This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
Advisor
‎2025-01-07 02:17 AM

Anti-bot Detect

Hi,

I got this log:

kort.JPG

 

The pcap file in its payload shows something like this:

l v|’|’|V HJvamFuX
0M0NkY2RTk=|’|’|MARK|’|’|user|’|’|2013-11-22|’|’|W
in XP|’|’|No|’|’|0.6.4|’|’|..|’|’|[endof]

Autonomous Threat Prevention is configured with Perimeter protection profile 

I wonder why is that "Detect" not "Blocked"? does that count as a successful hack!?

0 Kudos
8 Replies
Chris_Atkinson
Employee Employee
Employee
‎2025-01-07 02:45 AM

Confidence Level of the protection has a 'low' rating best to follow-up with TAC / IRT as appropriate.

CCSM R77/R80/ELITE
Moudar
Advisor
‎2025-01-07 03:06 AM
In response to Chris_Atkinson

any way to block 

Backdoor.MSIL.Jaktinier.D
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2025-01-07 03:44 AM
In response to Moudar

Yes:

Use the Optimized profile and check the General Policy pane > Activation Mode section, and see if all Confidence levels are set to Prevent. In your case, Confidence level is low, so following the profile settings it will detect only (as it is not sure at all if this really is the bot in question). I suggest to set all Confidence levels to Prevent except low (do nothing then as detect will cost as much resources as Prevent but only log it)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2025-01-07 05:31 AM
In response to G_W_Albrecht

The protection to block this has a low confidence rating so excepting low is contrary to the need here?

CCSM R77/R80/ELITE
G_W_Albrecht
Legend Legend
Legend
‎2025-01-07 05:39 AM
In response to Chris_Atkinson

Seems this is configured as Detect for low confidence - something i suggest to avoid, either set it to protect or to do nothing.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2025-01-07 07:08 AM
In response to Moudar

It should give you more options if you click on "remediation options" from the log I believe.

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2025-01-07 03:13 AM

Difficult to advise on this in depth without knowing the environment in greater detail

Custom TP profile / policy is likely needed for instance if you were trying to alter the 'low confidence' treatment..

CCSM R77/R80/ELITE
Lesley
Mentor Mentor
Mentor
‎2025-01-07 09:09 AM

Confidence levels are the same across all threat prevention blades:

  • Low: Protections that can produce false positive events in high probability.

A detect is expected behaviour for this perimeter profile:

Lesley_0-1736269742447.png

Please see top left. 

-------
If you like this post please give a thumbs up(kudo)! 🙂

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events