Cemile,
This is likely because that C&C traffic is only coming from a machine on your network we have cast as a 'Suspect' Bot, not 'Active' Bot. Because C&C traffic is only an
indicator of infection, but not 100% guaranteed to be an infection itself, we utilize a more elegant approach and monitor this traffic until we are sure it is Actively Infected. The large majority of C&C IP addresses can also host legitimate traffic so blocking all of that traffic outright is not recommended. Rest assured, once SWG detects actual Botnet payload from an internal machine and moves the host from
Suspect to
Active, it will automatically start blocking C&C activity from that host.
Please see this other post for full detail on the Botnet Detection Algorithm within SWG:
https://www-secure.symantec.com/connect/forums/botnets