Viewing Infected Devices

In the Infected Devices page you can see information about infected devices and servers in the internal networks. You can also directly create an exception rule for a specified protection related to an infected or possibly infected device or server.

The Infected Devices table shows this information for each entry:

  • Icon - Shows the classification of the infected device or server. Each classification has a separate host icon and server icon:

    • Infected device or server - The Anti-Bot blade detected suspicious communication between the host or server and an external Command & Control center, triggered by a specific protection.

    • Possibly infected device or server - The Anti-Virus blade detected an activity that may result in host or server infection. For example:

      • When you browse to an infected or a potentially unsafe Internet site, malware may have been installed.

      • When you download an infected file, the file may have been opened or triggered and infected the host or server.

  • Object name - Shows the object name if the host or server was configured as a network object.

  • IP/MAC address

  • Device/User Name - Shows a device or user name if the information is available to the Check Point Appliance through DHCP or User Awareness.

  • Incident type - Shows the detected incident type:

    • Found bot activity

    • Downloaded malware

    • Accessed a site known to contain malware

  • Severity - Shows the severity of the malware:

    • Low

    • Medium

    • High

    • Critical

  • Protection name - Shows the Anti-Bot or Anti-Virus protection name.

  • Last incident - The date of the last incident.

  • Incidents - Shows the total number of incidents on the device or server in the last month. If there is a large number of records, the time frame may be shorter.

To filter the infected devices list:

  1. Click Filter.

  2. Select one of the filter options:

    • Servers only - Shows only machines that were identified as servers, not every machine or device. Servers are the server objects defined in the system on the Access Policy > Servers page.

    • Possibly infected only - Shows only devices or servers classified as possibly infected.

    • Infected only - Shows only devices or servers classified as infected.

    • High and above severity only - Shows devices and servers that are infected or possibly infected with malware that has a severity classification of High or Critical.
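The following is an added example, not code from the original page or from Check Point, that applies the classification and filter rules described above to a constructed in-memory list of table entries. The record layout (a blade field, a server flag, incident timestamps), the 30-day reading of "last month", and the sample entries are all assumptions made for the illustration.

```python
"""Classification and filter rules of the Infected Devices table, applied to
constructed sample entries. Illustrative code only, not Check Point's own."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

# Severity order used by the "High and above severity only" filter.
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass
class Entry:
    ip: str
    blade: str                 # assumed field: "Anti-Bot" or "Anti-Virus"
    severity: str              # Low, Medium, High or Critical
    is_server: bool            # defined as a server object under Access Policy > Servers
    incident_times: List[datetime] = field(default_factory=list)


def classification(e: Entry) -> str:
    # Anti-Bot detections (C&C communication) are "infected";
    # Anti-Virus detections (malicious download or site) are only "possibly infected".
    if e.blade == "Anti-Bot":
        return "infected"
    if e.blade == "Anti-Virus":
        return "possibly infected"
    raise ValueError(f"unknown blade {e.blade!r}")


def incidents_last_month(e: Entry, now: datetime) -> int:
    # Assumed definition of "last month": a rolling 30-day window.
    window_start = now - timedelta(days=30)
    return sum(1 for t in e.incident_times if t >= window_start)


def apply_filter(entries: List[Entry], option: str) -> List[Entry]:
    """Return the entries shown after selecting one of the four filter options."""
    if option == "Servers only":
        return [e for e in entries if e.is_server]
    if option == "Possibly infected only":
        return [e for e in entries if classification(e) == "possibly infected"]
    if option == "Infected only":
        return [e for e in entries if classification(e) == "infected"]
    if option == "High and above severity only":
        return [e for e in entries
                if SEVERITY_RANK[e.severity] >= SEVERITY_RANK["High"]]
    raise ValueError(f"unknown filter option {option!r}")


def table_rows(entries: List[Entry], now: datetime) -> List[dict]:
    """Render the columns of the table that are derived rather than stored."""
    return [
        {"ip": e.ip,
         "classification": classification(e),
         "severity": e.severity,
         "incidents": incidents_last_month(e, now)}
        for e in entries
    ]


# Constructed sample data; the addresses and timings are invented.
NOW = datetime(2024, 6, 1)
SAMPLE = [
    Entry("10.0.0.5",  "Anti-Bot",   "Critical", False, [NOW - timedelta(days=d) for d in (1, 10, 45)]),
    Entry("10.0.0.20", "Anti-Virus", "Medium",   True,  [NOW - timedelta(days=3)]),
    Entry("10.0.1.7",  "Anti-Virus", "High",     False, [NOW - timedelta(days=d) for d in (2, 5)]),
    Entry("10.0.2.9",  "Anti-Bot",   "Low",      True,  [NOW - timedelta(days=20)]),
    Entry("10.0.3.4",  "Anti-Virus", "Critical", True,  [NOW - timedelta(days=1)]),
]

if __name__ == "__main__":
    for row in table_rows(apply_filter(SAMPLE, "High and above severity only"), NOW):
        print(row)
```

Note that the first sample entry has three incidents on record but only two fall inside the window, which is why the Incidents column and the raw log count can differ.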

To add a malware exception rule for a specified protection:

  1. Select the list entry that contains the protection for which to create an exception.

  2. Click Add Protection Exception.

  3. Click the links in the rule summary or the table cells to select network objects or options that fill out the exception rule fields.

    • Scope - Select either Any or a specific scope from the list. If necessary, you can create a New network object, network object group, or local user.
      If it is necessary to negate a specified scope, select the scope and select the Any Scope except checkbox.
      For example, if the scope of the exception should include all scopes except for the DMZ network, select DMZ network and select the Any Scope except checkbox.

      Note - DMZ is not supported in 1550 appliances.

    • Action - Select the applicable action to enforce on the matching traffic: Ask, Prevent, Detect or Inactive. See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types.

    • Log - Select the tracking option: None, Log, or Alert. Logs are shown on the Logs & Monitoring > Security Logs page. An alert is a flag on a log. You can use it to filter logs.

  4. Optional - Add a comment in the Write a comment field.

  5. Click Apply.

    The rule is added to Malware Exceptions on the Threat Prevention > Exceptions page.
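As an added example, not code from the original page or from Check Point, the following shows how the Scope and Any Scope except fields of an exception rule decide which sources the exception covers, including the "all scopes except the DMZ network" case from step 3. The network objects, the placeholder protection name, the first-match ordering and the default action are assumptions made for the illustration.

```python
"""Scope matching for a malware exception rule, including 'Any Scope except'.
Illustrative code only; object names, ordering and defaults are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed network objects, keyed by object name. "Any" covers every source.
NETWORK_OBJECTS = {
    "Any": None,
    "DMZ network": [ipaddress.ip_network("192.168.100.0/24")],
    "Internal network": [ipaddress.ip_network("10.0.0.0/8")],
}


@dataclass(frozen=True)
class ExceptionRule:
    protection: str            # Anti-Bot or Anti-Virus protection name
    scope: str                 # "Any" or a network object name
    any_scope_except: bool = False   # negate the selected scope
    action: str = "Detect"     # Ask, Prevent, Detect or Inactive
    track: str = "Log"         # None, Log or Alert


def scope_matches(rule: ExceptionRule, src_ip: str) -> bool:
    nets = NETWORK_OBJECTS[rule.scope]
    if nets is None:
        in_scope = True
    else:
        addr = ipaddress.ip_address(src_ip)
        in_scope = any(addr in n for n in nets)
    # "Any Scope except" flips the result: the rule covers everything outside the scope.
    return not in_scope if rule.any_scope_except else in_scope


def effective_action(rules: List[ExceptionRule], protection: str, src_ip: str,
                     default_action: str = "Prevent") -> str:
    """Action applied to a detection of `protection` from `src_ip`.

    Assumes the first exception whose protection and scope match wins; with no
    match, the blade's own action (assumed here to be Prevent) applies."""
    for r in rules:
        if r.protection == protection and scope_matches(r, src_ip):
            return r.action
    return default_action


def matching_rule(rules: List[ExceptionRule], protection: str,
                  src_ip: str) -> Optional[ExceptionRule]:
    """The exception that would apply, or None, useful for checking a rule before Apply."""
    for r in rules:
        if r.protection == protection and scope_matches(r, src_ip):
            return r
    return None


# Constructed rule: detect-only for a placeholder protection from any scope except the DMZ.
EXCEPTIONS = [
    ExceptionRule(protection="Example.Protection", scope="DMZ network",
                  any_scope_except=True, action="Detect", track="Alert"),
]

if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.100.7"):
        print(ip, effective_action(EXCEPTIONS, "Example.Protection", ip))
```

The negated scope is the easy one to get backwards: selecting DMZ network and ticking Any Scope except relaxes enforcement for every source that is not in the DMZ, while the DMZ itself keeps the blade's normal action. Checking a rule with a known DMZ address and a known internal address before clicking Apply catches that mistake.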

To view the logs of a specified entry:

  1. Select the list entry for which to view logs.

  2. Click Logs.

    The Logs & Monitoring > Security Logs page opens and shows the logs applicable to the IP/MAC address.

    Note - This page is available from the Home and Logs & Monitoring tabs.