This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
r1der
Advisor
‎2021-10-29 03:34 PM

DNS Server Rule - Action Change to Prevent from

Hi Everyone,

Question about this rule/malware trap dns setup.
This rule exists for our DNS Servers under Threat Prevention > Policy.
I forgot if I made this rule or not. I think I made this rule because the DNS servers were being listed as "Infected Hosts" for DNS requests to C&C sites. 
So in an attempt to find out the actual clients, I ended up looking at the Malware Trap DNS setup. These DNS servers are the same defined in Malware Trap DNS setting.

tp1.png
If I am not mistaken, the next step is to change Action = PREVENT.  However, I noticed that after doing that some of the sites it started PREVENTING were actually legitimate and I switched it back to Detect. Note: last 2 at the very bottom of screenshot below are indicators I have uploaded via CSV. 
TP-2.png

By changing the rule action from Detect to Prevent, it would seem like I'd have to create exceptions for each false positive.
Is that correct? There seems to be a lot of false positives if I switch to Active, but there also seems to be a lot getting allowed through because my setting is set to Detect. 

I tried disabling the rule just to see the actions, and it seems without this rule it would not allow us to reach sites that CheckPoint thinks is containing malware or is a C&C site. 

Any suggestions appreciated, still a newbie here!

0 Kudos
2 Replies
Chris_Atkinson
Employee Employee
Employee
‎2021-10-31 08:19 AM

What are the activation mode settings of your current Threat Prevention profile, namely for low confidence protections?

61146_main.png

Note in R81 and above we altered the logging behavior for DNS trap related events.

CCSM R77/R80/ELITE
(1)
r1der
Advisor
‎2021-11-03 04:29 PM
In response to Chris_Atkinson

Hi Chris, Thanks, Low Confidence = Inactive. We are on R80.40. Screenshot below.
Shouldn't that have meant the sites from the log above (2nd image in original post) with low confidence be allowed?
 
tempsnip.png

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events