The Anti-Bot Component

There are two emerging trends in today's threat landscape:

  • A profit-driven cybercrime industry that uses different tools to meet its goals. This industry includes cyber-criminals, malware operators, tool providers, coders, and affiliate programs. Their "products" can be easily ordered online from numerous sites (for example, do-it-yourself malware kits, spam sending, data theft, and denial of service attacks) and organizations are finding it difficult to fight off these attacks.

  • Ideological and state driven attacks that target people or organizations to promote a political cause or carry out a cyber-warfare campaign.

Both trends are driven by bot attacks.

A bot is malicious software that can invade your computer. There are many infection methods. These include opening attachments that exploit a vulnerability and accessing a website that results in a malicious download.

When a bot infects a computer, it:

  • Takes control of the computer and neutralizes its Anti-Virus defenses. Bots are difficult to detect because they hide within your computer and change the way they appear to the Anti-Virus software.

  • Connects to a Command and Control (C&C) center for instructions from cyber criminals. The cyber criminals, or bot herders, can remotely control it and instruct it to execute illegal activities without your knowledge. These activities include:

    • Data theft (personal, financial, intellectual property, organizational)

    • Sending SPAM

    • Attacking resources (Denial of Service Attacks)

    • Bandwidth consumption that affects productivity

In many cases, a single bot can create multiple threats. Bots are often used as tools in attacks known as Advanced Persistent Threats (APTs) where cyber criminals pinpoint individuals or organizations for attack. A botnet is a collection of compromised computers.

The Check Point Anti-Bot component detects and prevents these bot threats.

The Anti-Bot component:

  • Uses the ThreatCloud repository to receive updates, and queries the repository for classification of unidentified IP, URL, and DNS resources.

  • Prevents damage by blocking bot communication to C&C sites and makes sure that no sensitive information is stolen or sent out of the organization.

The Endpoint Anti-Bot component uses these procedures to identify bot infected computers:

  • Identify the C&C addresses used by criminals to control bots. These web sites are constantly changing and new sites are added on an hourly basis. Bots can attempt to connect to thousands of potentially dangerous sites. It is a challenge to know which sites are legitimate and which are not.

The ThreatCloud repository contains more than 250 million addresses that were analyzed for bot discovery and more than 2,000 different botnet communication patterns. The ThreatSpect engine uses this information to classify bots and viruses.

Configuring Anti-Bot

There are three configuration options for the Anti-Bot protection:

  • Prevent - Blocks bots.

  • Detect - Logs information about bots, but does not block them.

  • Off - Ignores bots (does not prevent or detect them).

Advanced Anti-Bot Settings:

  • Background Protection Mode:

    • Background - This is the default mode. Connections are allowed while the bots are checked in the background.

    • Hold - Connections are blocked until the bot check is complete.

  • Hours to suppress logs for same bot protection - To minimize the size of the Anti-Bot logs, actions for the same bot are only logged one time per hour. The default value is 1 hour. To change the default log interval, select a number of hours.

  • Days to remove bot reporting after - If a bot does not connect to its command and control server after the selected number of days, the client stops reporting that it is infected. The default value is 3 days.

  • Confidence Level - The confidence level is how sure Endpoint Security is that an activity is malicious. High confidence means that it is almost certain that the activity is malicious. Medium confidence means that it is very likely that the activity is malicious. You can manually change the settings for each confidence level. Select the action for High, Medium, and Low confidence bots:

    • Prevent - Blocks bots.

    • Detect - Logs information about bots, but does not block them.

    • Off - Ignores bots (does not prevent or detect them).

  • DNS Inspection Mode - Monitors and inspects all websites your device attempts to access, to protect against malicious or harmful sites. This feature is turned on by default, even before any Security Policies are applied to the device, so the device is protected immediately. Once you manually configure DNS Inspection Mode (turning it on or off), your setting overrides the default setting from the management server, so you can customize it later.
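The following is an added example, not Check Point code, that models how the settings above interact: the per-confidence action (Prevent, Detect, Off), Background versus Hold protection mode, the hourly log-suppression window, and the number of days without C&C contact after which the client stops reporting infection. The class and function names, and the timestamps, are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class AntiBotPolicy:
    # Action per confidence level, e.g. {"High": "Prevent", "Medium": "Detect", "Low": "Off"}
    action_by_confidence: dict
    protection_mode: str = "Background"   # "Background" (default) or "Hold"
    suppress_hours: int = 1               # hours to suppress logs for the same bot
    remove_reporting_days: int = 3        # days without C&C contact before reporting stops

@dataclass
class AntiBotState:
    last_logged: dict = field(default_factory=dict)      # bot -> time of last log entry
    last_cc_contact: dict = field(default_factory=dict)  # bot -> time of last C&C attempt

def evaluate(policy, state, bot, confidence, now, check_complete=True):
    """Handle one C&C connection attempt; returns (connection_allowed, log_written)."""
    action = policy.action_by_confidence[confidence]
    if action == "Off":
        return True, False          # ignored: neither prevented nor detected
    state.last_cc_contact[bot] = now
    prev = state.last_logged.get(bot)
    log_written = prev is None or now - prev >= timedelta(hours=policy.suppress_hours)
    if log_written:
        state.last_logged[bot] = now
    if action == "Detect":
        return True, log_written    # logged, but the connection is not blocked
    # Prevent: Background mode lets the connection through while the check is
    # still pending; Hold mode blocks it until the check completes.
    if not check_complete and policy.protection_mode == "Background":
        return True, log_written
    return False, log_written

def is_reported_infected(policy, state, bot, now):
    """The client keeps reporting infection only while recent C&C contact exists."""
    last = state.last_cc_contact.get(bot)
    return last is not None and now - last < timedelta(days=policy.remove_reporting_days)

if __name__ == "__main__":
    policy = AntiBotPolicy({"High": "Prevent", "Medium": "Detect", "Low": "Off"})
    state = AntiBotState()
    t0 = datetime(2024, 1, 1, 12, 0)   # constructed timestamps
    print(evaluate(policy, state, "botA", "High", t0))                          # (False, True)
    print(evaluate(policy, state, "botA", "High", t0 + timedelta(minutes=30)))  # (False, False)
    print(is_reported_infected(policy, state, "botA", t0 + timedelta(days=4)))  # False
```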