Matlu
Advisor

Traffic blocked by AV and Anti-Bot blades

Hello, everybody.

I have a ClusterXL with R81.10 version.

Currently we have one IP, from a server in our LAN, which seems to have "malware problems, or some virus", because in the AV and Anti-Bot blade logs in SmartConsole the following is observed.

AB.png

AV.png

We want to be "sure" that ClusterXL is "blocking" this traffic from this server.

Does the "PREVENT" action "give us that peace of mind" that the traffic is being blocked, or do we need to check something else in the Firewall?

These are some reference images.

AV3.png

AV2.jpg

I hope you can help me with any comments.

Thank you.

0 Kudos
5 Replies
Chris_Atkinson
Employee

The listed connections have been prevented (blocked) as outlined in sk74060.

You should investigate the actual endpoint itself further in addition to other traffic logs for this host.

CCSM R77/R80/ELITE
0 Kudos
Matlu
Advisor

I'm left with a bigger question based on your comment and the SK.

According to the logs I have shared, in my scenario, is the traffic being "blocked" or "allowed"?

Because I have assumed, by seeing "PREVENT", that the traffic from that IP in my DMZ is being blocked when it tries to reach that destination.

0 Kudos
_Val_
Admin

Logs are showing that attempts to resolve C&C IPs are blocked.

0 Kudos
Matlu
Advisor

The profile I am using for this type of scenario is as follows:

AV4.png

Can we have the "peace of mind" that we have well configured the profile to prevent the server from attempting this type of connection?

Thank you for your comments.

0 Kudos
_Val_
Admin

You need to define "Peace of mind" first. In this profile, DNS requests to known and suspected C&Cs will be trapped and blocked. This does not give you 100% protection from malware. You still need to clean up the infected hosts.

0 Kudos
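A small triage helper that follows the advice given in this thread: Prevent events confirm the connection was blocked, but any Anti-Bot or Anti-Virus hit means the host still needs investigating and cleaning, and its other traffic logs deserve a look. This is an added example, not code from the thread or from Check Point; the key=value export format and field names (product, action, src, dst, service, protection_type) are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed key=value export style; check the
# field names against your own log export before running this on real data.
SAMPLE_LOGS = """\
product="Anti-Bot" action="Prevent" src=10.10.5.23 dst=10.10.0.2 service=53 protection_type="DNS Trap"
product="Anti-Bot" action="Prevent" src=10.10.5.23 dst=10.10.0.2 service=53 protection_type="DNS Trap"
product="Anti-Virus" action="Prevent" src=10.10.5.23 dst=203.0.113.7 service=80 protection_type="URL Reputation"
product="Anti-Bot" action="Detect" src=10.10.5.40 dst=10.10.0.2 service=53 protection_type="DNS Trap"
product="Firewall" action="Accept" src=10.10.5.23 dst=198.51.100.9 service=443
product="Firewall" action="Accept" src=10.10.5.23 dst=198.51.100.9 service=443
product="Firewall" action="Accept" src=10.10.5.99 dst=10.10.0.2 service=53
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
THREAT_BLADES = {"Anti-Bot", "Anti-Virus"}


def parse_line(line):
    """Turn one key=value line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def summarize(log_text):
    """Per source host: threat-prevention hits counted by action, which blades
    fired, and how many ordinary (non threat-prevention) connections it made."""
    hosts = defaultdict(lambda: {"hits": Counter(), "blades": set(), "other": 0})
    for line in log_text.splitlines():
        event = parse_line(line)
        if not event.get("src"):
            continue  # skip lines without a source address
        host = hosts[event["src"]]
        if event.get("product") in THREAT_BLADES:
            host["hits"][event.get("action", "unknown")] += 1
            host["blades"].add(event["product"])
        else:
            host["other"] += 1
    return hosts


def hosts_needing_cleanup(hosts):
    """Any Anti-Bot/Anti-Virus hit, Prevent or Detect, means the host tried to
    reach malicious infrastructure: blocking the connection does not disinfect it."""
    return sorted(ip for ip, h in hosts.items() if sum(h["hits"].values()) > 0)


def fully_prevented(hosts, ip):
    """True when every threat-prevention hit for this host was a Prevent."""
    hits = hosts[ip]["hits"]
    return hits["Prevent"] > 0 and hits["Detect"] == 0


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS)
    for ip in hosts_needing_cleanup(summary):
        h = summary[ip]
        print(ip, dict(h["hits"]), sorted(h["blades"]), "other connections:", h["other"])
```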
