This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
MVP Silver
MVP Silver
‎2025-01-07 02:17 AM

Anti-bot Detect

Hi,

I got this log:

kort.JPG

 

The pcap file in its payload shows something like this:

l v|’|’|V HJvamFuX
0M0NkY2RTk=|’|’|MARK|’|’|user|’|’|2013-11-22|’|’|W
in XP|’|’|No|’|’|0.6.4|’|’|..|’|’|[endof]

Autonomous Threat Prevention is configured with Perimeter protection profile 

I wonder why is that "Detect" not "Blocked"? does that count as a successful hack!?

0 Kudos
8 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-01-07 02:45 AM

Confidence Level of the protection has a 'low' rating best to follow-up with TAC / IRT as appropriate.

CCSM R77/R80/ELITE
Moudar
MVP Silver
MVP Silver
‎2025-01-07 03:06 AM
In response to Chris_Atkinson

any way to block 

Backdoor.MSIL.Jaktinier.D
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-01-07 03:44 AM
In response to Moudar

Yes:

Use the Optimized profile and check the General Policy pane > Activation Mode section, and see if all Confidence levels are set to Prevent. In your case, Confidence level is low, so following the profile settings it will detect only (as it is not sure at all if this really is the bot in question). I suggest to set all Confidence levels to Prevent except low (do nothing then as detect will cost as much resources as Prevent but only log it)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-01-07 05:31 AM
In response to G_W_Albrecht

The protection to block this has a low confidence rating so excepting low is contrary to the need here?

CCSM R77/R80/ELITE
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-01-07 05:39 AM
In response to Chris_Atkinson

Seems this is configured as Detect for low confidence - something i suggest to avoid, either set it to protect or to do nothing.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-01-07 07:08 AM
In response to Moudar

It should give you more options if you click on "remediation options" from the log I believe.

Andy

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-01-07 03:13 AM

Difficult to advise on this in depth without knowing the environment in greater detail

Custom TP profile / policy is likely needed for instance if you were trying to alter the 'low confidence' treatment..

CCSM R77/R80/ELITE
Lesley
MVP Gold
MVP Gold
‎2025-01-07 09:09 AM

Confidence levels are the same across all threat prevention blades:

  • Low: Protections that can produce false positive events in high probability.

A detect is expected behaviour for this perimeter profile:

Lesley_0-1736269742447.png

Please see top left. 

-------
Please press "Accept as Solution" if my post solved it 🙂

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events