.

According to checkpoint are the security gateways detects suspicious communication based on signature inside the packet. Is that the case even when Antivirus Blade is not active? Is the default Intrusion Detection System able accurately to identify threats

 

0 Kudos
5 Replies
the_rock
MVP Platinum
MVP Platinum
‎2022-03-30 04:53 AM

I had seen this before, so my educated guess is that those threats are detected properly even when AV is not on, but I will let someone from CP give you an official statement / answer.

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2022-03-30 09:44 AM

Were these log references for port 1027 in the "source port" field?  If so you have have nothing to worry about, the ICKiller trojan used a fixed port of 1027 in the distant past.  What happened is TCP on the initiating system chose source port 1027 from the ephemeral range of 1024-65535 for a new TCP connection, and it happened to match the included service object ICKiller.  What you are seeing in the log is a simple mapping from a port number to a name, not an indicator of compromise.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Sajenthiran_Mic
Contributor
‎2022-03-31 06:37 AM
In response to Timothy_Hall

How do we destingushe between a simple source port mapping instant and a real issue? based on the Firewall logs?

 

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-03-31 07:06 AM
In response to Sajenthiran_Mic

What about the log entry led you to believe there was a problem?

Just the name in the Service field? If so, find the service object and disable "Match for Any", or delete the object. You could also disable name resolution before using the logs.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-03-31 07:10 AM
In response to Sajenthiran_Mic

Not much you can ascertain based on that simple firewall log.
Threat Prevention logs may be more actionable.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events