Virtual Secure Web Gateway

  • 1.  Botnet Detected but Not Blocked

    Posted Feb 03, 2010 08:58 AM
    Hi;

    I want to ask a question about webgateway.

    I wrote a block policy for all spyware categories, but for the Botnet C&C category it only monitors and does not block.

    Can you please give me some advice?

    Regards.

    Cemile Denerel.


  • 2.  RE: Botnet Detected but Not Blocked

    Posted Feb 03, 2010 03:45 PM
    Cemile,

    This is likely because that C&C traffic is only coming from a machine on your network we have cast as a 'Suspect' Bot, not 'Active' Bot.  Because C&C traffic is only an indicator of infection, but not 100% guaranteed to be an infection itself, we utilize a more elegant approach and monitor this traffic until we are sure it is Actively Infected.  The large majority of C&C IP addresses can also host legitimate traffic so blocking all of that traffic outright is not recommended.  Rest assured, once SWG detects actual Botnet payload from an internal machine and moves the host from Suspect to Active, it will automatically start blocking C&C activity from that host.

    Please see this other post for full detail on the Botnet Detection Algorithm within SWG:

    https://www-secure.symantec.com/connect/forums/botnets
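
To make the two-stage logic in the reply above concrete, here is an added example (constructed for this thread, not Symantec SWG code): a small policy simulator in which an internal host that merely contacts a C&C address is marked Suspect and its C&C traffic is only logged, while a host seen downloading a botnet payload is moved to Active, after which its C&C traffic is blocked. A spyware-category hit is blocked unconditionally, matching the poster's working spyware policy. The state names, event names and the log lines are assumptions made for the example.

```python
"""Simulate the Suspect -> Active bot escalation described in the reply.

Added example for this thread; not SWG code. Event names, host states and
the sample log are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class BotState(Enum):
    CLEAN = "clean"
    SUSPECT = "suspect"  # C&C contact seen: monitor only, do not block
    ACTIVE = "active"    # botnet payload seen: block further C&C traffic


@dataclass
class HostTracker:
    """Per-host bot state, keyed by the internal source address."""
    states: dict = field(default_factory=dict)

    def state(self, host: str) -> BotState:
        return self.states.get(host, BotState.CLEAN)

    def handle(self, host: str, event: str) -> str:
        """Return the policy action ('allow', 'monitor' or 'block') for one event."""
        current = self.state(host)
        if event == "spyware":
            # A spyware-category hit is blocked outright, regardless of bot state.
            return "block"
        if event == "botnet_payload":
            # Actual payload delivery is the proof of infection: escalate to Active.
            self.states[host] = BotState.ACTIVE
            return "block"
        if event == "cnc_contact":
            if current == BotState.ACTIVE:
                return "block"  # known-infected host: C&C is now blocked
            if current == BotState.CLEAN:
                self.states[host] = BotState.SUSPECT  # first indicator: watch it
            return "monitor"    # Suspect hosts are observed, not blocked
        return "allow"


# Constructed log: "<time> <internal host> <event>".
SAMPLE_LOG = """
10:00:01 10.0.0.5 cnc_contact
10:00:02 10.0.0.5 cnc_contact
10:00:05 10.0.0.7 spyware
10:01:10 10.0.0.5 botnet_payload
10:01:11 10.0.0.5 cnc_contact
10:02:00 10.0.0.9 cnc_contact
"""


def run(log_text: str):
    """Feed each log line through the tracker; return (tracker, decisions)."""
    tracker = HostTracker()
    decisions = []
    for line in log_text.strip().splitlines():
        ts, host, event = line.split()
        decisions.append((ts, host, event, tracker.handle(host, event)))
    return tracker, decisions


if __name__ == "__main__":
    tracker, decisions = run(SAMPLE_LOG)
    for ts, host, event, action in decisions:
        print(f"{ts} {host:10} {event:15} -> {action}")
    for host, state in tracker.states.items():
        print(f"{host}: {state.value}")
```

Running it shows the behaviour the poster observed: 10.0.0.5's first two C&C contacts are only monitored, and blocking starts only after the payload event at 10:01:10; 10.0.0.9 ends the run as Suspect with its single contact still unblocked, which is the expected outcome for a shared C&C address rather than a misconfiguration.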





  • 3.  RE: Botnet Detected but Not Blocked

    Posted Feb 08, 2010 07:06 AM
    Hi again.

    Also, it does not block for an active bot.

    Maybe there is some mistake.

    Thanks for your interest.


  • 4.  RE: Botnet Detected but Not Blocked

    Posted Feb 08, 2010 01:54 PM
    Cemile,

    That being the case - that's a bit odd. 

    I'd recommend contacting Support so they can look at your configuration and see if there are any errors.  Otherwise please feel free to contact me directly and I'll try to walk you through what may be happening.


  • 5.  RE: Botnet Detected but Not Blocked

    Posted Feb 08, 2010 02:14 PM
    Thanks Sergi.

    This is only a PoC environment. When I opened a case, they wanted a screenshot from SWG. I prepared it and I will send it tomorrow. If you want, I can also send it to you. It is the configuration screenshot.

    Regards.


  • 6.  RE: Botnet Detected but Not Blocked

    Posted Feb 08, 2010 04:53 PM
    No need to send it to me as well, but if you could email me the Case # I can take a look from there.