r1der
Collaborator

DNS Server Rule - Action Change to Prevent from

Hi Everyone,

Question about this rule / Malware Trap DNS setup.
This rule exists for our DNS servers under Threat Prevention > Policy.
I forgot if I made this rule or not. I think I made this rule because the DNS servers were being listed as "Infected Hosts" for DNS requests to C&C sites.
So in an attempt to find out the actual clients, I ended up looking at the Malware Trap DNS setup. These DNS servers are the same ones defined in the Malware Trap DNS setting.

(screenshot: tp1.png)

If I am not mistaken, the next step is to change Action = PREVENT. However, I noticed that after doing that, some of the sites it started PREVENTING were actually legitimate, and I switched it back to Detect. Note: the last two at the very bottom of the screenshot below are indicators I uploaded via CSV.

(screenshot: TP-2.png)

By changing the rule action from Detect to Prevent, it would seem I'd have to create exceptions for each false positive.
Is that correct? There seem to be a lot of false positives if I switch to Active, but there also seems to be a lot getting allowed through because my setting is set to Detect.

I tried disabling the rule just to see the actions, and it seems that without this rule it would not allow us to reach sites that Check Point thinks contain malware or are C&C sites.

Any suggestions appreciated, still a newbie here!

Chris_Atkinson
Employee

What are the activation mode settings of your current Threat Prevention profile, namely for low confidence protections?

(screenshot: 61146_main.png)

Note in R81 and above we altered the logging behavior for DNS trap related events.

r1der
Collaborator

Hi Chris, thanks. Low Confidence = Inactive. We are on R80.40. Screenshot below.
Shouldn't that have meant that the low-confidence sites from the log above (2nd image in the original post) would be allowed?

(screenshot: tempsnip.png)