This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Samphas1
Participant
‎2023-05-18 08:07 PM

Log just detected not prevented

Dear team,

I really concerning with the threat prevention policy and log just detected and not prevented as below info.

 Protection Detail:

     - Severity :                      Medium

     - Confidence Level:      High

     -  Malware Action:        DNS query for a C&C site

     - Protection Name:      FlawedGrace.TC.63bbSXCU

     - Protection Type:         DNS Reputation

 

Noted:  what I was concern the policy action is Detect and Connection was allowed because background classification mode was set.See sk 74120 for more information.

Could you please explain me is action just only Detect and Connection was allowed. Is it impact or not? what is the action recommendation ?

19-May-23.PNG

0 Kudos
7 Replies
G_W_Albrecht
Legend Legend
Legend
‎2023-05-19 12:02 AM

Seems you set TP to Background. The sk74120: Why Anti-Bot and Anti-Virus connections may be allowed even in Prevent mode gives you all details and helps you to set it to fail-close and hold...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Samphas1
Participant
‎2023-05-19 12:47 AM
In response to G_W_Albrecht

The Detect and Connection was allowed. Is it impact or not? what is the action recommendation. 

It will be high risk or not?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-05-19 12:53 AM
In response to Samphas1

You only need to read the message: Severity Medium - TP was bypassed as it is set to background mode. First action would be scanning the source PC for malware. sk74120: Why Anti-Bot and Anti-Virus connections may be allowed even in Prevent mode gives you all details and helps you to set it to fail-close and hold...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Samphas1
Participant
‎2023-05-21 08:03 PM
In response to G_W_Albrecht

The action just detected and the connection was allowed. Mean that it is not prevent by CheckPoint ?

It will impact or high risky??

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-05-22 01:07 AM
In response to Samphas1

As you configured background, that can happen, therefore i suggested to set it to hold ! It is classified as Medium Severity - DNS Query for C & C site, this could be caused by malware (but you would have many of these in logs), a visit of a dangerous website (that needs not to have caused any infection) or false positive (always possible). Immediately disconnect the users PC from the network and do local malware scans !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Samphas1
Participant
‎2023-05-24 06:24 PM
In response to G_W_Albrecht

Could you please explain the anti-bot blade logs as below:

The action are detected and prevented with the same source and destination.

25-May-23.PNG

 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-05-22 04:53 AM
In response to Samphas1

Gunter gave you a great explanation, here is the content from my updated R81.20 IPS/AV/ABOT course discussing your exact situation in more detail:

 back1.pngback2.pngback3.pngback4.png

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events