Samphas1
Participant

Log just detected not prevented

Dear team,

I am really concerned about the threat prevention policy: the log shows the event was only detected and not prevented, as in the information below.

Protection Detail:

- Severity: Medium
- Confidence Level: High
- Malware Action: DNS query for a C&C site
- Protection Name: FlawedGrace.TC.63bbSXCU
- Protection Type: DNS Reputation

Note: what concerns me is that the policy action is Detect and the connection was allowed because background classification mode was set. See sk74120 for more information.

Could you please explain to me why the action is only Detect and the connection was allowed? Does it have an impact or not? What is the recommended action?

(Screenshot attached: 19-May-23.PNG)

G_W_Albrecht
Legend

It seems you set TP to Background. sk74120: Why Anti-Bot and Anti-Virus connections may be allowed even in Prevent mode gives you all the details and helps you set it to fail-close and hold...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Samphas1
Participant

The action was Detect and the connection was allowed. Does it have an impact or not? What is the recommended action?

Is it high risk or not?

G_W_Albrecht
Legend

You only need to read the message: Severity Medium - TP was bypassed as it is set to background mode. The first action would be scanning the source PC for malware. sk74120: Why Anti-Bot and Anti-Virus connections may be allowed even in Prevent mode gives you all the details and helps you set it to fail-close and hold...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Samphas1
Participant

The action was only Detect and the connection was allowed. Does that mean it was not prevented by Check Point?

Will it have an impact, or is it high risk?

G_W_Albrecht
Legend

As you configured background, that can happen, therefore I suggested setting it to hold! It is classified as Medium Severity - DNS query for a C&C site. This could be caused by malware (but then you would have many of these in the logs), a visit to a dangerous website (which need not have caused any infection), or a false positive (always possible). Immediately disconnect the user's PC from the network and do local malware scans!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
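To make the distinction in the replies above concrete, here is an added example (not from the thread and not Check Point's own code) that triages Anti-Bot log lines: an event whose reason says the connection was allowed because of background classification mode is counted as an effective bypass of a Prevent policy, and any source host that issued a DNS query for a C&C site is flagged for the local malware scan recommended above. The key=value log layout, the IP addresses, and the second and third log lines are constructed for this example; only the field values of the first line come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample Anti-Bot log lines in a simple key=value layout. The layout is an
# assumption made for this example, not Check Point's real log format; the field names
# and the first line's values mirror the log card quoted in the thread.
SAMPLE_LOGS = [
    'action=Detect src=10.1.2.30 dst=203.0.113.9 severity=Medium confidence=High '
    'protection_type="DNS Reputation" protection_name=FlawedGrace.TC.63bbSXCU '
    'malware_action="DNS query for a C&C site" '
    'reason="Connection was allowed because background classification mode was set"',
    'action=Prevent src=10.1.2.30 dst=203.0.113.9 severity=Medium confidence=High '
    'protection_type="DNS Reputation" protection_name=FlawedGrace.TC.63bbSXCU '
    'malware_action="DNS query for a C&C site" reason=""',
    'action=Detect src=10.1.2.77 dst=198.51.100.4 severity=Low confidence=Medium '
    'protection_type="URL Reputation" protection_name=Example.Suspicious.Site '
    'malware_action="Access to a suspicious site" reason="Policy action is Detect"',
]

# key=value pairs; a quoted value may contain spaces, an unquoted one may not.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_log(line):
    """Turn one key=value log line into a dict of field name -> value."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD_RE.finditer(line)}

def classify(event):
    """Map one event to what actually happened on the wire."""
    if event.get("action") == "Prevent":
        return "prevented"
    if "background classification mode" in event.get("reason", ""):
        # Prevent policy, but the verdict arrived after the traffic was already let
        # through, so the connection completed. Hold mode (sk74120) closes this gap.
        return "bypassed"
    return "detected"          # policy itself was Detect: nothing was bypassed

def triage(lines):
    """Per source host: counts per outcome and whether a local malware scan is due."""
    summary = defaultdict(lambda: {"prevented": 0, "bypassed": 0,
                                   "detected": 0, "scan_host": False})
    for line in lines:
        ev = parse_log(line)
        entry = summary[ev["src"]]
        entry[classify(ev)] += 1
        # The host itself tried to resolve a C&C name, whatever the gateway did
        # with the packet, so it may already be infected and should be scanned.
        if "C&C" in ev.get("malware_action", ""):
            entry["scan_host"] = True
    return dict(summary)
```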
Samphas1
Participant

Could you please explain the anti-bot blade logs as below:

The actions are Detect and Prevent for the same source and destination.

(Screenshot attached: 25-May-23.PNG)

Timothy_Hall
Legend

Gunter gave you a great explanation. Here is the content from my updated R81.20 IPS/AV/ABOT course discussing your exact situation in more detail:

(Course slides attached as images: back1.png, back2.png, back3.png, back4.png)

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com