Larry_Ashiru
Explorer

Blocking C&C communication

Hello All,

My logs are showing Qbot on my network, and some compromised hosts within the network are attempting to connect to a malicious site operating as a C&C (command and control) server.

What Anti-Bot / Threat Prevention policy can I implement to prevent these connections and mitigate any risk?

Attached is snapshot of description.


Accepted Solutions
Vladimir
Champion

Change the corresponding Threat Prevention actions from "Detect" to "Protect", by choosing the "Recommended" profile, or by replicating it and adjusting it manually:

Threat Prevention action profiles

Clean up all the hosts being logged as compromised ASAP.

Your best bet is to take all the infected machines offline and to perform clean re-install from bootable media.

And then start working on lateral threat propagation detection and remediation.

3 Replies
Larry_Ashiru
Explorer

Thanks Vladimir,

Your first recommendation was already implemented before my posting.

I guess I will have to find the infested systems and perform a clean re-install.

Norbert_Bohusch
Advisor

Look closer at your log entry; the information on why it is only detected is included directly!

The field "Description" contains the following information:

DNS response was replaced with a DNS trap bogus IP

sk74060 is also mentioned, where everything regarding the DNS trap feature is explained.

Also keep in mind that by default DNS traffic is always handled in background mode (since R75.47 / R76), as a hold might cause DNS timeouts. So there might also be DNS detects because classification is not completed yet.

This behavior is documented in sk92224.
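As an added example, not from this thread and not Check Point's own tooling, here is a small triage script that separates the DNS-trap entries Norbert points to (the host already asked for the malicious name, so it belongs on the clean-reinstall list) from ordinary background-mode detects and from actual prevents. The key=value log layout, the host addresses and every description string except the quoted DNS trap one are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the key=value layout, addresses and every description
# except the quoted "DNS trap" one are made up for this example, not a
# real Check Point log export.
SAMPLE_LOGS = """\
src=10.0.1.15 protection=Qbot action=Detect description=DNS response was replaced with a DNS trap bogus IP
src=10.0.1.15 protection=Qbot action=Detect description=DNS response was replaced with a DNS trap bogus IP
src=10.0.1.23 protection=Qbot action=Detect description=C&C connection classified in background mode
src=10.0.1.42 protection=Qbot action=Prevent description=C&C connection blocked
src=10.0.1.23 protection=Qbot action=Detect description=DNS response was replaced with a DNS trap bogus IP
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) protection=\S+ action=(?P<action>\S+) description=(?P<desc>.*)")
DNS_TRAP_MARKER = "DNS trap bogus IP"

def classify(line):
    """Return (src, bucket) for one line, or None if it does not parse.
    dns_trap: Detect entry whose description shows the trap fired. The lookup
              was already answered with a bogus IP, so the action column
              reading "Detect" does not mean the host is clean.
    detect:   any other Detect, e.g. background-mode classification that
              finished only after the DNS packet was let through.
    prevent:  traffic the gateway actually dropped.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if DNS_TRAP_MARKER in m["desc"]:
        return m["src"], "dns_trap"
    if m["action"].lower() == "prevent":
        return m["src"], "prevent"
    return m["src"], "detect"

def triage(log_text):
    """Per-host Counter of buckets over a block of log lines."""
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            per_host[hit[0]][hit[1]] += 1
    return per_host

def hosts_to_rebuild(per_host):
    """Hosts that asked for a trapped name: they go on the clean-reinstall list."""
    return sorted(h for h, c in per_host.items() if c["dns_trap"])
```

Feed it a real export after adapting LINE_RE to the column layout you use; the point is that a DNS-trap "Detect" is a confirmed infected host, not a miss.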
