

Getting Started with Anti-Bot

In This Section:

Enabling the Anti-Bot Software Blade

Creating an Anti-Bot Policy

Enabling the Anti-Bot Software Blade

Enable the Anti-Bot Software Blade on a Security Gateway.

To enable the Anti-Bot Software Blade:

  1. In SmartDashboard, right-click the gateway object and select Edit.

    The Gateway Properties window opens.

  2. In the Network Security tab, select Anti-Bot.

    The Anti-Bot and Anti-Virus First Time Activation window opens.

  3. Select one of the activation mode options:
    • According to the Anti-Bot and Anti-Virus policy - Enable the Anti-Bot Software Blade and use the Anti-Bot settings of the Threat Prevention profile in the Threat Prevention policy.
    • Detect only - Packets are allowed, but the traffic is logged according to the settings in the Threat Prevention Rule Base.
  4. Click OK.
  5. Install the Threat Prevention policy.

Creating an Anti-Bot Policy

Create and manage the policy for the Anti-Bot Software Blade in the Threat Prevention tab of SmartDashboard. The policy shows the profiles set for network objects or locations defined as a protected scope.

  • The Overview pane shows a high-level summary of your Anti-Bot activity and traffic.
  • The Policy pane shows the rules and exceptions for the Anti-Bot policy. Click the Add Rule button to get started.
  • To learn about bots and protections, look through the Threat Wiki.

Creating Rules

Here are examples of how to create different types of Anti-Bot rules.

Blocking Bots

Scenario: I want to block bots in my organization. How can I do this?

To block bots in your organization:

  1. In the Gateway Properties page, select the Anti-Bot Software Blade.

    The First Time Activation window opens.

  2. Select According to the Anti-Bot and Anti-Virus policy and click OK.
  3. Select Threat Prevention > Policy.
  4. Click Add Rule.

    A new rule is added to the Threat Prevention policy. The Software Blade applies the first rule that matches the traffic.

  5. Make a rule that includes these components:
    • Name - Give the rule a name such as Block Bot Activity.
    • Protected Scope - The list of network objects you want to protect. In this example, the Any network object is used.
    • Action - The Profile that contains the protection settings you want. The default profile is Recommended_Profile.
    • Track - The type of log you want to get when detecting malware on this scope. In this example, keep Log and also select Packet Capture to capture the packets of malicious activity. In SmartView Tracker, you will then be able to view the actual packets.
    • Install On - Keep it as All or choose specified gateways to install the rule on.
  6. Install the Threat Prevention policy.

Monitoring Bot Activity

Scenario: I want to monitor bot activity in my organization without blocking traffic at all. How can I do this?

To monitor all bot activity:

  1. In the Threat Prevention tab of SmartDashboard, open the Policy pane.
  2. Click one of the Add Rule toolbar buttons to add the rule in the position that you choose in the Rule Base. The first rule matched is applied.
  3. Give the rule a name, such as Monitor Bot Activity.
  4. In Protected Scope, do not change from Any. The rule applies to all traffic in the organization.
  5. Right-click in the Action cell and select New Profile.
  6. In the New Profile window, set all confidence level settings to Detect.
  7. Set Performance Impact to Medium or lower.

    This profile will detect attacks with low, medium or high confidence and have a medium or lower performance impact.

  8. Name the profile.
  9. Click OK.

Name                  Protected Scope   Protection   Action       Track
Monitor Bot Activity  Any               - n/a        NewProfile   Log

Disabling a Protection on a Specified Server

Scenario: The protection Backdoor.Win32.Agent.AH detects malware on a server (Server_1). How can I disable this protection for this server only?

To add an exception to a rule:

  1. In the Threat Prevention tab of SmartDashboard, open the Policy pane.
  2. Click the rule that contains the scope of Server_1.
  3. Click the Add Exception toolbar button to add the exception under the rule. The first exception matched is applied.
  4. Make a rule exception that includes these components:
    • Name - Give the exception a name such as Exclude.
    • Protected Scope - Change it to Server_1 so that it applies to all detections on the server.
    • Protection/Site/File/Indicator - Click + in the cell to open the Add Objects window.
  5. Select items to exclude:
    • Protection - Predefined malware signature
    • Site - Web site, URL, or category of sites
    • File - Filenames

      Note - To add EICAR files as exceptions, you must add them as Whitelist Files. EICAR files added through Exceptions in Policy rules are still blocked.

  6. Click OK.
  7. In the rule, leave defaults for Action (Detect), Track (Log), and Install On (All).

Name      Protected Scope   Protection                Action   Track
Exclude   Server_1          Backdoor.Win32.Agent.AH   Detect   Log
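The three scenarios above all depend on the same evaluation order: the first rule whose Protected Scope matches the traffic is applied, and under that rule the first matching exception is applied. The following is an added example, not Check Point code or a Check Point API; the class and function names (Profile, Rule, RuleException, Detection, evaluate) and the sample profiles and detections are constructed for illustration. It models a Block Bot Activity rule on Any with the Exclude exception for Server_1, followed by a Monitor Bot Activity rule that can never be reached because the first rule already covers Any. The handling of a protection whose performance impact is above the profile threshold is an assumption of the model, not something the page states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed model (hypothetical names, not a Check Point API) of the
# Threat Prevention Rule Base semantics this page describes: the first rule
# whose Protected Scope matches the traffic is applied, and under that rule
# the first matching exception is applied.

ANY = "Any"
IMPACT_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Profile:
    name: str
    # Action for each protection confidence level: "Detect" or "Prevent".
    confidence_action: Dict[str, str]
    # Assumption: protections whose performance impact exceeds this
    # threshold are not activated by the profile.
    max_performance_impact: str = "Medium"


@dataclass
class RuleException:
    name: str
    protected_scope: Set[str]
    protections: Set[str]  # empty set means the exception covers any protection
    action: str = "Detect"
    track: str = "Log"


@dataclass
class Rule:
    name: str
    protected_scope: Set[str]
    profile: Profile
    track: str = "Log"
    exceptions: List[RuleException] = field(default_factory=list)


@dataclass
class Detection:
    host: str
    protection: str
    confidence: str          # "Low", "Medium" or "High"
    performance_impact: str  # "Low", "Medium" or "High"


def scope_matches(scope: Set[str], host: str) -> bool:
    return ANY in scope or host in scope


def evaluate(rule_base: List[Rule], det: Detection) -> Tuple[Optional[str], Optional[str], str, str]:
    """Return (rule name, exception name or None, action, track) for a detection."""
    for rule in rule_base:
        if not scope_matches(rule.protected_scope, det.host):
            continue
        # Under the matched rule, the first matching exception wins.
        for exc in rule.exceptions:
            if scope_matches(exc.protected_scope, det.host) and (
                not exc.protections or det.protection in exc.protections
            ):
                return rule.name, exc.name, exc.action, exc.track
        prof = rule.profile
        if IMPACT_ORDER[det.performance_impact] > IMPACT_ORDER[prof.max_performance_impact]:
            return rule.name, None, "Inactive", "None"  # model assumption
        return rule.name, None, prof.confidence_action[det.confidence], rule.track
    return None, None, "Allow", "None"


# Constructed sample policy: profile settings are illustrative values, not
# the contents of the real Recommended_Profile.
BLOCK_PROFILE = Profile("Block_Profile", {"Low": "Detect", "Medium": "Prevent", "High": "Prevent"})
MONITOR_PROFILE = Profile("NewProfile", {"Low": "Detect", "Medium": "Detect", "High": "Detect"})

RULE_BASE = [
    Rule("Block Bot Activity", {ANY}, BLOCK_PROFILE, track="Log",
         exceptions=[RuleException("Exclude", {"Server_1"}, {"Backdoor.Win32.Agent.AH"})]),
    Rule("Monitor Bot Activity", {ANY}, MONITOR_PROFILE, track="Log"),
]

if __name__ == "__main__":
    for d in (
        Detection("Server_1", "Backdoor.Win32.Agent.AH", "High", "Low"),
        Detection("Server_2", "Backdoor.Win32.Agent.AH", "High", "Low"),
        Detection("Server_1", "Other.Bot.Signature", "Medium", "Low"),
        Detection("Server_1", "Other.Bot.Signature", "High", "High"),
    ):
        print(d.host, d.protection, "->", evaluate(RULE_BASE, d))
```

Running it shows that the exception narrows only the named protection on Server_1; the same signature on Server_2, or a different signature on Server_1, still gets the rule's Prevent action. Swapping the two rules so the monitor rule on Any comes first would make every detection Detect-only, which is why the position chosen with the Add Rule toolbar buttons matters.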

Installing the Policy

The Anti-Bot, Threat Emulation and Anti-Virus Software Blades have a dedicated policy. You can install this policy separately from the policies of the other Software Blades.

You can update the Anti-Bot, Threat Emulation and Anti-Virus Rule Base to give immediate coverage for new malware threats. Install only the Threat Prevention policy to minimize the impact on the Security Gateways.

To install the Anti-Bot and Anti-Virus policy:

  1. From the Threat Prevention tab > Policy pane, click Install Policy.
  2. Select the relevant options:
    • Install Threat Prevention Policy on all gateways - Installs the policy on all Security Gateways that have Anti-Bot, Threat Emulation, and Anti-Virus enabled.
    • Install Threat Prevention Policy on selected gateways - Select the applicable Security Gateways.
    • Install on each selected gateway independently - Install the policy on the selected Security Gateways without reference to the other targets. A failure to install on one Security Gateway does not affect policy installation on other gateways.

      If the gateway is a member of a cluster, install the policy on all the members. The Security Management Server makes sure that it can install the policy on all the members before it installs the policy on one of them. If the policy cannot be installed on one of the members, policy installation fails for all of them.

    • Install on all selected gateways, if it fails do not install on gateways of the same version - Install the policy on all installation targets. If the policy fails to install on one of the Security Gateways, the policy is not installed on other targets of the same version.
  3. Click OK.
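The two "install on selected gateways" options differ only in what happens after a failure. The following is an added example, not Check Point code or a Check Point API; the function name plan_install, the mode strings, the gateway names and versions ("vA", "vB", "vC") and the can_install flags are all constructed to illustrate the outcomes described above: a cluster is treated as one unit that fails as a whole if any member cannot install, "independent" leaves the other targets untouched, and "same_version" also skips every remaining target that shares a version with a failed one.

```python
from typing import Dict, List, Set

# Constructed model (hypothetical names, not a Check Point API) of the
# installation-target options described above. `clusters` maps a cluster
# name to its member gateways; `can_install` is a constructed stand-in for
# whether installation on a given gateway would succeed.


def plan_install(targets: List[str], clusters: Dict[str, Set[str]],
                 version_of: Dict[str, str], can_install: Dict[str, bool],
                 mode: str) -> Dict[str, str]:
    """Return {gateway: "Installed" | "Failed" | "Not installed"} for one installation.

    mode is "independent" (install on each selected gateway independently) or
    "same_version" (if it fails, do not install on gateways of the same version).
    """
    if mode not in ("independent", "same_version"):
        raise ValueError("unknown mode: " + mode)

    # Selecting a cluster means all of its members; the members form one unit.
    unit_of: Dict[str, str] = {}
    for cname, members in clusters.items():
        for m in members:
            unit_of[m] = cname
    gateways: Set[str] = set()
    for t in targets:
        gateways.update(clusters.get(t, {t}))

    # Pre-check per unit: a cluster fails as a whole if any member cannot install.
    failed_units = {unit_of.get(gw, gw) for gw in gateways if not can_install[gw]}
    result = {gw: ("Failed" if unit_of.get(gw, gw) in failed_units else "Installed")
              for gw in gateways}

    if mode == "same_version":
        # A failure blocks installation on every other target of that version.
        failed_versions = {version_of[gw] for gw, r in result.items() if r == "Failed"}
        for gw in gateways:
            if result[gw] == "Installed" and version_of[gw] in failed_versions:
                result[gw] = "Not installed"
    return result


# Constructed inventory: standalone gateways on versions "vA", "vB" and "vC",
# plus a two-member cluster on "vB" whose second member would fail.
CLUSTERS = {"Cluster_1": {"member_1", "member_2"}}
VERSION = {"gw_1": "vA", "gw_2": "vA", "gw_3": "vB", "gw_4": "vC",
           "member_1": "vB", "member_2": "vB"}
CAN_INSTALL = {"gw_1": True, "gw_2": False, "gw_3": True, "gw_4": True,
               "member_1": True, "member_2": False}
TARGETS = ["gw_1", "gw_2", "gw_3", "gw_4", "Cluster_1"]

if __name__ == "__main__":
    for mode in ("independent", "same_version"):
        print(mode, plan_install(TARGETS, CLUSTERS, VERSION, CAN_INSTALL, mode))
```

In the constructed inventory, gw_1 installs under "independent" but is skipped under "same_version" because gw_2 on the same version failed; gw_3 is skipped for the same reason because the failed cluster runs its version; gw_4, alone on its version, installs in both modes.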
 
©2015 Check Point Software Technologies Ltd. All rights reserved.