Viewing and Taking Action on Infected Hosts

View infected hosts by navigating to the Mitigation > Infected Hosts tab.

Infected hosts are systems where there is a high confidence that attackers have gained unauthorized access. When a host is compromised, the attacker can do several things to the computer, such as:

  • Send junk or spam email to attack other systems or distribute illegal software.

  • Collect personal information, such as passwords and account numbers.

  • Disable your computer’s security settings to allow easy access.

From the Mitigation > Infected Hosts tab, you can view infected hosts and set the status for the investigation and mitigation.

  1. In the list of infected hosts, click the link in the State of Investigation column for the host. A pop-up window with a pulldown appears, from which you can select one of the following: Open, In Progress, Resolved - false positive, Resolved - fixed, and Resolved - ignored.

    Note:

    An infected host marked as resolved will remain in the Infected Hosts tab for 60 days, but it will have a threat level score of 0.

  2. Click the Submit button.

  3. To mitigate an infected host, locate the event in the Incidents tab. For each incident, you can view the Summary tab, which includes information about the threat, and the Downloads tab. From the Downloads tab, you can take the following actions:

    • Find on VirusTotal—VirusTotal is a web site that analyzes suspicious files and URLs to detect types of malware. You can also search for malware on this site by entering a URL, IP address, domain, or file hash.

    • Download PCAP trace—Click this link to download the pcap (packet capture) file data collected by the SRX Series Firewall. You are prompted to save the file. (Note that there is no collector dashboard for the SRX Series at this time.)

    • Download Sample—Click this link to download a password-protected zipped file containing the malware. The password for the zip file is the SHA256 hash of the malware exe file (a 64-character alphanumeric string) shown in the Download tab for the file in question.

    • Download Behavior Log—Click this link to download a zip file containing log information about the malware. You are prompted to save the file.

    • Add to Whitelist—If you believe the file was incorrectly categorized as malware, click this link to add the file to the allowlist so that it will not be blocked.

    • Report False Positive—Click this link to report a false positive. You are prompted to create a ticket and to fill in information to explain the issue.
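Because the zip password for a downloaded sample is the same SHA256 hash that the Downloads tab displays, the hash can be used twice: once to open the archive and once to confirm that what was extracted is really the file the dashboard reported. The following is an added example, not code from the ATP Appliance product or its documentation. It builds a stand-in archive in memory (Python's zipfile module cannot write password-protected archives, so the stand-in is unencrypted; ZipFile.read() ignores the pwd argument for unencrypted members, so the extraction path is the same), then extracts with the displayed hash as the password and checks the hash of the extracted bytes without writing the sample to disk.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for a downloaded sample; not real malware.
SAMPLE_BYTES = b"MZ\x90\x00constructed-sample-bytes-for-the-example"


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of a byte string, in the 64-character form the Downloads tab shows."""
    return hashlib.sha256(data).hexdigest()


def build_sample_zip(payload: bytes, member_name: str = "sample.exe") -> bytes:
    """Build an in-memory zip that stands in for the ATP Appliance download.

    The real download is password-protected; Python's zipfile cannot write
    encrypted archives, so this one is unencrypted. Reading with a password
    still works because ZipFile.read() ignores pwd on unencrypted members.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def extract_and_verify(zip_bytes: bytes, displayed_hash: str) -> dict:
    """Open the archive with the displayed SHA256 as the password and verify
    that each extracted member actually hashes to that value.

    Returns {member_name: {"size": int, "sha256": str, "matches": bool}}.
    A member that opens but does not match means the download is not the
    file the dashboard reported (corrupted, or the wrong sample).

    Caveat: Python's zipfile only decrypts the legacy ZipCrypto method. If the
    appliance uses AES-encrypted zips (the page does not say), extraction here
    raises and an external unzip tool is needed for that step.
    """
    displayed_hash = displayed_hash.strip().lower()
    if len(displayed_hash) != 64 or any(c not in "0123456789abcdef" for c in displayed_hash):
        raise ValueError("expected a 64-character hex SHA256 string")

    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # The hash doubles as the password; bytes are required by zipfile.
            data = zf.read(info, pwd=displayed_hash.encode("ascii"))
            actual = sha256_hex(data)
            results[info.filename] = {
                "size": len(data),
                "sha256": actual,
                "matches": actual == displayed_hash,
            }
    return results


if __name__ == "__main__":
    shown = sha256_hex(SAMPLE_BYTES)  # what the Downloads tab would display
    report = extract_and_verify(build_sample_zip(SAMPLE_BYTES), shown)
    for name, r in report.items():
        print(f"{name}: {r['size']} bytes, sha256 {r['sha256']}, matches={r['matches']}")
```

Keep the extracted bytes in memory as above when all you need is the hash; only write the sample to disk inside an isolated analysis environment.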

More Information about Infected Hosts

Infected hosts are listed as data feeds (also called information sources). The feed lists the IP address or IP subnet of the host along with a threat level, for example, xxx.xxx.xxx.133 and threat level 1. Once identified, ATP Appliance recommends an action and you can create security policies on the SRX Series Firewall to take enforcement actions on the inbound and outbound traffic on these infected hosts. ATP Appliance uses multiple indicators, such as a client attempting to contact a C&C server or a client attempting to download malware.

The process for determining infected hosts and acting on that determination is as follows:

Table 1: Identify Infected Hosts

  1. A client with IP address 10.1.1.1 is located behind an SRX Series Firewall and requests a file to be downloaded from the Internet.

  2. The SRX Series Firewall receives the file from the Internet and checks its security policies to see if any action needs to be taken before sending the file to the client.

  3. The SRX Series Firewall has an ATP Appliance policy that requires files of the type just downloaded to be sent to ATP Appliance for inspection.

    This file is not cached in ATP Appliance, meaning this is the first time this specific file has been sent to ATP Appliance for inspection, so the SRX Series Firewall sends the file to the client while ATP Appliance performs an inspection.

  4. In this example, the ATP Appliance analysis determines that the file has a threat level greater than the threshold indicating that the file is malware, and sends this information back to the SRX Series Firewall.

    The client is placed on the infected host list.

  5. Using the infected hosts feed from ATP Appliance, the SRX Series Firewall blocks the client from accessing the Internet.

    The client remains on the infected host list until an administrator performs further analysis and determines it is safe.
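The lifecycle described above (a host enters the feed with a threat level, the firewall blocks on that level, an analyst sets an investigation state, a resolved host drops to threat level 0 and stays listed for 60 days) can be modelled end to end. The following is an added example written for this page, not code from ATP Appliance or the SRX Series. The feed line layout ("<ip or subnet> <threat level>") and the blocking threshold of 8 are assumptions, since the page shows neither; the 60-day retention, the investigation states and the threat level of 0 for resolved hosts come from the text.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RETENTION_DAYS = 60   # page: resolved hosts stay on the Infected Hosts tab for 60 days
BLOCK_THRESHOLD = 8   # assumption: the page does not state the SRX blocking threshold

RESOLVED_STATES = {"Resolved - false positive", "Resolved - fixed", "Resolved - ignored"}
VALID_STATES = {"Open", "In Progress"} | RESOLVED_STATES

# Constructed feed text; the real feed format is not shown on the page.
SAMPLE_FEED = """\
# <ip or subnet> <threat level>
10.1.1.1 9
192.0.2.0/24 5
"""


@dataclass
class InfectedHost:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    threat_level: int
    state: str = "Open"
    resolved_at: Optional[datetime] = None


def parse_feed(text: str) -> list[InfectedHost]:
    """Parse constructed feed lines; single IPs become /32 (or /128) networks."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, level = line.split()
        hosts.append(InfectedHost(ipaddress.ip_network(addr, strict=False), int(level)))
    return hosts


class InfectedHostList:
    """The infected host list as the firewall and the analyst see it."""

    def __init__(self, hosts: list[InfectedHost]):
        self.hosts = list(hosts)

    def find(self, ip: str) -> list[InfectedHost]:
        """All entries (host or subnet) covering the given client address."""
        ip_obj = ipaddress.ip_address(ip)
        return [h for h in self.hosts if ip_obj in h.network]

    def should_block(self, ip: str, threshold: int = BLOCK_THRESHOLD) -> bool:
        """Firewall-side decision: block when any matching entry meets the threshold.
        A resolved host has threat level 0, so it is never blocked."""
        return any(h.threat_level >= threshold for h in self.find(ip))

    def set_state(self, ip: str, state: str, now: datetime) -> list[InfectedHost]:
        """Analyst-side action from the State of Investigation pulldown.
        Any 'Resolved' state drops the threat level to 0 and starts the 60-day clock."""
        if state not in VALID_STATES:
            raise ValueError(f"unknown investigation state: {state!r}")
        matches = self.find(ip)
        if not matches:
            raise KeyError(f"{ip} is not on the infected host list")
        for h in matches:
            h.state = state
            if state in RESOLVED_STATES:
                h.threat_level = 0
                h.resolved_at = now
        return matches

    def purge(self, now: datetime) -> int:
        """Drop resolved entries older than the retention window; returns count removed.
        Unresolved hosts stay until an administrator resolves them."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        before = len(self.hosts)
        self.hosts = [h for h in self.hosts if h.resolved_at is None or h.resolved_at > cutoff]
        return before - len(self.hosts)


if __name__ == "__main__":
    now = datetime(2024, 1, 1)
    hosts = InfectedHostList(parse_feed(SAMPLE_FEED))
    print("block 10.1.1.1 before resolution:", hosts.should_block("10.1.1.1"))
    hosts.set_state("10.1.1.1", "Resolved - fixed", now)
    print("block 10.1.1.1 after resolution:", hosts.should_block("10.1.1.1"))
    print("entries purged after 61 days:", hosts.purge(now + timedelta(days=61)))
```

The subnet match in find() reflects the page's note that a feed entry may be an IP subnet rather than a single address; a resolved entry still appears in find() during the retention window, which is why should_block() keys off the threat level rather than mere presence on the list.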