Appliance Configuration
Check Point 1400 Appliances Centrally Managed Administration Guide R77.20.85 | 111
Viewing Infected Devices
In the Infected Devices page you can see information about infected devices and servers in the
internal networks. You can also directly create an exception rule for a specified protection related
to an infected or possibly infected device or server.
The Infected Devices table shows this information for each entry:
• Icon - Shows icons for the different classifications of infected devices and servers:
Infected device or server - When the Anti-Bot blade detects suspicious
communication between the host or server and an external Command
& Control center due to a specified triggered protection.
Possibly infected device or server - When the Anti-Virus blade detects
an activity that
may
result in host or server infection. For example:
• When you browse to an infected or a potentially unsafe Internet
site, there is a possibility that malware was installed.
•
When you download an infected file, there is a possibility that the
file was opened or triggered and infected the host or server.
• Object name - Shows the object name if the host or server was configured as a network object.
• IP/MAC address
• Device/User Name - Shows a device or user name if the information is available to the Check
Point Appliance through DHCP or User Awareness.
• Incident type - Shows the detected incident type:
• Found bot activity
• Downloaded a malware
• Accessed a site known to contain malware
• Severity - Shows the severity of the malware:
• Low
• Medium
• High
• Critical
• Protection name - Shows the Anti-Bot or Anti-Virus protection name.
• Last incident - The date of the last incident.
• Incidents - Shows the total number of incidents on the device or server in the last month. If
there is a large amount of records, the time frame may be shorter.
To filter the infected devices list:
1.
Click Filter.
Select one of the filter options:
• Servers only - Shows only machines that were identified as servers (and not any
machine/device). Servers are defined as server objects in the system from the Access
Policy > Servers page.
• Possibly infected only - Shows only devices or servers classified as possibly infected.
To Next Page
Loading...
