This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Larry_Ashiru
Explorer
‎2017-11-02 11:46 AM
Jump to solution

Blocking C&C communication

Hello All,

My logs is showing Qbot on my network and some compromised hosts within the network are attempting to connect to a malicious site and operate as a C&C (command and control) server.

What Antibot/ threat prevention policy can I implement to prevent these connection to mitigate any risk.

Attached is snapshot of description.

Chk.JPG
Preview file
46 KB
0 Kudos
1 Solution

Accepted Solutions
Vladimir
Champion
Champion
‎2017-11-02 06:00 PM
Jump to solution

Change corresponding Threat Prevention actions from "Detect" to "Protect", by choosing "Recommended" profile, or by replicating it and adjusting it manually.:

Threat Prevention action profiles

Clean-up all the hosts being logged as compromised ASAP.

Your best bet is to take all the infected machines offline and to perform clean re-install from bootable media.

And then start working on lateral threat propagation detection and remediation.

View solution in original post

0 Kudos
3 Replies
Vladimir
Champion
Champion
‎2017-11-02 06:00 PM
Jump to solution

Change corresponding Threat Prevention actions from "Detect" to "Protect", by choosing "Recommended" profile, or by replicating it and adjusting it manually.:

Threat Prevention action profiles

Clean-up all the hosts being logged as compromised ASAP.

Your best bet is to take all the infected machines offline and to perform clean re-install from bootable media.

And then start working on lateral threat propagation detection and remediation.

0 Kudos
Larry_Ashiru
Explorer
‎2017-11-03 06:06 AM
In response to Vladimir
Jump to solution

Thanks Vladimir,

Your first recommendation is already implemented before my posting.

I guess I will have to find the infested systems and perform a clean re-install.

0 Kudos
Norbert_Bohusch
Advisor
‎2017-11-12 11:17 PM
In response to Larry_Ashiru
Jump to solution

Look closer at your log entry and the information, why it is only detected, is directly included!

In the field "Description" is the following information:

DNS response was replaced with a DNS trap bogus IP

Also there is sk74060 mentioned, where everything is explained regarding the DNS trap feature.

Also keep in mind that by default DNS traffic is always handled in background mode (since R75.47 / R76) as a hold might cause DNS timeouts. So there might be also DNS detects because classification is not completed yet.

This behavior is documented in sk92224

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top