This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cjfsoares
Participant
‎2024-06-19 09:05 AM

Anti-Bot

Hello,

I'm on R81.10 in a 15600 appliance.

I keep receiving Threat Prevention reports with a lot of logs regarding communication with C&C sites. Lately like the one attached. 

During the first days of COVID-19 pandemic most users went home, almost unprotected. Should I be concerned (how much)? 

I'm doing cleanings on all PCs (with several tools), is it enough?

 

Thank you for your help.
Cláudio Soares

Preview file
6 KB
0 Kudos
3 Replies
Lesley
Leader Leader
Leader
‎2024-06-19 02:20 PM

Do the logs clear up after you cleaned up the PCs? If it comes back either cleaning was not successful or the users have to get educated. 

Second, anti-bot is only part of the security features that can be used. Is there anything more active on this setup? You run anything on the PC's itself from Check Point? What is enabled on gateways for blades and are you doing HTTPS inspection?

-------
If you like this post please give a thumbs up(kudo)! 🙂
cjfsoares
Participant
‎2024-06-20 12:20 AM
In response to Lesley

Hello Lesley,

Thank you for your answer.
99% of the times logs do clear up after cleaning takes place. Nevertheless users need proper education everyday.

Anti-Bot, IPS, and Anti-virus are enabled on the appliance. And Harmony Endpoint is running on the devices (however we only got Harmony Endpoint after the pandemic started, therefor most users went home unprotected). HTTPS Inspection is not fully activated because we have some issues with users privacy to solve, yet.

0 Kudos
Lesley
Leader Leader
Leader
‎2024-06-20 01:38 AM
In response to cjfsoares

If logs clear up that is a good indication that systems is clear again. 

Endpoint has many modules and features you can use to increase security.

Some examples:

*access control
- Firewall
- application control
- endpoint compliance

*sandboxing
- threat emulation
- threat extraction

*browser security
- DLP
- URL filtering

*threat prevention
- anti-malware
- anti-exploit

So this also depends what you have enabled. You can either enable more security on the client, or on the central firewall, or both. 

Finally regarding HTTPS inspection, some categories that can impact privacy can be bypassed. Example of how to bypass a category:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...

Most common is to bypass: Financial Services. But can be more. In my opinion it is highly recommended to enable HTTPS inspection to make optimal use of the firewall. Almost all traffic is these days encrypted and firewall cannot inspect it. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events