Discussion SMB scan problem
Dear all,
I want to discuss an SMB scan problem with you.
I found a lot of scanning attacks with the Check Point firewall, but all the scanning is just identified as firewall sessions and is not identified by the TP module. Why is this?
I found that all vendor firewalls cannot identify this kind of SMB scan.
Thanks!
6 Replies
Why not ask this in SMB Appliances and SMP? Please check your screenshot, as I do not understand what you mean! I can just see internal user 10.110.33.178 connecting by TCP/445 to various internet IPs. The Rulebase accepts the connections with Outgoing Rule 9. Nothing wrong here...
CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
I confirm that 10.110.33.178 is affected by a virus and this IP is scanning port 445. So I want to know why the NGFW cannot identify this kind of behavior as a threat.
I think the first question would need to be: Why is 445 open towards the internet? NGFW is only adding Application Control and IPS. There is no correlation in either blade; blades like Anti-Virus and Anti-Bot would be more suited to block this kind of attack.
Regards, Maarten
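As an added illustration (not part of the original thread and not Check Point code): the correlation discussed above can be done over connection logs by flagging an internal host that reaches many distinct external addresses on TCP/445 within a short window. The log layout, the internal range, the threshold and every address other than 10.110.33.178 are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: what counts as "internal"; adjust to the site's address plan.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def find_smb_fanout(lines, threshold=20, window=timedelta(minutes=1), port=445):
    """Return {src: peak count of distinct external dsts on `port` per window}
    for every source whose peak reaches `threshold`. Lines must be time-ordered."""
    recent = defaultdict(deque)          # src -> (time, dst) pairs inside window
    flagged = {}
    for line in lines:
        ts, src, dst, dport = line.strip().split(",")
        if int(dport) != port or is_internal(dst):
            continue                     # internal file servers are expected
        now = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((now, dst))
        while now - q[0][0] > window:    # expire sessions older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

def constructed_sample():
    """Constructed records 'time,src,dst,dst_port'; not a real log export."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    rows = []
    for i in range(30):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        # Host from the thread: a new Internet destination every second.
        rows.append(f"{ts},10.110.33.178,203.0.113.{i + 1},445")
        # Ordinary client: repeated sessions to one internal file server.
        rows.append(f"{ts},10.110.33.20,10.110.40.5,445")
    for i in range(5):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        # A handful of external SMB destinations stays below the threshold.
        rows.append(f"{ts},10.110.33.21,198.51.100.{i + 1},445")
    return sorted(rows)                  # ISO timestamps sort chronologically

if __name__ == "__main__":
    print(find_smb_fanout(constructed_sample()))
```

Each session on its own is an accepted connection under an outbound rule, as in the screenshot described above; only the count of distinct destinations per source separates the scanning host from a normal SMB client.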
Without knowing the nature of the scanning, I can't say whether or not we would detect this.
If you haven't already cleaned the system, take some packet captures from the infected system and open a TAC case.
In general, I'm with everyone else on this thread: there's no reason SMB should be open outbound to the Internet.
If you think this is a virus communication which is not recognized, open a Check Point TAC ticket.
➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips