cjfsoares
Participant

Anti-Bot

Hello,

I'm on R81.10 in a 15600 appliance.

I keep receiving Threat Prevention reports with a lot of logs regarding communication with C&C sites. Lately like the one attached. 

During the first days of COVID-19 pandemic most users went home, almost unprotected. Should I be concerned (how much)? 

I'm doing cleanings on all PCs (with several tools); is it enough?

 

Thank you for your help.
Cláudio Soares

0 Kudos
3 Replies
Lesley
Leader

Do the logs clear up after you cleaned up the PCs? If it comes back, either the cleaning was not successful or the users have to get educated. 

Second, Anti-Bot is only part of the security features that can be used. Is there anything more active on this setup? Do you run anything from Check Point on the PCs themselves? Which blades are enabled on the gateways, and are you doing HTTPS inspection?

-------
If you like this post please give a thumbs up(kudo)! 🙂
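The check suggested above (do the C&C detections stop for a host once it has been cleaned?) can be automated over an exported log. The script below is an added example, not code from this thread or from Check Point; the log lines and cleanup times are constructed, and the key=value layout is assumed, so adapt `parse_record` to the fields of your own export.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a key=value style; not real gateway output.
SAMPLE_LOGS = """\
time=2022-03-01T08:12:44;blade=Anti-Bot;src=10.1.2.10;action=Prevent;protection_name=Trojan.Win32.Generic.C&C
time=2022-03-01T09:30:01;blade=Anti-Bot;src=10.1.2.11;action=Detect;protection_name=Backdoor.Win32.Generic.C&C
time=2022-03-03T11:05:10;blade=Anti-Bot;src=10.1.2.10;action=Prevent;protection_name=Trojan.Win32.Generic.C&C
time=2022-03-03T12:40:00;blade=IPS;src=10.1.2.12;action=Prevent;protection_name=Some.IPS.Signature
time=2022-03-04T07:15:22;blade=Anti-Bot;src=10.1.2.12;action=Prevent;protection_name=Trojan.Win32.Generic.C&C
"""

# Constructed: when each PC was cleaned; 10.1.2.12 has not been cleaned yet.
CLEANUP_TIMES = {
    "10.1.2.10": datetime(2022, 3, 2, 18, 0),
    "10.1.2.11": datetime(2022, 3, 2, 18, 0),
}

def parse_record(line):
    """Split 'k=v;k=v' into a dict (split on the first '=' only)."""
    fields = {}
    for part in line.strip().split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields

def antibot_hits_by_host(text):
    """Return {src: sorted detection timestamps}, Anti-Bot blade records only."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("blade") == "Anti-Bot":
            hits[rec["src"]].append(datetime.fromisoformat(rec["time"]))
    return {src: sorted(ts) for src, ts in hits.items()}

def triage(text, cleanup_times):
    """'recurring': hits after the host's cleanup (cleanup failed or reinfected);
    'cleared': no hits after cleanup; 'pending': host not cleaned yet."""
    result = {}
    for src, timestamps in antibot_hits_by_host(text).items():
        cleaned_at = cleanup_times.get(src)
        if cleaned_at is None:
            result[src] = "pending"
        elif any(t > cleaned_at for t in timestamps):
            result[src] = "recurring"
        else:
            result[src] = "cleared"
    return result
```

Hosts reported as "recurring" are the ones to re-examine (and, as noted above, the users to talk to); "pending" hosts still need a cleanup date entered.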
cjfsoares
Participant

Hello Lesley,

Thank you for your answer.
99% of the time, logs do clear up after cleaning takes place. Nevertheless, users need proper education every day.

Anti-Bot, IPS, and Anti-Virus are enabled on the appliance, and Harmony Endpoint is running on the devices (however, we only got Harmony Endpoint after the pandemic started, therefore most users went home unprotected). HTTPS Inspection is not fully activated because we still have some user privacy issues to solve.

0 Kudos
Lesley
Leader

If the logs clear up, that is a good indication that the systems are clean again. 

Endpoint has many modules and features you can use to increase security.

Some examples:

* Access control
- Firewall
- Application control
- Endpoint compliance

* Sandboxing
- Threat emulation
- Threat extraction

* Browser security
- DLP
- URL filtering

* Threat prevention
- Anti-malware
- Anti-exploit

So this also depends on what you have enabled. You can either enable more security on the client, or on the central firewall, or both. 

Finally, regarding HTTPS inspection, some categories that can impact privacy can be bypassed. Example of how to bypass a category:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...

Most common is to bypass Financial Services, but there can be more. In my opinion, it is highly recommended to enable HTTPS inspection to make optimal use of the firewall. Almost all traffic is encrypted these days and the firewall cannot inspect it. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos