confused about anti-bot's log ?

squawell · ‎2023-02-16

Hi Sir:

when i used smartview to view anti-bot's log, there are two actions: prevent and detect.which one i should fix if there are security risk?acorrding the logs, in users browser record cant find any url match the log.so how can i fix the situation to cause security issue?below is part of smartview anti-bot's log:

Time

Blade

Action

Type

Severity

Confidence Level

Suppressed Logs

Source

Source User Name

Machine Name

Destination

Protection Type

Sent Bytes

Received Bytes

Malware Family

Malware Action

Protection Name

Resource

2023/1/31 23:34

Anti-Bot

Prevent

Log

Low

High

2

ip_192.168.2.229 (192.168.2.229)

serfrload05.top (62.0.58.94)

DNS Trap

0

Communication with C&C site

SFMHX.TC.fdf3XXAi

wxanalytics.ru

checkpoint version: R80.40

any help will be appreciate, thanks.

Chris_Atkinson · ‎2023-02-17

Potentially both depending on severity since Anti-bot is a post infection mitigation i.e. we are preventing communication with C2 implying something is already occuring on the machine.

Also note:

1. The user didn't necessarily browse to this address themselves so expecting it in the browser history is not fool proof.

2. In R81 and higher we altered/improved the logging for Anti-bot DNS malware trap events to ensure clarity around events previously shown as "detect".

3. Have you reviewed other forensics from the machine or your endpoint solution?

CCSM R77/R80/ELITE

Are you a member of CheckMates?

confused about anti-bot's log ?