Virtual Secure Web Gateway

  • 1.  Active Bot false positives?

    Posted Nov 14, 2013 01:42 PM

    We have implemented the Symantec Web Gateway (virtual edition) in a monitoring-only capacity using a span port. We have noticed a large number of Active Bot detections coming from internal IP addresses. When we visit these computers, we are unable to detect any sort of infection whatsoever. We have used the tools available from Symantec (SEP 12.1, Power Eraser, SERT) as well as tools from other vendors and can't find anything wrong. Is it possible that the Active Bot detections are due to legitimate IP/port scanning from things like Windows 7 / Mac OS X Network Discovery, Media Sharing, iTunes, etc.?

    Need help.  This is driving us crazy. 

    Thank you,

    -Craig




  • 2.  RE: Active Bot false positives?

    Posted Nov 14, 2013 01:46 PM

    Have you turned off IPv6 and UPnP/network discovery? Are you seeing anything in the Traffic log of the SEP fw? You may want to try a third-party tool such as Malwarebytes to see if it picks anything up.

    I know these protocols are sometimes flagged by the SEP fw/IPS.



  • 3.  RE: Active Bot false positives?

    Broadcom Employee
    Posted Dec 02, 2013 02:56 PM

    The botnet detection is based on a number of different factors. Based on your comment, it appears that the clients are in fact listed as active. If they are in fact active, that means that we have positively identified botnet traffic. You may want to review the report and see the reason it was marked as active as well as any botnet IPs they are communicating to. This should help you determine the nature of the traffic we are seeing. I have seen this caused by an NTP server in our botnet IP list and the clients were simply performing NTP synchronizations to this server.
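The triage step described in the reply above (group the flagged flows per internal host, look at the destination and the detection reason, and check whether the traffic is explained by a benign service such as NTP or the network-discovery protocols mentioned earlier in the thread) can be automated. The script below is an added example, not Symantec's or Broadcom's code; the CSV layout and the sample rows are constructed, and the real SWG report export format is an assumption you would have to map to it.

```python
# Added triage example (not Symantec/Broadcom code). Groups Active Bot
# detections per internal host and flags hosts whose flagged flows are all
# explained by well-known benign local-network or time-sync services.
from collections import defaultdict
import csv
import io

# Well-known service ports (assumption: the report exposes protocol and destination port).
BENIGN_SERVICES = {
    ("udp", 123): "NTP time sync",
    ("udp", 1900): "SSDP / UPnP discovery",
    ("udp", 5353): "mDNS (Bonjour / network discovery)",
    ("udp", 5355): "LLMNR (Windows name resolution)",
    ("tcp", 3689): "DAAP (iTunes media sharing)",
}

# Constructed sample report in a hypothetical CSV layout.
SAMPLE_REPORT = """src_ip,dst_ip,proto,dst_port,reason
10.0.1.15,192.0.2.10,udp,123,Known botnet IP
10.0.1.15,192.0.2.10,udp,123,Known botnet IP
10.0.1.22,239.255.255.250,udp,1900,Scanning behavior
10.0.1.22,224.0.0.251,udp,5353,Scanning behavior
10.0.1.40,198.51.100.7,tcp,6667,Known botnet IP
10.0.1.40,198.51.100.7,tcp,8080,Known botnet IP
"""

def triage(report_text):
    """Return {src_ip: (verdict, notes)}; verdict is 'likely false positive'
    only when every flagged flow for that host matches a benign service."""
    flows = defaultdict(list)
    for row in csv.DictReader(io.StringIO(report_text)):
        flows[row["src_ip"]].append(row)
    results = {}
    for src, rows in flows.items():
        notes, unexplained = [], 0
        for r in rows:
            svc = BENIGN_SERVICES.get((r["proto"].lower(), int(r["dst_port"])))
            if svc is None:
                unexplained += 1
                svc = "unexplained"
            notes.append(f"{r['dst_ip']}:{r['dst_port']}/{r['proto']} -> {svc} ({r['reason']})")
        verdict = "likely false positive" if unexplained == 0 else "investigate"
        results[src] = (verdict, notes)
    return results
```

A "likely false positive" verdict still needs a human check that the destination really is your NTP server or a multicast discovery address, exactly as the reply suggests; the script only narrows where to look first.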