Compromised Hosts: More Information

Infected hosts are systems where there is a high confidence that attackers have gained unauthorized access. When a host is compromised, the attacker can do several things to the computer, such as:

Infected hosts are listed by the IP address or IP subnet of the host together with a threat level, for example, xxx.xxx.xxx.133 with threat level 5. Once a host is identified, Juniper ATP Cloud recommends an action, and you can create security policies on the SRX Series device to enforce that action on inbound and outbound traffic for the infected host. Juniper ATP Cloud combines multiple indicators, such as a client attempting to contact a C&C server or a client attempting to download malware, with a proprietary algorithm to determine the infected host threat level.

The data feed URL is set up automatically for you when you run the op script to configure your SRX Series device. See Downloading and Running the Juniper Advanced Threat Prevention Cloud Script.

Figure 20 shows one example of how a device comes to be labelled an infected host by downloading malware.

Figure 20: Infected Host from Malware


Step 1: A client with IP address 10.1.1.1 is located behind an SRX Series device and requests a file to be downloaded from the Internet.

Step 2: The SRX Series device receives the file from the Internet and checks its security policies to see whether any action needs to be taken before sending the file to the client.

Step 3: The SRX Series device has a Juniper ATP Cloud policy that requires files of the type just downloaded to be sent to the cloud for inspection. This file is not cached in the cloud, meaning this is the first time this specific file has been submitted for inspection, so the SRX Series device forwards the file to the client while the cloud performs an exhaustive inspection.

Step 4: In this example, the cloud analysis determines that the file's threat level exceeds the threshold that marks it as malware, and sends this verdict back to the SRX Series device. The client is placed on the infected host list.

Step 5: Juniper ATP Cloud blocks the client from accessing the Internet. Because the verdict arrived after the file was already delivered in step 3, this is a containment step: the client has the file, and the block limits what it can do next. The client remains on the infected host list until an administrator performs further analysis and determines it is safe.

You can view the status of hosts from the Juniper ATP Cloud Web Portal by navigating to Monitor > Hosts. You can also use the show services security-intelligence statistics CLI command on the SRX Series device to view a quick report.

host> show services security-intelligence statistics
Category Infected-Hosts:
  Profile pr2:
    Total processed sessions: 37
    Permit sessions: 0
    Block drop sessions: 35
    Block close sessions: 2

An email can be configured in the Configure > Global Configuration > Infected Hosts window to alert users when a host’s threat level is at or above a specified threshold.

Malware and host status events are written as syslog messages to /var/log/messages. Junos OS supports forwarding these logs in stream mode and event mode. For information on JSA and QRadar SIEM support, see the Juniper ATP Cloud Supported Platforms Guide.

Note: To use syslog, you must configure system logging on every SRX Series device in the same realm. For example, if REALM1 contains SRX1 and SRX2, both SRX1 and SRX2 must have system logging enabled. For more information on configuring system logging, see SRX Getting Started - System Logging.

The syslog record contains the following fields:

timestamp: Date and time the syslog entry is created.
tenant_id: Internal unique identifier.
sample_sha256: SHA-256 hash value of the downloaded file.
client_ip: Client IP address; both IPv4 and IPv6 are supported.
mw_score: Malware score, an integer between 0 and 10.
mw_info: Malware name or brief description.
client_username: Username of the user who downloaded the possible malware.
client_hostname: Hostname of the device that downloaded the possible malware.
host_status: Host status. Currently the only value is in_progress.
host_policy: Name of the Juniper ATP Cloud policy that enforced this action.
threat_level: Host threat level, an integer between 0 and 10.
infected_host_status: Infected host status, one of Added, Cleared, Present, Absent.
reason: Reason for the log entry, one of Malware, CC, Manual.
details: Brief description of the entry reason, for example: malware analysis detected host downloaded a malicious_file with score 9, sha256 abc123
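The following is an added example and not Juniper's code: it parses host-status syslog records carrying the fields listed above, checks each record against the documented value ranges, and raises an alert under the same condition the e-mail alert uses (threat level at or above a threshold). The page documents the field names but not the exact on-the-wire layout of the record, so the sample lines are constructed here in a space-separated key=value layout with quoted values; KV_RE, the sample records, the Alert class and the threshold default are all assumptions of this example.

```python
"""Added example (not Juniper's code): parse, validate and alert on
Juniper ATP Cloud host-status syslog records.

ASSUMPTION: the record layout is not shown on the page; the constructed
samples use key=value pairs with double-quoted values where a value has
spaces. Adjust KV_RE to the layout your devices actually emit.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records (not captured from a real device).
SAMPLE_LOGS = [
    # first-seen malware download: host added to the list at level 9
    'timestamp="2019-01-10T12:00:01Z" tenant_id=t-1 sample_sha256=abc123 '
    'client_ip=10.1.1.1 mw_score=9 mw_info="Trojan.Generic" client_username=alice '
    'client_hostname=alice-pc host_status=in_progress host_policy=pr2 threat_level=9 '
    'infected_host_status=Added reason=Malware '
    'details="malware analysis detected host downloaded a malicious_file with score 9, sha256 abc123"',
    # C&C contact by an IPv6 client, still below the alert threshold
    'timestamp="2019-01-10T12:05:42Z" tenant_id=t-1 client_ip=2001:db8::22 mw_score=0 '
    'client_username=bob client_hostname=bob-pc host_status=in_progress host_policy=pr2 '
    'threat_level=4 infected_host_status=Present reason=CC '
    'details="host contacted a known C&C server"',
    # administrator resolved the host manually: must not alert
    'timestamp="2019-01-11T09:00:00Z" tenant_id=t-1 client_ip=10.1.1.1 mw_score=0 '
    'client_username=alice client_hostname=alice-pc host_status=in_progress host_policy=pr2 '
    'threat_level=0 infected_host_status=Cleared reason=Manual '
    'details="cleared by administrator"',
    # malformed record: threat_level outside the documented 0-10 range
    'timestamp="2019-01-11T09:30:00Z" tenant_id=t-1 client_ip=10.1.1.7 mw_score=3 '
    'host_status=in_progress host_policy=pr2 threat_level=12 '
    'infected_host_status=Added reason=Malware details="bad"',
]

# key=value pairs; a value is a double-quoted string or a run of non-spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
VALID_STATUS = {"Added", "Cleared", "Present", "Absent"}
VALID_REASON = {"Malware", "CC", "Manual"}


def parse_record(line: str) -> Dict[str, str]:
    """Return the key=value fields of one record, with surrounding quotes stripped."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def validate(rec: Dict[str, str]) -> List[str]:
    """List every way a record violates the documented field constraints."""
    problems: List[str] = []
    for key in ("mw_score", "threat_level"):
        value = rec.get(key, "")
        if not value.isdigit() or not 0 <= int(value) <= 10:
            problems.append(f"{key} must be an integer 0-10, got {value!r}")
    try:
        ipaddress.ip_address(rec.get("client_ip", ""))  # accepts IPv4 and IPv6
    except ValueError:
        problems.append(f"client_ip is not a valid address: {rec.get('client_ip')!r}")
    if rec.get("infected_host_status") not in VALID_STATUS:
        problems.append(f"unknown infected_host_status {rec.get('infected_host_status')!r}")
    if rec.get("reason") not in VALID_REASON:
        problems.append(f"unknown reason {rec.get('reason')!r}")
    return problems


@dataclass
class Alert:  # hypothetical alert shape for this example
    client_ip: str
    threat_level: int
    reason: str
    infected_host_status: str
    details: str


def evaluate(records: List[Dict[str, str]], threshold: int = 7) -> List[Alert]:
    """Alert on hosts Added to or Present on the list at or above threshold.

    Cleared/Absent records never alert; records failing validate() are
    skipped rather than trusted.
    """
    alerts: List[Alert] = []
    for rec in records:
        if validate(rec):
            continue
        status, level = rec["infected_host_status"], int(rec["threat_level"])
        if status in ("Added", "Present") and level >= threshold:
            alerts.append(Alert(rec["client_ip"], level, rec["reason"], status, rec["details"]))
    return alerts


if __name__ == "__main__":
    parsed = [parse_record(line) for line in SAMPLE_LOGS]
    for rec in parsed:
        for problem in validate(rec):
            print("rejected:", problem)
    for a in evaluate(parsed):
        print(f"ALERT {a.client_ip} level={a.threat_level} {a.infected_host_status}/{a.reason}: {a.details}")
```

Validation before evaluation matters here: a record with an out-of-range score or an unparseable address is dropped rather than silently coerced into an alert decision, and the Cleared/Manual record shows why the alert condition keys on infected_host_status, not only on threat_level.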

About Block Drop and Block Close

If you use the show services security-intelligence statistics CLI command, you’ll see block drop and block close sessions.

host> show services security-intelligence statistics
Category Infected-Hosts:
  Profile pr2:
    Total processed sessions: 37
    Permit sessions: 0
    Block drop sessions: 35
    Block close sessions: 2

You can configure either block drop or block close. With block drop, the SRX Series device silently drops the session's packets and the session eventually times out. With block close, the SRX Series device sends a TCP RST packet to both the client and the server, and the session is torn down immediately.

Use block close, for example, to protect client or server resources: it releases the client and server sockets immediately. If client or server resources are not a concern, or if you do not want to reveal that a firewall is in the path, use block drop.

Block close is valid only for TCP traffic. Non-TCP traffic is block dropped even if block close is configured. For example, if you configure infected hosts to block close:

...
set services security-intelligence profile pr2 rule r2 then action block close
...

ICMP traffic sent through the device is still block dropped, and is counted under block drop sessions in the statistics output.

For more information on setting block drop and block close, see Configuring the SRX Series Devices to Block Infected Hosts.

Host Details

Click the host IP address on the hosts main page to view detailed information about current threats to the selected host by time frame. From the details page, you can also change the investigation status and the blocked status of the host. For more information on the host details, see the web UI tooltips and online help.

You can also use the show security dynamic-address category-name Infected-Hosts CLI command to view the infected host list.

host> show security dynamic-address category-name Infected-Hosts
No.      IP-start        IP-end          Feed             Address
1        x.0.0.7         x.0.0.7         Infected-Hosts/1 ID-21500011
2        x.0.0.10        x.0.0.10        Infected-Hosts/1 ID-21500011
3        x.0.0.21        x.0.0.21        Infected-Hosts/1 ID-21500011
4        x.0.0.11        x.0.0.11        Infected-Hosts/1 ID-21500012
5        x.0.0.12        x.0.0.12        Infected-Hosts/1 ID-21500012
6        x.0.0.22        x.0.0.22        Infected-Hosts/1 ID-21500012
7        x.0.0.6         x.0.0.6         Infected-Hosts/1 ID-21500013
8        x.0.0.9         x.0.0.9         Infected-Hosts/1 ID-21500013
9        x.0.0.13        x.0.0.13        Infected-Hosts/1 ID-21500013
10       x.0.0.23        x.0.0.23        Infected-Hosts/1 ID-21500013
11       x.0.0.14        x.0.0.14        Infected-Hosts/1 ID-21500014
12       x.0.0.24        x.0.0.24        Infected-Hosts/1 ID-21500014
13       x.0.0.1         x.0.0.1         Infected-Hosts/1 ID-21500015
14       x.0.0.2         x.0.0.2         Infected-Hosts/1 ID-21500015
15       x.0.0.3         x.0.0.3         Infected-Hosts/1 ID-21500015
16       x.0.0.4         x.0.0.4         Infected-Hosts/1 ID-21500015
17       x.0.0.5         x.0.0.5         Infected-Hosts/1 ID-21500015
18       x.0.0.15        x.0.0.15        Infected-Hosts/1 ID-21500015
19       x.0.0.25        x.0.0.25        Infected-Hosts/1 ID-21500015
20       x.0.0.16        x.0.0.16        Infected-Hosts/1 ID-21500016
21       x.0.0.26        x.0.0.26        Infected-Hosts/1 ID-21500016
22       x.0.0.17        x.0.0.17        Infected-Hosts/1 ID-21500017
23       x.0.0.27        x.0.0.27        Infected-Hosts/1 ID-21500017
24       x.0.0.18        x.0.0.18        Infected-Hosts/1 ID-21500018
25       x.0.0.28        x.0.0.28        Infected-Hosts/1 ID-21500018
26       x.0.0.19        x.0.0.19        Infected-Hosts/1 ID-21500019
27       x.0.0.29        x.0.0.29        Infected-Hosts/1 ID-21500019
28       x.0.0.8         x.0.0.8         Infected-Hosts/1 ID-2150001a
29       x.0.0.20        x.0.0.20        Infected-Hosts/1 ID-2150001a
30       x.0.0.30        x.0.0.30        Infected-Hosts/1 ID-2150001a

Total number of matching entries: 30

Automatic Lowering of Host Threat Level or Removal from Infected Hosts Feed

The threat level of a host can decrease automatically if no security events are seen for that host within a period of one month. The month is a rolling window relative to the current time, and the number and type of events seen within that window determine the host's threat level score. By the same process, a host can be removed from the infected hosts list automatically once all of its malware events fall outside the month-long window.

If a host is resolved manually and its threat level set to zero, but another malware event then occurs, the resolution event is ignored: the new threat score for the host is once again computed from all suspicious events within the one-month window.
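To make the rolling-window behaviour above concrete, here is an added example that models it against a constructed event history. It is not Juniper's proprietary scoring algorithm, only a minimal model of the rules stated on this page; the 30-day window length, the use of the highest in-window event score as the host level, and the representation of a manual resolution as a Manual event are assumptions of the example.

```python
"""Added example, not Juniper's proprietary algorithm: a minimal model of the
rolling one-month window, so decay, automatic removal and the manual-resolution
rule can be exercised against a constructed event history.

ASSUMPTIONS (not stated on the page): the window is 30 days; a host's threat
level is the highest score among its Malware/CC events inside the window; a
manual resolution is a Manual event with score 0 that holds only until the next
Malware/CC event for that host.
"""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

WINDOW = timedelta(days=30)  # assumed length of "one month"


class Event(NamedTuple):
    when: datetime
    reason: str   # "Malware", "CC" or "Manual", the reason values documented above
    score: int    # 0-10, as in the mw_score / threat_level fields


def threat_level(events: List[Event], now: datetime) -> int:
    """Threat level of a host at time `now` under the model above."""
    window_start = now - WINDOW
    suspicious = [e for e in events
                  if e.reason in ("Malware", "CC") and window_start < e.when <= now]
    manual = [e.when for e in events if e.reason == "Manual" and e.when <= now]
    if manual:
        last_clear = max(manual)
        # The resolution stands only while no newer suspicious event exists;
        # once one occurs, every suspicious event in the window counts again.
        if not any(e.when > last_clear for e in suspicious):
            return 0
    return max((e.score for e in suspicious), default=0)


def on_infected_list(events: List[Event], now: datetime) -> bool:
    """A host stays on the list while its windowed threat level is above zero."""
    return threat_level(events, now) > 0


# Constructed history for one host (not real data).
T0 = datetime(2019, 1, 1)
HISTORY = [
    Event(T0, "Malware", 9),                  # malicious download
    Event(T0 + timedelta(days=5), "CC", 6),   # later C&C contact
]


def timeline(events: List[Event], days: List[int]) -> Dict[int, int]:
    """Threat level on each of the given days after T0."""
    return {d: threat_level(events, T0 + timedelta(days=d)) for d in days}


if __name__ == "__main__":
    # day 10: both events in window -> 9; day 31: download aged out -> 6;
    # day 36: nothing left in window -> 0 and the host drops off the list
    print("decay:", timeline(HISTORY, [10, 31, 36]))
    resolved = HISTORY + [Event(T0 + timedelta(days=12), "Manual", 0)]
    print("after manual clear:", timeline(resolved, [15]))
    relapsed = resolved + [Event(T0 + timedelta(days=20), "Malware", 4)]
    # the new event re-enables every in-window suspicious event, so 9 not 4
    print("after new event:", timeline(relapsed, [21]))
```

The last case is the one worth noticing operationally: a manual clear does not erase history, so a single low-score relapse inside the window restores the host's earlier high score rather than starting it at the new event's score.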
