Hosts that Downloaded Malicious Files (Attacks Allowed By Policy)

Description

In the main Cyber Attack View, in the Attacks Allowed By Policy section, double-click Hosts that Downloaded Malicious Files.

Note - Select the desired report period in the top left corner of this view. For example, Last 7 Days, This Month, and so on.

This drill-down view summarizes attacks that used malicious files: every malicious file caught by Check Point Threat Prevention's multi-layer protections in a connection that the policy nevertheless allowed (hence its place in the Attacks Allowed By Policy section).

Drill-Down View

This is an obfuscated example of the drill-down view:

To see the applicable logs (the next drill-down level), double-click on a value.

Available Widgets

Widgets available in the drill-down view:

Malicious Downloaded Files (Infographic)

Shows:

  • The number of hosts that downloaded malicious files.

  • The number of downloaded malicious files.

Malware Families (Chart)

Shows the top downloaded malware families (based on Check Point ThreatWiki and Check Point Research). Different colors show different families.

Top Users that Downloaded Malicious Files (Chart)

Shows the hosts that downloaded the largest number of malicious files, sorted by the number of malicious files each host downloaded.

Top Downloaded Malicious Files (Chart)

Shows the number of downloads for the top malicious files, sorted by the number of times each file appears in the logs.

Detected Malicious Files (Table)

Lists the downloaded malicious files, with these columns:

  • The host that downloaded the file

  • The name of the protection that detected the file

  • The name of the malicious file

  • The type of the malicious file

  • The MD5 hash of the malicious file

  • The malicious domain

Timeline of Downloaded Malicious Files (Top 10 Protections) (Timeline)

Shows the number of logs for downloaded malicious files over the report period. Different colors show different files.

Widget Query

In addition to the Default Query, the widget runs this query:

Custom Filter = ((blade:"threat emulation") OR (blade:"anti-virus" AND "signature") OR (blade:ips AND (("Adobe Reader Violation" OR "Content Protection Violation" OR "Instant Messenger" OR "Adobe Flash Protection Violation"))))

Best Practices

Best practices against malicious files:

  • In the Attacks Allowed By Policy section, click Hosts that Downloaded Malicious Files.

    1. In the Malicious Downloaded Files widget, double-click the Hosts Were Detected Downloading Malicious Files infographic.

    2. Filter the resulting logs to events from the IPS Software Blade only (for example, blade:ips).

    3. Examine the IPS protections that are currently configured in Detect mode and decide whether you can change them to Prevent mode. A protection in Detect mode logs the download but lets the file reach the host, which is why the event appears under Attacks Allowed By Policy.

      To configure IPS protections in SmartConsole: from the left navigation panel, click Security Policies > Threat Prevention > IPS Protections (at the bottom) > edit the applicable IPS protection > install the Threat Prevention Policy.

  • In the Threat Prevention logs from the Security Gateway, examine the Description field (see Log Fields) to see whether the Anti-Virus Software Blade inspected the file in Background or Hold mode. In Background mode the gateway allows the connection while classification completes, so the file can reach the host before the verdict arrives; in Hold mode the connection is held until the verdict is known.

    In addition, read sk74120: Why Anti-Bot and Anti-Virus connections may be allowed even in Prevent mode.
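The following is an added example, not Check Point's own code, that serves both the Widget Query and the Best Practices above: it applies the widget's Custom Filter to a few constructed Threat Prevention log records, rebuilds the drill-down counts (hosts, files, families, top hosts, top files, logs per protection) from the matches, and then runs the triage the best practices describe (IPS protections still in Detect mode, Anti-Virus matches handled in Background mode). The log keys (blade, action, src, file_name, file_type, file_md5, protection_name, protection_type, malware_family, resource, description) are assumptions modelled on Check Point log fields, and a bare quoted term such as "signature" in the query is treated as a free-text match across every field of the log; adjust both to your own log export.

```python
"""Added example (not Check Point code): evaluate the widget's Custom Filter over
log records, rebuild the drill-down summaries, and run the Best Practices triage.
Field names are assumptions modelled on Check Point log fields."""
from collections import Counter

# The four IPS protection names from the widget's Custom Filter.
IPS_PROTECTION_TERMS = (
    "Adobe Reader Violation",
    "Content Protection Violation",
    "Instant Messenger",
    "Adobe Flash Protection Violation",
)

# Constructed sample logs, not real gateway output.
SAMPLE_LOGS = [
    {"blade": "Threat Emulation", "action": "Detect", "src": "10.1.1.10",
     "file_name": "invoice.pdf", "file_type": "pdf", "file_md5": "a1" * 16,
     "protection_name": "Exploited pdf document", "malware_family": "Emotet",
     "resource": "http://files.example.test/invoice.pdf", "description": ""},
    {"blade": "Anti-Virus", "action": "Detect", "src": "10.1.1.11",
     "file_name": "setup.exe", "file_type": "exe", "file_md5": "b2" * 16,
     "protection_name": "Trojan.Win32.Agent", "protection_type": "signature",
     "malware_family": "Emotet", "resource": "http://dl.example.test/setup.exe",
     "description": "Scan in Background mode; file delivered before verdict"},
    {"blade": "Anti-Virus", "action": "Prevent", "src": "10.1.1.12",
     "file_name": "", "file_type": "", "file_md5": "",
     "protection_name": "Malicious URL reputation", "malware_family": "",
     "resource": "http://bad.example.test/", "description": "URL blocked"},
    {"blade": "IPS", "action": "Detect", "src": "10.1.1.10",
     "file_name": "exploit.pdf", "file_type": "pdf", "file_md5": "c3" * 16,
     "protection_name": "Adobe Reader Violation", "malware_family": "Exploit.PDF",
     "resource": "http://files.example.test/exploit.pdf", "description": ""},
    {"blade": "IPS", "action": "Prevent", "src": "10.1.1.13",
     "file_name": "", "file_type": "", "file_md5": "",
     "protection_name": "SQL Injection", "malware_family": "",
     "resource": "http://app.example.test/login", "description": ""},
]


def _text(log):
    """Every field value of one log joined, for the free-text terms in the query."""
    return " ".join(str(value) for value in log.values()).lower()


def matches_widget_query(log):
    """Python form of the widget's Custom Filter:
    (blade:"threat emulation") OR (blade:"anti-virus" AND "signature")
      OR (blade:ips AND (<one of IPS_PROTECTION_TERMS>)).
    Assumption: blade:x is an exact (case-insensitive) field match; a bare quoted
    term is searched across the whole log."""
    blade = log.get("blade", "").lower()
    if blade == "threat emulation":
        return True
    if blade == "anti-virus":
        return "signature" in _text(log)
    if blade == "ips":
        return any(term.lower() in _text(log) for term in IPS_PROTECTION_TERMS)
    return False


def summarize(logs):
    """Rebuild the drill-down widgets from the matching logs."""
    hits = [log for log in logs if matches_widget_query(log)]
    return {
        "hosts": len({log["src"] for log in hits}),            # infographic
        "files": len({log["file_md5"] for log in hits}),       # infographic
        "families": Counter(log["malware_family"] for log in hits).most_common(),
        "top_hosts": Counter(log["src"] for log in hits).most_common(),
        "top_files": Counter(log["file_name"] for log in hits).most_common(),
        "by_protection": Counter(log["protection_name"] for log in hits).most_common(),
    }


def triage(logs):
    """Best Practices: IPS protections that fired in Detect mode (candidates to
    move to Prevent) and Anti-Virus matches whose Description shows Background
    mode, i.e. the file was delivered before the verdict."""
    hits = [log for log in logs if matches_widget_query(log)]
    ips_detect = sorted({log["protection_name"] for log in hits
                         if log["blade"].lower() == "ips" and log["action"] == "Detect"})
    av_background = [log for log in hits
                     if log["blade"].lower() == "anti-virus"
                     and "background" in log["description"].lower()]
    return ips_detect, av_background


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS)
    print(f"{summary['hosts']} hosts downloaded {summary['files']} malicious files")
    print("Top families:", summary["families"])
    ips_detect, av_background = triage(SAMPLE_LOGS)
    print("IPS protections in Detect mode to review:", ips_detect)
    print("Anti-Virus matches scanned in Background mode:",
          [(log["src"], log["file_name"]) for log in av_background])
```

Note that the Anti-Virus URL-reputation log and the IPS SQL Injection log are excluded even though both are Threat Prevention events: the filter only admits file-based detections, which is what keeps the view about downloaded files rather than all allowed attacks.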