squawell
Explorer

Confused about Anti-Bot's log?

Hi Sir:

When I used SmartView to view the Anti-Bot log, there are two actions: Prevent and Detect. Which one should I fix if there is a security risk? According to the logs, I can't find any URL in the user's browser history that matches the log. So how can I fix the situation that is causing the security issue? Below is part of the SmartView Anti-Bot log:

Time: 2023/1/31 23:34
Blade: Anti-Bot
Action: Prevent
Type: Log
Severity: Low
Confidence Level: High
Suppressed Logs: 2
Source: ip_192.168.2.229 (192.168.2.229)
Source User Name: (blank in the paste)
Machine Name: (blank in the paste)
Destination: serfrload05.top (62.0.58.94)
Protection Type: DNS Trap
Sent Bytes: 0
Received Bytes: 0
Malware Family: (blank in the paste)
Malware Action: Communication with C&C site
Protection Name / Resource: SFMHX.TC.fdf3XXAiwxanalytics.ru (the two fields ran together in the paste)

Check Point version: R80.40

Any help will be appreciated, thanks.

Chris_Atkinson
Employee

Potentially both, depending on severity, since Anti-Bot is a post-infection mitigation, i.e. we are preventing communication with C2, implying something is already occurring on the machine.

Also note:

1. The user didn't necessarily browse to this address themselves, so expecting it in the browser history is not foolproof.

2. In R81 and higher we altered/improved the logging for Anti-bot DNS malware trap events to ensure clarity around events previously shown as "detect".

3. Have you reviewed other forensics from the machine or your endpoint solution?

CCSM R77/R80/ELITE
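As an added example (not code from the thread, and not a Check Point tool), here is a small Python triage pass over a SmartView-style CSV export that applies the points in the reply above: keep both Prevent and Detect rows, rank source hosts by severity and confidence with Detect weighted higher because that traffic was not blocked, and treat every host with an Anti-Bot C&C event as a candidate for endpoint forensics instead of searching browser history for the URL. The column names follow the post; the first data row mirrors the event in the post, while the other rows, the hostnames and the scoring weights are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export for this example. The first data row mirrors the
# event in the post; the other rows, hosts and domains are made up.
SAMPLE_EXPORT = """\
Time,Blade,Action,Severity,Confidence Level,Source,Destination,Protection Type,Malware Action
2023/1/31 23:34,Anti-Bot,Prevent,Low,High,192.168.2.229,serfrload05.top,DNS Trap,Communication with C&C site
2023/1/31 23:41,Anti-Bot,Detect,Medium,Medium-High,192.168.2.229,beacon.c2.example,DNS Trap,Communication with C&C site
2023/2/1 00:02,Anti-Bot,Prevent,High,High,192.168.2.77,drop.c2.example,URL Reputation,Communication with C&C site
2023/2/1 00:05,Anti-Bot,Detect,Low,Low,192.168.2.140,ads.tracker.example,URL Reputation,Malicious activity
2023/2/1 00:07,Anti-Virus,Prevent,High,High,192.168.2.140,files.example,Reputation,Malicious file
"""

# Assumed weights (not from Check Point): severity x confidence, plus a bonus
# when the action is Detect, i.e. the gateway let the traffic through.
SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
CONFIDENCE = {"Low": 1, "Medium": 2, "Medium-High": 3, "High": 4}
DETECT_BONUS = 3


def parse_export(text):
    """Parse a CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def event_score(row):
    """Score one event; unknown severity/confidence labels score 0."""
    score = SEVERITY.get(row["Severity"], 0) * CONFIDENCE.get(row["Confidence Level"], 0)
    if row["Action"] == "Detect":
        score += DETECT_BONUS
    return score


def triage(rows):
    """Group Anti-Bot events by source host and rank the hosts for forensics.

    Prevent and Detect rows are both kept: Prevent only says the gateway stopped
    this one C2 attempt, the host that made it is still presumed infected.
    """
    hosts = defaultdict(lambda: {"events": 0, "prevent": 0, "detect": 0,
                                 "c2_events": 0, "score": 0, "destinations": set()})
    for r in rows:
        if r["Blade"] != "Anti-Bot":
            continue  # other blades (Anti-Virus, IPS) get their own triage
        h = hosts[r["Source"]]
        h["events"] += 1
        if r["Action"] == "Prevent":
            h["prevent"] += 1
        elif r["Action"] == "Detect":
            h["detect"] += 1
        if r["Protection Type"] == "DNS Trap" or "C&C" in r["Malware Action"]:
            h["c2_events"] += 1
        h["score"] = max(h["score"], event_score(r))
        h["destinations"].add(r["Destination"])
    ranked = [dict(host=host, **data) for host, data in hosts.items()]
    ranked.sort(key=lambda h: (h["score"], h["events"]), reverse=True)
    return ranked


def report(ranked):
    """One action line per host, most urgent first."""
    lines = []
    for h in ranked:
        if h["detect"]:
            note = "C2 traffic was allowed (Detect); isolate and collect forensics now"
        else:
            note = "blocked at the gateway; still run endpoint forensics on the host"
        lines.append(f'{h["host"]}: score={h["score"]} events={h["events"]} '
                     f'(prevent={h["prevent"]}, detect={h["detect"]}, c2={h["c2_events"]}) '
                     f'-> {note}; destinations={sorted(h["destinations"])}')
    return lines


if __name__ == "__main__":
    for line in report(triage(parse_export(SAMPLE_EXPORT))):
        print(line)
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the only thing the script relies on is the column names shown in the post. Note that the browser-history check from the question is deliberately absent: the DNS Trap event fires on a resolution attempt, which malware can make without the user ever opening a browser.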
