Jeff_Gao
Advisor

Discussion SMB scan problem

Dear all

I want to discuss an SMB scan problem with you.

I found a lot of scanning attacks with the Check Point FW, but all the scanning is just identified as firewall sessions and is not identified by the TP module. Why is this?

smb scan.png

I found that all vendors' firewalls cannot identify this kind of SMB scan.

Thanks!

6 Replies
G_W_Albrecht
Legend

Why not ask this in SMB Appliances and SMP? Please check your screenshot, as I do not understand what you mean! I just can see internal user 10.110.33.178 connecting by TCP/445 to various internet IPs. The Rulebase accepts the connections with Outgoing Rule 9. Nothing wrong here...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Jeff_Gao
Advisor

I confirm that 10.110.33.178 is affected by a virus and this IP is scanning port 445. So I want to know why the NGFW cannot identify this kind of behavior as a threat.
Maarten_Sjouw
Champion

I think the first question would need to be: Why is 445 open towards the internet? NGFW is only adding Application Control and IPS. There is no correlation in either blade; blades like Anti-Virus and Anti-Bot would be more suited to block this kind of attack.
Regards, Maarten
PhoneBoy
Admin

Without knowing the nature of the scanning, I can't say whether or not we would detect this.
If you haven't already cleaned the system, take some packet captures from the infected system and open a TAC case.

In general, I'm with everyone else on this thread: there's no reason SMB should be open outbound to the Internet.
HeikoAnkenbrand
Champion

If you think this is a virus communication which is not recognized, open a Check Point TAC ticket.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
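
The pattern discussed in this thread (one internal host opening TCP/445 sessions to many different internet addresses, each accepted as an ordinary firewall session) can be correlated from exported connection logs. The following is an added example, not code from any poster or from Check Point; the four-column record layout, the threshold and all sample records are constructed assumptions, and the sample is treated as a single time window.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: "internal" means RFC 1918 space; adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: src,dst,dport,action (not a Check Point log format).
SAMPLE_LOG = """\
10.110.33.178,198.51.100.7,445,accept
10.110.33.178,198.51.100.8,445,accept
10.110.33.178,203.0.113.15,445,accept
10.110.33.178,203.0.113.99,445,accept
10.110.33.178,192.0.2.41,445,accept
10.110.33.178,192.0.2.200,445,accept
10.110.33.20,198.51.100.7,445,accept
10.110.33.20,198.51.100.7,445,accept
10.110.33.21,10.110.1.5,445,accept
10.110.33.22,203.0.113.15,443,accept
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in INTERNAL_NETS)

def find_smb_scanners(log_text, threshold=5):
    """Return {src: count of distinct external dsts on TCP/445} for internal
    hosts whose outbound fan-out meets the threshold."""
    fanout = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # blank or malformed record
        src, dst, dport, _action = (field.strip() for field in row)
        try:
            outbound_smb = (dport == "445" and is_internal(src)
                            and not is_internal(dst))
        except ValueError:
            continue  # unparsable address
        if outbound_smb:
            fanout[src].add(dst)  # a set, so repeat sessions to one dst count once
    return {s: len(d) for s, d in fanout.items() if len(d) >= threshold}

if __name__ == "__main__":
    for host, count in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{host}: {count} distinct external TCP/445 destinations")
```

Internal file-server traffic and repeated sessions to a single destination are not flagged; only the fan-out to distinct external addresses is counted.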
