
Botnet Detected but Not Blocked

Created: 03 Feb 2010 • Updated: 09 Aug 2010 | 5 comments
cemilebaşak:

Hi;

I want to ask a question about webgateway.

I wrote a block policy for all spyware categories. But for the Botnet C&C it only monitors and does not block it.

Can you please give me some advice.

Regards.

Cemile Denerel.

5 Comments

Sergi Isasi:

Cemile,

This is likely because that C&C traffic is only coming from a machine on your network we have cast as a 'Suspect' Bot, not 'Active' Bot.  Because C&C traffic is only an indicator of infection, but not 100% guaranteed to be an infection itself, we utilize a more elegant approach and monitor this traffic until we are sure it is Actively Infected.  The large majority of C&C IP addresses can also host legitimate traffic so blocking all of that traffic outright is not recommended.  Rest assured, once SWG detects actual Botnet payload from an internal machine and moves the host from Suspect to Active, it will automatically start blocking C&C activity from that host.

Please see this other post for full detail on the Botnet Detection Algorithm within SWG:

https://www-secure.symantec.com/connect/forums/bot...

Senior Product Manager - Web Gateway
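The reply above describes a two-stage policy: C&C contact alone only marks a host as a Suspect bot and is monitored, and blocking of that host's C&C traffic starts once actual botnet payload from the host has been observed and it is moved to Active. The following is an added illustration of that state logic written for this page, not code from the original post and not Symantec's SWG implementation; the event kinds (`cnc_contact`, `bot_payload`), the sample events and the host addresses are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class BotState(Enum):
    """Per-host infection confidence, using the names from the reply above."""
    CLEAN = "clean"
    SUSPECT = "suspect"   # C&C indicator seen, infection not confirmed
    ACTIVE = "active"     # botnet payload observed from the host


@dataclass
class Event:
    host: str   # internal client address (constructed sample values below)
    kind: str   # "cnc_contact" or "bot_payload" (hypothetical event types)
    dest: str   # external destination, kept only for the decision log


class BotTracker:
    """Decides monitor-vs-block for each event based on the source host's state.

    The decision is keyed on the internal host, not on the destination:
    a C&C address may also serve legitimate traffic, so the same destination
    is monitored for a Suspect host and blocked for an Active one.
    """

    def __init__(self):
        self.state = {}
        self.decisions = []   # (host, kind, dest, action) for audit

    def handle(self, ev: Event) -> str:
        current = self.state.get(ev.host, BotState.CLEAN)
        if ev.kind == "bot_payload":
            # Payload from the host confirms infection: promote to Active and block.
            self.state[ev.host] = BotState.ACTIVE
            action = "block"
        elif ev.kind == "cnc_contact":
            if current is BotState.ACTIVE:
                action = "block"      # confirmed host: C&C traffic is blocked
            else:
                self.state[ev.host] = BotState.SUSPECT
                action = "monitor"    # indicator only: log, do not block
        else:
            action = "allow"
        self.decisions.append((ev.host, ev.kind, ev.dest, action))
        return action


# Constructed sample events: one host progresses Suspect -> Active,
# a second host only ever shows a C&C indicator.
SAMPLE_EVENTS = [
    Event("10.0.0.5", "cnc_contact", "203.0.113.10"),
    Event("10.0.0.5", "cnc_contact", "203.0.113.10"),
    Event("10.0.0.5", "bot_payload", "203.0.113.10"),
    Event("10.0.0.5", "cnc_contact", "203.0.113.10"),
    Event("10.0.0.9", "cnc_contact", "203.0.113.10"),
]


def run_demo(events=SAMPLE_EVENTS):
    """Feed the sample events through a tracker; return (actions, final states)."""
    tracker = BotTracker()
    actions = [tracker.handle(ev) for ev in events]
    states = {h: s.value for h, s in tracker.state.items()}
    return actions, states


if __name__ == "__main__":
    acts, final = run_demo()
    for (host, kind, dest, action) in BotTracker().decisions or []:
        pass
    print(acts)   # ['monitor', 'monitor', 'block', 'block', 'monitor']
    print(final)  # {'10.0.0.5': 'active', '10.0.0.9': 'suspect'}
```

Note the fourth event: the same C&C destination that was only monitored for the Suspect host is blocked once the source host has been promoted, which is the behaviour the reply says to expect once a host moves from Suspect to Active.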

cemilebaşak:

Hi again.

Also, it does not block for an active bot.

Maybe there is some mistake.

Thanks for your interest.

Regards;

Cemile Denerel BAŞAK

Note: Please mark as solution if it helps you.

Sergi Isasi:

Cemile,

That being the case - that's a bit odd.

I'd recommend contacting Support so they can look at your configuration and see if there are any errors.  Otherwise please feel free to contact me directly and I'll try to walk you through what may be happening.

Senior Product Manager - Web Gateway

cemilebaşak:

Thanks Sergi.

This is only a PoC environment. When I opened a case, they wanted a screenshot from SWG. I prepared it and I will send it tomorrow. If you want I can also send it to you. The configuration screenshot.

Regards;

Cemile Denerel BAŞAK

Note: Please mark as solution if it helps you.

Sergi Isasi:

No need to send it to me as well, but if you could email me the Case # I can take a look from there.

Senior Product Manager - Web Gateway