Found Bot activity
Hi Guys,
I found the attached notification in the Quantum Spark device (1530) for botnet activity.
Looking at the notification, it seems to be flagging a connection from a command and control site, but the source 8.8.8.8 belongs to Google. If that's the case, CP should be aware that it belongs to Google and shouldn't have flagged it in the first place.
Am I missing anything here?
Appreciate your thoughts on this.
Cheers
Srini
Accepted Solutions
Looks like you visited a site that tried to connect to a bad malware IP. If on the client suddenly a page jumped by itself to an unknown porn or similar site, after closing the page, you will be shown this message. If you can refer to such an occurrence, there is no malware infection - also, after clicking "I fixed it", the message should not reoccur...
Hi Srini
Just to be clear, the log doesn't say the attack is from 8.8.8.8 (legitimate Google DNS server) but rather that the response to the DNS query regarding a malicious domain was returned from that IP.
Usually in the logs we see also the domain that caused the trigger. What other data exists on the log card?
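To make the point above concrete, here is an added triage helper (example code for this thread, not Check Point's own). It assumes a constructed key=value log line format that is not the Quantum Spark log schema, a hard-coded list of public resolvers, and RFC 1918 ranges as "internal"; all three are assumptions to adjust to your environment. When the hit's source is a public resolver and the record carries a domain, the helper attributes the event to the reply's destination (the client that asked for the name) and pivots on the domain rather than on 8.8.8.8, and it flags Detect-only hits for follow-up.

```python
"""Triage helper for DNS-reputation Anti-Bot hits.

Added example for this thread, not Check Point code. The key=value line format
below is constructed for the example and is not the Quantum Spark log schema; it
only models the fields the replies talk about: the source and destination of the
packet that raised the hit, the action, the protection name and the queried domain.
"""
import ipaddress
import re

# Well-known public resolvers (assumption for the example). Add your own internal
# resolvers so their replies are attributed to the querying client as well.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# RFC 1918 ranges stand in for "our side" here; adjust to your address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a constructed key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def _is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage(fields):
    """Decide which host on our side the hit concerns and which indicator to pivot on.

    A hit whose src is a public resolver and which carries a domain is a DNS
    reputation match: the resolver merely answered a query, so the host to look
    at is the reply's destination and the indicator is the domain, not the resolver.
    """
    src = fields.get("src", "")
    dst = fields.get("dst", "")
    domain = fields.get("domain")
    action = fields.get("action", "")
    if src in PUBLIC_RESOLVERS and domain:
        result = {"affected_host": dst, "indicator": domain, "kind": "dns_reputation"}
    elif _is_internal(src) and not _is_internal(dst):
        # Internal client talking outbound: the remote side is the indicator.
        result = {"affected_host": src, "indicator": dst, "kind": "outbound_connection"}
    else:
        result = {"affected_host": dst if _is_internal(dst) else src, "indicator": src, "kind": "other"}
    # Detect-only hits were not stopped by the gateway, so flag them for follow-up.
    result["needs_followup"] = action.lower() == "detect"
    return result


# Constructed sample lines (reserved documentation addresses and a .invalid name, not real traffic).
SAMPLE_LOGS = [
    'blade=Anti-Bot action=Prevent src=8.8.8.8 dst=192.168.1.20 proto=udp service=53 '
    'protection="Generic.TC.aesn" domain=c2.bad.invalid',
    'blade=Anti-Bot action=Detect src=192.168.1.33 dst=203.0.113.9 proto=tcp service=443 '
    'protection="Generic.TC.aesn"',
]


def triage_all(lines=SAMPLE_LOGS):
    """Triage every line and return one result dict per line."""
    return [triage(parse_line(line)) for line in lines]


if __name__ == "__main__":
    for r in triage_all():
        print(r)
```

Run it as-is to see the two constructed hits classified: the first is attributed to 192.168.1.20 with c2.bad.invalid as the indicator, the second to 192.168.1.33 and marked for follow-up because it was only detected.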
Hi Guys,
Thank you so much for the response,
Looking into the detailed security logs did reveal what Albrecht had highlighted. Looks like there was some connection towards a porn site without the user's knowledge. In fact I did find a lot of Anti-Bot and Anti-Virus alerts on his machine. On my way to installing Harmony Endpoint to scan his host in the first place, and then probably will tune the confidence level of Anti-Bot so it blocks instead of just detects.
One thing that could have been better is a drill-down option to the security log in the notification. The notification only shows an overview and you have to manually filter the security logs. Wish there was a link to the actual logs and I could have avoided this post.
Question: is there an internal portal where I can cross check and learn the protections like the one highlighted here, "Generic.TC.aesn"?
Cheers
The alert you show in your first post tells us that the connection was blocked! You should have configured all ABot settings to Prevent and not use any Detect in IPS.
Usually, clients surf porn sites and these connect to other pages that contact the C&C for malware, so you should better have URLF set to block inappropriate content.
https://threatwiki.checkpoint.com/threatwiki/public.htm
https://www.checkpoint.com/advisories/
https://research.checkpoint.com/