Solved

Sonicwall PRO 2040

Posted on 2012-09-06
Last Modified: 2012-11-29
Hi All,

We have an infected PC somewhere on the network, how do I see which one it is on the Sonicwall console? Is there a way to check this?

Thanks
Goraek
Question by:goraek
LVL 34

Expert Comment

by:Michael-Best
ID: 38371310
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 38371340
Dear,

If you want to find the infected computer in the network you should check your antivirus server. If your infected computer is trying to brute force, you may find logs in your DC...
LVL 12

Expert Comment

by:TomRScott
ID: 38371347
If you have subscribed to a malware (virus) scanning service for your SonicWALL, review the logs.

However, if you have an enterprise security suite application, check the console of that application for infections.

The firewall only sees traffic passing through. Even if the infected computer is passing traffic through the firewall as a result of the infection (such as spam), the traffic may not have anything detectable as an infection, per se.

Whereas your enterprise security suite receives alerts from all your internal stations (that have the suite installed, hopefully nearly all of them). THIS is the place to go first for the task you describe. The firewall is limited in its scope for this issue.

If you don't have such an application and you are large enough that finding the infected computer is a challenge, you need an enterprise solution.

 - Tom
LVL 2

Author Comment

by:goraek
ID: 38375143
Thanks all.

The problem is that one of the devices on the network is generating a lot of email spam to the internet.

Would Sonicwall be able to tell me which PC or device is passing a lot of traffic to the outside world?
LVL 34

Expert Comment

by:Michael-Best
ID: 38375181
LVL 12

Expert Comment

by:TomRScott
ID: 38375248
That is a different question or issue.

For the firewalls I manage, where there is an internal mail server, I restrict all outbound smtp traffic to that server.

This Does Two Things:

1. Most Importantly, Stops Internal Spam Bots in Their Tracks

The best part of that is that your valid mail server is MUCH less likely to be listed on Block Lists!

2. Your firewall logs the filtered SMTP attempts

The log will then have the IP of the "Bot" (infected) station, even if your anti-malware products do not. AND, this is before having to subscribe to any services from SonicWALL. AND, even if you do have the subscription, this will help block bots that may not otherwise be blocked by the service ("new in the wild"). I would employ this rule immediately to staunch the flow (hopefully before you get listed on a block list or more block lists) and highlight the bot at the same time.

BTW, for making such a rule I would define an Address Object for the mail server. It makes the firewall somewhat self-documenting and makes changes much easier. If you have multiple internal mail servers (such as an Exchange server, a mail filter server and a voice system that sends SMTP), I would make an address object for each and then a group address object.

When making the rule use either the group address object or the individual mail server address object as the source in the LAN and the destination being all on the WAN side.

- Tom
LVL 16

Accepted Solution

by:
Syed_M_Usman earned 1500 total points
ID: 38377226
Dear,

If you want to drill down to the infected host you can stop SMTP traffic for some time with the rule below.

Both rules are from LAN to WAN...

Action: DENY
Service: SMTP (Send email)
Source: ANY
Destination: Any
Users Allowed: All, ok
The above rule will prevent any fake user/email server sending email outside.
Enable Packet Monitor.

Do you have an Exchange server in your office? If yes, why don't you restrict the SMTP port to Exchange only?
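Tom's outbound-SMTP restriction and Syed's deny rule both turn the firewall log into the list of suspects: every station other than the mail server that keeps trying port 25 is the bot. As an added illustration (not code from this thread or from SonicWALL), the following Python script parses constructed lines written in the key=value style of SonicWall syslog output and counts dropped port-25 attempts per internal source, skipping the allowed relay; the field names, serial placeholder and sample addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value style of SonicWall syslog output (not a
# real capture; sn= is a placeholder and addresses come from documentation ranges).
SAMPLE_LOG = """\
id=firewall sn=SERIAL-PLACEHOLDER time="2012-09-06 09:14:02" fw=203.0.113.10 pri=1 msg="TCP connection dropped" src=192.168.1.57:51022:X0 dst=198.51.100.25:25:X1 proto=tcp/smtp
id=firewall sn=SERIAL-PLACEHOLDER time="2012-09-06 09:14:02" fw=203.0.113.10 pri=1 msg="TCP connection dropped" src=192.168.1.57:51023:X0 dst=198.51.100.26:25:X1 proto=tcp/smtp
id=firewall sn=SERIAL-PLACEHOLDER time="2012-09-06 09:14:03" fw=203.0.113.10 pri=6 msg="Connection Opened" src=192.168.1.5:40001:X0 dst=198.51.100.30:25:X1 proto=tcp/smtp
id=firewall sn=SERIAL-PLACEHOLDER time="2012-09-06 09:14:04" fw=203.0.113.10 pri=1 msg="TCP connection dropped" src=192.168.1.57:51024:X0 dst=198.51.100.27:25:X1 proto=tcp/smtp
id=firewall sn=SERIAL-PLACEHOLDER time="2012-09-06 09:14:05" fw=203.0.113.10 pri=1 msg="TCP connection dropped" src=192.168.1.88:3301:X0 dst=198.51.100.28:25:X1 proto=tcp/smtp
id=firewall sn=SERIAL-PLACEHOLDER time="2012-09-06 09:14:06" fw=203.0.113.10 pri=6 msg="Connection Opened" src=192.168.1.57:51030:X0 dst=198.51.100.40:80:X1 proto=tcp/http
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_line(line):
    """One key=value log line -> dict, with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def split_endpoint(field):
    """'192.168.1.57:51022:X0' -> ('192.168.1.57', 51022, 'X0'); interface is optional."""
    parts = field.split(':')
    return parts[0], int(parts[1]), (parts[2] if len(parts) > 2 else '')


def smtp_offenders(log_text, mail_servers=frozenset()):
    """Count dropped outbound SMTP (port 25) attempts per internal source IP.

    Hosts in mail_servers are the legitimate relays and are ignored; any other
    station repeatedly hitting port 25 directly is the likely spam bot.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if 'src' not in rec or 'dst' not in rec:
            continue  # not a connection record
        src_ip, _, _ = split_endpoint(rec['src'])
        _, dst_port, _ = split_endpoint(rec['dst'])
        if dst_port != 25 or 'dropped' not in rec.get('msg', '').lower():
            continue
        if src_ip in mail_servers:
            continue
        counts[src_ip] += 1
    return counts.most_common()  # [(ip, attempts), ...] busiest first


if __name__ == '__main__':
    for ip, n in smtp_offenders(SAMPLE_LOG, {'192.168.1.5'}):
        print(f'{ip}: {n} blocked SMTP attempts')
```

Point the script at an exported syslog file instead of SAMPLE_LOG and the first entry returned is the station to pull off the network and scan.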
LVL 2

Author Closing Comment

by:goraek
ID: 38643362
Thanks for the info,
but we managed to get Analyzer going, all good.
