This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2023-07-03 08:00 AM

Traffic blocked by AV and Anti-Bot blades

Hello, everybody.

I have a ClusterXL with R81.10 version.

Currently, we have 1 IP from a server in our LAN, which seems to be having "malware problems, or some virus", because in the AV and Anti-Bot blades from the SmartConsole, the following is observed.

AB.png

AV.png

We want to be "sure" that ClusterXL is "blocking" this traffic from this server.

The "PREVENT" action can "give us that peace of mind" that the traffic is being blocked, or do we need to check something else in the Firewall?

These are some reference images.

AV3.pngAV2.jpg

I hope you can help me with any comments.

Thank you.

0 Kudos
5 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-07-03 08:52 AM

The listed connections have been prevented (blocked) as outlined in sk74060.

You should investigate the actual endpoint itself further in addition to other traffic logs for this host.

CCSM R77/R80/ELITE
0 Kudos
Matlu
Advisor
‎2023-07-03 09:09 AM
In response to Chris_Atkinson

i'm left with a bigger question based on your comment and the SK.

According to the logs I have shared, in my scenario, the traffic is being "blocked", or "allowed"????

Because I have assumed, by seeing "PREVENT", that the traffic from that IP in my DMZ, is being blocked, when it tries to reach that destination.

0 Kudos
_Val_
Admin
Admin
‎2023-07-03 09:21 AM
In response to Matlu

Logs are showing that attempts to resolve C&C IPs are blocked. 

0 Kudos
Matlu
Advisor
‎2023-07-03 09:34 AM
In response to _Val_

The profile I am using for this type of scenario is as follows:

AV4.png

Can we have the "peace of mind" that we have well configured the profile to prevent the server from attempting this type of connection?

Thank you for your comments.

0 Kudos
_Val_
Admin
Admin
‎2023-07-03 10:28 AM
In response to Matlu

You need to define "Peace of mind" first. In this profile, DNS requests to known and suspected C&Cs will be trapped and blocked. This does not give you 100% protection from malware. You still need to clean up the infected hosts.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events