CheckMates community: Products > Quantum > Threat Prevention
Anti-bot Detect
Hi,
I got this log:
The pcap file in its payload shows something like this:
l v|'|'|VHJvamFuX0M0NkY2RTk=|'|'|MARK|'|'|user|'|'|2013-11-22|'|'|Win XP|'|'|No|'|'|0.6.4|'|'|..|'|'|[endof]
Autonomous Threat Prevention is configured with the Perimeter protection profile.
I wonder why that is "Detect" and not "Blocked"? Does that count as a successful hack!?
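The payload quoted in the post has a fixed shape: short fields separated by the five-character token `|'|'|` and closed by `[endof]`. That structure, not the individual values, is what a content signature keys on, and it is also what an analyst parses to pull out the host id, OS and version for triage. The following Python is an added example written for this thread, not code from the post or from Check Point; the field names, the assumption that the leading token is `ll` (the post shows it garbled), and the sample lines are all constructed for illustration.

```python
import base64
import binascii

# Field separator and record terminator exactly as they appear in the payload
# quoted in the post (straight quotes; the forum rendered them as curly quotes).
DELIM = "|'|'|"
TERMINATOR = "[endof]"

# Constructed sample record, assembled from the post's payload with the forum's
# line wraps removed. The leading two-character token is ASSUMED to be "ll".
SAMPLE = (
    "ll|'|'|VHJvamFuX0M0NkY2RTk=|'|'|MARK|'|'|user|'|'|2013-11-22"
    "|'|'|Win XP|'|'|No|'|'|0.6.4|'|'|..|'|'|[endof]"
)

# Positional field names are an ASSUMPTION drawn from the values in the sample
# (a base64 id, a tag, a user, a date, an OS string, a yes/no flag, a version);
# the post does not document the format.
FIELD_NAMES = [
    "command", "victim_id", "campaign", "user", "install_date",
    "os", "flag", "version", "active_window",
]

# Constructed traffic lines: one beacon, two benign lines, one partial match.
SAMPLE_LINES = [
    SAMPLE,
    "GET /index.html HTTP/1.1",
    "user=bob|'|'|ok",            # delimiter present, but no terminator
    "a|'|'|b|'|'|[endof]",        # terminator present, wrong field count
]


def decode_if_base64(value: str):
    """Return the base64-decoded text if value decodes to printable ASCII, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None


def parse_beacon(payload: str):
    """Return a dict of fields if payload has the delimited beacon shape, else None.

    The structural checks (terminator, trailing delimiter, exact field count,
    non-empty command token) are the signature; decoding the base64 id is an
    enrichment step for the analyst and is not part of the match decision.
    """
    if not payload.endswith(TERMINATOR):
        return None
    body = payload[: -len(TERMINATOR)]
    if not body.endswith(DELIM):
        return None
    fields = body[: -len(DELIM)].split(DELIM)
    # Require the full field count seen in the sample so that a stray
    # delimiter in unrelated traffic does not trigger a match.
    if len(fields) != len(FIELD_NAMES) or not fields[0]:
        return None
    record = dict(zip(FIELD_NAMES, fields))
    record["victim_id_decoded"] = decode_if_base64(record["victim_id"])
    return record


def scan(lines):
    """Run the signature over a list of payload strings; return (index, record) hits."""
    hits = []
    for i, line in enumerate(lines):
        record = parse_beacon(line)
        if record is not None:
            hits.append((i, record))
    return hits


if __name__ == "__main__":
    for idx, rec in scan(SAMPLE_LINES):
        print(f"line {idx}: id={rec['victim_id_decoded']!r} os={rec['os']!r} "
              f"version={rec['version']!r}")
```

Running it on the constructed lines flags only the first one; the base64 id in the post's own payload decodes to a readable string, which is the kind of enrichment worth attaching to the log before it goes to TAC or IRT. The exact field count is deliberately strict so that a benign line containing the delimiter does not match, which is the same false-positive trade-off that the confidence rating on the protection reflects.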

The Confidence Level of the protection has a 'low' rating; best to follow up with TAC / IRT as appropriate.

Any way to block Backdoor.MSIL.Jaktinier.D?

Yes:
Use the Optimized profile and check the General Policy pane > Activation Mode section, and see if all Confidence levels are set to Prevent. In your case, the Confidence level is low, so following the profile settings it will detect only (as it is not sure at all if this really is the bot in question). I suggest setting all Confidence levels to Prevent except low (set that one to do nothing, since Detect will cost as many resources as Prevent but only logs it).

The protection to block this has a low confidence rating, so excepting low is contrary to the need here?

Seems this is configured as Detect for low confidence, something I suggest avoiding; either set it to protect or to do nothing.
It should give you more options if you click on "remediation options" from the log I believe.
Andy

Difficult to advise on this in depth without knowing the environment in greater detail.
A custom TP profile / policy is likely needed, for instance if you were trying to alter the 'low confidence' treatment.

Confidence levels are the same across all threat prevention blades:
- Low: Protections that can produce false positive events with high probability.
A detect is expected behaviour for this perimeter profile:
Please see top left.
If you like this post please give a thumbs up(kudo)! 🙂
