Viewing Infected Devices
On the Infected Devices page you can see information about infected devices and servers in the internal networks. You can also create an exception rule directly from this page for the protection that flagged an infected or possibly infected device or server.
You can access this page from the Threat Prevention tab > Threat Prevention section, or from the Logs and Monitoring tab > Status section.
The Infected Devices table shows this information for each entry:
- Icon - Shows icons for the different classifications of infected devices and servers. A host icon marks a device and a server icon marks a server; the classification is one of:
  - Infected device or server - The Anti-Bot blade detected suspicious communication between the host or server and an external Command & Control (C&C) center because a specified protection was triggered. (Anti-Bot is the Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to C&C centers. Acronyms: AB, ABOT.)
  - Possibly infected device or server - The Anti-Virus blade detected an activity that may result in host or server infection. (Anti-Virus is the Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV.) For example:
    - When you browse to an infected or a potentially unsafe Internet site, malware may have been installed.
    - When you download an infected file, the file may have been opened or triggered and infected the host or server.
- Object name - Shows the object name if the host or server was configured as a network object.
- IP/MAC address - Shows the IP and MAC address of the infected device.
- Device/User Name - Shows a device or user name if the information is available to the appliance through DHCP or User Awareness (the Check Point Software Blade that associates users with IP addresses for logging and control purposes).
- Incident type - Shows the detected incident type:
  - Found bot activity
  - Downloaded a malware
  - Accessed a site known to contain malware
- Severity - Shows the severity of the malware: Low, Medium, High, or Critical.
- Protection name - Shows the Anti-Bot or Anti-Virus protection name.
- Last incident - The date of the last incident.
- Incidents - Shows the total number of incidents on the device or server in the last month. If there are many records, the time frame may be shorter.

To filter the Infected Devices table:
- Click Filter.
- Select one of the filter options:
  - Servers only - Shows only machines that were identified as servers (not any other machine or device). Servers are defined as server objects in the system on the Access Policy > Servers page.
  - Possibly infected only - Shows only devices or servers classified as possibly infected.
  - Infected only - Shows only devices or servers classified as infected.
  - High and above severity only - Shows devices and servers that are infected or possibly infected with malware that has a severity classification of High or Critical.

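As an added example (not code from the appliance or from Check Point), the following Python models the table fields described above and the four Filter options, so the classification and counting rules can be checked offline against exported log records. The dataclasses, field names, placeholder protection names and sample incidents are constructed for illustration; that a row shows the most recent incident's type, severity and protection, and that any Anti-Bot hit inside the reporting window makes the row "infected", are assumptions.

```python
# Added example: offline model of the Infected Devices table and its Filter
# options. Schema, sample data and protection names are constructed, not appliance output.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Incident types listed on the page -> (blade that raises them, classification)
INCIDENT_CLASS = {
    "Found bot activity": ("Anti-Bot", "infected"),
    "Downloaded a malware": ("Anti-Virus", "possibly infected"),
    "Accessed a site known to contain malware": ("Anti-Virus", "possibly infected"),
}


@dataclass(frozen=True)
class Incident:
    """One Anti-Bot or Anti-Virus log record (constructed schema)."""
    ip: str
    mac: str
    incident_type: str
    severity: str
    protection: str
    when: datetime
    is_server: bool = False  # assumed: IP belongs to a configured server object
    name: str = ""           # device/user name from DHCP or User Awareness, if known


@dataclass
class TableEntry:
    """One row of the Infected Devices table."""
    ip: str
    mac: str
    name: str
    classification: str      # "infected" or "possibly infected"
    incident_type: str
    severity: str
    protection: str
    last_incident: datetime
    incidents: int           # incidents inside the reporting window
    is_server: bool


def build_table(incidents: Iterable[Incident], now: datetime,
                window_days: int = 30) -> list[TableEntry]:
    """Group incidents per IP/MAC and count those in the last window_days."""
    cutoff = now - timedelta(days=window_days)
    by_host: dict[tuple[str, str], list[Incident]] = {}
    for inc in incidents:
        if inc.incident_type not in INCIDENT_CLASS:
            raise ValueError(f"unknown incident type: {inc.incident_type!r}")
        if inc.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity: {inc.severity!r}")
        if inc.when >= cutoff:
            by_host.setdefault((inc.ip, inc.mac), []).append(inc)
    rows = []
    for (ip, mac), hits in by_host.items():
        hits.sort(key=lambda i: i.when)
        last = hits[-1]
        # Assumption: an Anti-Bot hit in the window outranks "possibly infected".
        infected = any(INCIDENT_CLASS[i.incident_type][1] == "infected" for i in hits)
        rows.append(TableEntry(
            ip=ip, mac=mac, name=last.name,
            classification="infected" if infected else "possibly infected",
            incident_type=last.incident_type, severity=last.severity,
            protection=last.protection, last_incident=last.when,
            incidents=len(hits), is_server=last.is_server,
        ))
    return rows


def apply_filter(rows: list[TableEntry], option: str) -> list[TableEntry]:
    """The four Filter options from the page."""
    if option == "Servers only":
        return [r for r in rows if r.is_server]
    if option == "Possibly infected only":
        return [r for r in rows if r.classification == "possibly infected"]
    if option == "Infected only":
        return [r for r in rows if r.classification == "infected"]
    if option == "High and above severity only":
        return [r for r in rows if SEVERITY_RANK[r.severity] >= SEVERITY_RANK["High"]]
    raise ValueError(f"unknown filter option: {option!r}")


# Constructed sample log records; protection names are placeholders.
NOW = datetime(2024, 3, 1, 12, 0)
SAMPLE = [
    Incident("10.0.0.5", "00:11:22:33:44:55", "Found bot activity", "High",
             "Example.Bot.C2", NOW - timedelta(days=40), name="alice-laptop"),  # outside window
    Incident("10.0.0.5", "00:11:22:33:44:55", "Downloaded a malware", "Medium",
             "Example.Dropper", NOW - timedelta(days=2), name="alice-laptop"),
    Incident("10.0.0.5", "00:11:22:33:44:55", "Found bot activity", "High",
             "Example.Bot.C2", NOW - timedelta(hours=3), name="alice-laptop"),
    Incident("10.0.0.7", "00:11:22:33:44:66", "Accessed a site known to contain malware",
             "Low", "Example.MalSite", NOW - timedelta(days=1), name="bob-pc"),
    Incident("10.0.1.10", "00:11:22:33:44:77", "Downloaded a malware", "Critical",
             "Example.Webshell", NOW - timedelta(days=5), is_server=True, name="web01"),
]

if __name__ == "__main__":
    table = build_table(SAMPLE, NOW)
    for option in ("Servers only", "Possibly infected only",
                   "Infected only", "High and above severity only"):
        print(option, "->", [r.ip for r in apply_filter(table, option)])
```

Note that the 40-day-old bot record for 10.0.0.5 is dropped by the window, so its Incidents count is 2, while the host is still classified as infected because a newer Anti-Bot hit remains in the window.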
To add a protection exception for a table entry:
- Select the list entry that contains the protection for which to create an exception.
- Click Add Protection Exception.
- Click the links in the rule summary or the table cells to select the network objects or options that fill out the exception rule fields:
  - Scope - Select either Any or a specific scope from the list. If necessary, you can create a new network object, network object group, or local user.
    If it is necessary to negate a specified scope, select the scope and select the Any Scope except checkbox. For example, if the exception should apply to all scopes except the DMZ network, select DMZ network and select the Any Scope except checkbox.
    Note - DMZ is not supported in 1530 / 1550 appliances.
  - Action - Select the action to enforce on matching traffic: Ask, Prevent, Detect, or Inactive. See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types.
  - Log - Select the tracking option: None, Log, or Alert. Logs are shown on the Logs & Monitoring > Security Logs page. An alert is a flag on a log that you can use to filter logs.
- Optional - Add a comment in the Write a comment field.
- Click Apply.
The rule is added to Malware Exceptions on the Threat Prevention > Exceptions page.

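The following Python is an added example (not appliance code) of how the Scope, Action and Log fields of a protection exception combine to decide the outcome for a device that triggers that protection, including the Any Scope except negation from the DMZ example above. The rule class, the network objects, the placeholder protection names and the addresses are constructed for illustration, and first-match evaluation over the exception list is an assumption about rule order.

```python
# Added example: evaluating a protection exception's Scope / Action / Log fields.
# Rule structure, network objects and addresses are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACTIONS = ("Ask", "Prevent", "Detect", "Inactive")
TRACKING = ("None", "Log", "Alert")

# Constructed network objects standing in for objects picked in the Scope field.
NETWORK_OBJECTS = {
    "DMZ network": ipaddress.ip_network("192.168.50.0/24"),
    "Internal LAN": ipaddress.ip_network("10.0.0.0/16"),
}


@dataclass
class ProtectionException:
    protection: str             # the Anti-Bot or Anti-Virus protection name
    scope: str = "Any"          # "Any" or a network object name
    negate_scope: bool = False  # the "Any Scope except" checkbox
    action: str = "Detect"
    track: str = "Log"
    comment: str = ""

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"action must be one of {ACTIONS}")
        if self.track not in TRACKING:
            raise ValueError(f"track must be one of {TRACKING}")
        if self.scope != "Any" and self.scope not in NETWORK_OBJECTS:
            raise ValueError(f"unknown scope object: {self.scope!r}")
        if self.scope == "Any" and self.negate_scope:
            raise ValueError("'Any Scope except' needs a specific scope to negate")

    def in_scope(self, ip: str) -> bool:
        """Any matches everything; a negated scope matches everything outside it."""
        if self.scope == "Any":
            return True
        hit = ipaddress.ip_address(ip) in NETWORK_OBJECTS[self.scope]
        return not hit if self.negate_scope else hit


def evaluate(exceptions: list[ProtectionException], protection: str,
             ip: str) -> Optional[tuple[str, str]]:
    """Return (action, track) of the first matching exception, or None when no
    exception applies and the protection's normal handling stays in force."""
    for rule in exceptions:
        if rule.protection == protection and rule.in_scope(ip):
            return rule.action, rule.track
    return None


# Constructed rule set; the first rule is the page's own "all scopes except DMZ" case.
RULES = [
    ProtectionException("Example.Bot.C2", scope="DMZ network", negate_scope=True,
                        action="Detect", track="Alert", comment="outside the DMZ only"),
    ProtectionException("Example.Dropper", scope="Internal LAN",
                        action="Inactive", track="None"),
]

if __name__ == "__main__":
    for proto, ip in (("Example.Bot.C2", "10.0.0.5"), ("Example.Bot.C2", "192.168.50.10"),
                      ("Example.Dropper", "10.0.3.4"), ("Example.Other", "10.0.0.5")):
        print(proto, ip, "->", evaluate(RULES, proto, ip))
```

The constructor rejects a negated Any scope because the page's procedure only offers the Any Scope except checkbox once a specific scope has been selected; without that check a rule that matches nothing could be created silently.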
To view the logs for a table entry:
- In the Logs and Monitoring tab, select the list entry for which to view logs.
- Click Logs.
The Security Logs page opens and shows the logs applicable to the entry's IP/MAC address.