Anti-Bot and Anti-Virus in SmartView Tracker

Related Topics

Log Sessions

Anti-Bot and Anti-Virus Logs

Viewing Logs

Viewing Packet Capture Data

Using Predefined Queries

Log Sessions

Gateway traffic generates a large amount of activity. To keep the number of logs manageable, logs are consolidated by session by default. A session is a period that starts when a user first accesses an application or site. During a session, the gateway records one log for each application or site that the user accesses, and all of that user's activity with the application or site during the session is included in that one log.

To see the number of connections made during a session, see the Suppressed Logs field of the log in SmartView Tracker.

In SmartEvent the number of connections during the session is in the Total Connections field of the Event Details.

Session duration for all connections that are prevented or detected in the Rule Base is 10 hours by default. You can change this in SmartDashboard from the Anti-Bot and Anti-Virus tab > Advanced > Engine Settings > Session Timeout. Because one session log stands for every connection in that window, counting log entries understates traffic volume; use the Suppressed Logs (or Total Connections) value when you need the number of connections.
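The following script is an added example, not code from the Check Point documentation or product. It models the consolidation rule the page describes (a session starts at a user's first access to an application or site, one log per application or site per session, a 10-hour default session duration) over constructed connection events, to show how many connections end up behind a single session log. Two details the page leaves open are assumptions here: the session key is the (user, site) pair, and the timeout is a fixed window measured from the first connection of the session.

```python
"""Model of session-based log consolidation (added example; not Check Point code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Default from Anti-Bot and Anti-Virus tab > Advanced > Engine Settings > Session Timeout.
SESSION_TIMEOUT = timedelta(hours=10)


@dataclass
class SessionLog:
    user: str
    site: str
    action: str
    started: datetime
    suppressed: int = 0  # connections folded into this log after the first one


def consolidate(events, timeout=SESSION_TIMEOUT):
    """events: iterable of (timestamp, user, site, action) tuples, in any order.

    Returns the session logs the gateway would emit, in start order.
    Assumptions: session key is (user, site); the window is fixed from the
    first connection of the session rather than an idle timeout.
    """
    open_sessions = {}  # (user, site) -> SessionLog currently collecting connections
    logs = []
    for ts, user, site, action in sorted(events):
        key = (user, site)
        current = open_sessions.get(key)
        if current is None or ts - current.started >= timeout:
            # First access, or the previous session's window has expired: new log.
            current = SessionLog(user, site, action, ts)
            open_sessions[key] = current
            logs.append(current)
        else:
            # Same user, same site, inside the window: counted, not logged again.
            current.suppressed += 1
    return logs


def beacon_events(user, site, start, every, count, action="Prevent"):
    """Constructed sample: a bot beaconing to one site at a fixed interval."""
    return [(start + i * every, user, site, action) for i in range(count)]


def demo():
    start = datetime(2013, 6, 10, 8, 0)  # constructed timestamp
    # 144 beacons five minutes apart: 12 hours of prevented C2 traffic from one host.
    events = beacon_events("10.1.1.20", "c2.example", start, timedelta(minutes=5), 144)
    # One detected access by another host, for contrast.
    events.append((start + timedelta(minutes=1), "10.1.1.21", "site.example", "Detect"))
    return consolidate(events)


if __name__ == "__main__":
    for log in demo():
        print(f"{log.started:%H:%M} {log.user} -> {log.site} "
              f"{log.action} suppressed_logs={log.suppressed}")
```

Run as-is, the 144 beacons produce only two Anti-Bot session logs (the second starts when the 10-hour window expires), so an analyst who counts log lines sees 2 entries. The beacon volume is in the suppressed count, which is what the Suppressed Logs field in SmartView Tracker and the Total Connections field in SmartEvent expose.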

Anti-Bot and Anti-Virus Logs

Logs from Anti-Bot and Anti-Virus are shown in SmartView Tracker. A log is generated if you set the Track option in a Rule Base rule to Log.

Viewing Logs

To open SmartView Tracker do one of these:

  • Click Start > Check Point > SmartView Tracker.
  • From the Anti-Bot and Anti-Virus tab > Navigation Tree > Track Logs link.
  • From the Anti-Bot and Anti-Virus tab > Overview > Statistics > Logs link.
  • From the SmartDashboard toolbar of any SmartConsole application, select Window > SmartView Tracker or press Control + Shift + T.

Updating the Anti-Bot and Anti-Virus Rule Base

In some cases, after evaluating a log, it may be necessary to update a rule or rule exception in the SmartDashboard Rule Base. You can do this directly from within SmartView Tracker.

To update a rule in the Anti-Bot and Anti-Virus Rule Base:

  1. Right-click the log entry.
  2. Select Go to Rule.

    SmartDashboard opens showing the related rule in the Anti-Bot and Anti-Virus Rule Base.

  3. Make the required changes.
  4. Click Install Policy to install the dedicated Anti-Bot and Anti-Virus policy.

To update a rule exception in the Anti-Bot and Anti-Virus Rule Base:

  1. Right-click the log entry.
  2. Select Add Exception to the Rule.

    SmartDashboard opens and shows an Add Exception window in the Anti-Bot and Anti-Virus Rule Base. These details are shown:

    • Protection - The name of the protection. Details are taken from the ThreatCloud repository or, if there is no connectivity, from the log.
    • Scope - The scope is taken from the log. If there is no related host object, an object is created automatically after you click OK. Click the plus sign to add additional objects.
    • Install On - Shows All by default. You can use the plus sign to add gateways.
  3. Select an Exception Scope option:
    • Apply Exception to rule number X - If you want the exception to apply only to the related rule.
    • Apply Exception to all rules - If you want the exception to apply to all rules. The exception is added to the Exception Groups > Global Exceptions pane.
  4. Click OK.

    The exception is added to the Rule Base with its Action set to Detect by default, which lets the matching traffic through and only logs it. Change the Action if necessary, and keep the Scope as narrow as the log allows.

  5. Click Install Policy to install the dedicated Anti-Bot and Anti-Virus policy.

Accessing the Threat Wiki

You can open the Threat Wiki from within SmartView Tracker to get more information about a specified protection.

To open the Threat Wiki:

  • Click the malware protection link in the Protection Name field of a log record.

Viewing Packet Capture Data

If you set a rule with the Packet Capture track option, you can see the captures in SmartView Tracker.

To see packet captures in SmartView Tracker:

  1. Locate the log entry with the packet capture.
  2. Right-click the entry and select View packet capture.
  3. Select Internal Viewer and click OK.

    The packet is shown in the Viewer Output window.

    You can also use a third-party capture application by selecting Choose Program and entering the application in the Program Name field.

Using Predefined Queries

There are multiple predefined queries in Network and Endpoint Queries > Predefined > Network Security Blades > Anti-Bot & Anti-Virus. You can filter the queries to focus on logs of interest.

  • Anti-Bot - Shows Anti-Bot traffic (prevented and detected connections).
  • Anti-Virus - Shows Anti-Virus traffic (prevented and detected connections).
  • Blocked Incidents - Shows all Anti-Bot and Anti-Virus blocked (prevented) traffic.
  • All - Shows all Anti-Bot and Anti-Virus traffic, including all prevented and detected connections.
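The script below is an added example, not part of the documentation or of Check Point's tooling. It reproduces the four predefined queries as filters over a text log export and then ranks the blocked protections by connections rather than by log lines, which ties the query results back to the session consolidation described under Log Sessions. Assumptions: records are one per line as semicolon-delimited key=value pairs (the shape of a text log export); the field names product, action, protection_name and suppressed_logs, and the values Anti-Bot, Anti-Virus, Prevent and Detect, are illustrative; the records themselves are constructed; and "connections behind a log" is read as the logged connection plus the Suppressed Logs count.

```python
"""Predefined Anti-Bot & Anti-Virus queries as filters over an exported log (added example)."""
from collections import Counter

# Constructed sample export: semicolon-delimited key=value records, one per line.
# Field names and values are assumed for illustration.
SAMPLE_EXPORT = """\
time=10Jun2013 09:12:01;product=Anti-Bot;action=Prevent;src=10.1.1.20;protection_name=Example.C2.Beacon;suppressed_logs=119
time=10Jun2013 09:13:40;product=Anti-Virus;action=Detect;src=10.1.1.21;protection_name=Example.Trojan.Dropper;suppressed_logs=0
time=10Jun2013 09:15:07;product=Anti-Bot;action=Detect;src=10.1.1.22;protection_name=Example.DNS.Trap;suppressed_logs=3
time=10Jun2013 09:20:55;product=Anti-Virus;action=Prevent;src=10.1.1.23;protection_name=Example.Malicious.URL;suppressed_logs=2
time=10Jun2013 09:21:10;product=Firewall;action=Accept;src=10.1.1.24;dst=203.0.113.5
"""

TP_BLADES = {"Anti-Bot", "Anti-Virus"}
TP_ACTIONS = {"Prevent", "Detect"}


def parse_export(text):
    """Parse key=value;key=value lines into dicts. Unknown fields are kept as-is."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = {}
        for pair in line.split(";"):
            key, sep, value = pair.partition("=")
            if sep:  # skip fragments with no '='
                record[key.strip()] = value.strip()
        records.append(record)
    return records


# One predicate per entry under Predefined > Network Security Blades > Anti-Bot & Anti-Virus.
PREDEFINED_QUERIES = {
    "Anti-Bot": lambda r: r.get("product") == "Anti-Bot" and r.get("action") in TP_ACTIONS,
    "Anti-Virus": lambda r: r.get("product") == "Anti-Virus" and r.get("action") in TP_ACTIONS,
    "Blocked Incidents": lambda r: r.get("product") in TP_BLADES and r.get("action") == "Prevent",
    "All": lambda r: r.get("product") in TP_BLADES and r.get("action") in TP_ACTIONS,
}


def run_query(records, name):
    """Apply one predefined query by name and return the matching records."""
    return [r for r in records if PREDEFINED_QUERIES[name](r)]


def session_connections(record):
    """Connections behind one session log: the logged connection plus those in
    Suppressed Logs. A record without the field is a single connection."""
    return 1 + int(record.get("suppressed_logs", 0))


def connections_by_protection(records):
    """Rank protections by connections, not by log lines, so a beaconing host is not
    hidden behind a single consolidated entry."""
    totals = Counter()
    for record in records:
        totals[record.get("protection_name", "(none)")] += session_connections(record)
    return totals


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for name in PREDEFINED_QUERIES:
        print(f"{name}: {len(run_query(recs, name))} log(s)")
    blocked = connections_by_protection(run_query(recs, "Blocked Incidents"))
    for protection, n in blocked.most_common():
        print(f"  {protection}: {n} prevented connection(s)")
```

The Firewall record falls out of every query, Blocked Incidents keeps only the two Prevent records, and the ranking shows the C2 beacon at 120 prevented connections even though it appears on one line of the export.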
 
©2013 Check Point Software Technologies Ltd. All rights reserved.