Solved: Re: Infected hosts - but prevented

Network_M · ‎2018-07-13

In Smartview, in General Overview, there is written "Infected hosts" and shows quantity.

Infected hosts means - infected pcs as far as I understand.

But, when analyzing infected hosts, all of infections were prevented by blades.

If they had been prevented, why it is written "Infected hosts"?

How can we understand it clearly?

PhoneBoy · ‎2018-07-13

Anti-Bot in particular is considered a "post infection" blade.

Which means a host is considered infected (or at least potentially so) if it triggers an Anti-Bot signature.

View solution in original post

PhoneBoy · ‎2018-07-13

Anti-Bot in particular is considered a "post infection" blade.

Which means a host is considered infected (or at least potentially so) if it triggers an Anti-Bot signature.

Network_M · ‎2018-07-13

Then, firstly Bot infects host,

and after that Anti-Bot blade starts to work and prevents that, am I right?

First step infection, second prevention ?

PhoneBoy · ‎2018-07-14

Check Point is not "infecting" a host.

What is being blocked by Anti-Bot is attempts by a host to communicate directly with known bot command and control sites and/or other malicious sites—sites users wouldn't generally visit on their own.

You should be able to click on the number of infected hosts in the SmartEvent dashboard to see exactly why in your specific case the host is tagged as being counted in this way.

Kim_Moberg · ‎2018-07-14

Also recommended to enable dns-trap if you use a local dns forward to an external dns server like google 8.8.8.8

Best Regards
Kim

Network_M · ‎2018-07-14

If I enable DNS-Trap, will it mean that viruses and bots won't enter into my hosts via DNS requests ?

Nüüül · ‎2018-07-14

Hi,

The fact, that checkpoint recognized the host as infected doesn´t mean, the infection came via the firewall. For example some kind of bad USB sticks. Or email attachements or what ever...

Anti Bot recognizes the communication to command and control servers and following to this states the host as infected.

Spreading might () be possible to be prevented i.e. by functioning IPS

DNS Trap does answer DNS request for known malicious domains with fake IPs. More informations:

Anti-Virus Malware DNS Trap feature

Even though your firewall recognizes your host as infected, does NOT mean, that it will heal the host. There is still something bad going on on the client...

Regards,

Daniel

Pedro_Espindola · ‎2018-07-14

DNS-Trap has nothing to do with preventing infection via DNS.

DNS-Trap is responsible for returning fake IPs when the host requests for the IP address of a bot related site. This way the host will try to transmit whatever it wanted to transmit to the fake IP.

If the host is in fact infected the connection to the fake IP will probably be malicious and this will help you identify if this is in fact a bot and not a false positive.

_Val_ · ‎2018-07-15

As Dameon Welch Abernathy already mentioned above, Anti-Bot shows you info about blocked malicious activity from your assets that are already compromised.

For example, if a machine is already infected with a bot-ware, it will try report to C&C and/or to download additional malware modules and tools. Such activity can be detected and blocked by Anti-Bot blade, hence a number of "infected hosts" in your logs.

To learn more about functionalities and abilities of Anti-Bot and other Threat Prevention blades, please refer to the documentation: Threat Prevention Pre-R80 Security Gateways with R80 Security Management

Are you a member of CheckMates?

Infected hosts - but prevented