Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Compromised Hosts: More Information

Infected hosts are systems where there is a high confidence that attackers have gained unauthorized access. When a host is compromised, the attacker can do several things to the computer, such as:

  • Send junk or spam e-mail to attack other systems or distribute illegal software.

  • Collect personal information, such as passwords and account numbers.

  • Disable your computer’s security settings to allow easy access.

Infected hosts are listed as IP address or IP subnet of the host along with a threat level, for example, and threat level 5. Once identified, Juniper ATP Cloud recommends an action and you can create security policies to take enforcement actions on the inbound and outbound traffic on these infected hosts. Juniper ATP Cloud uses multiple indicators, such as a client attempting to contact a C&C server or a client attempting to download malware, and a proprietary algorithm to determine the infected host threat level.

The data feed URL is set up automatically for you when you run the op script to configure your SRX Series Firewall. See Download and Run the Juniper Advanced Threat Prevention Cloud Script.

Figure 1 shows one example of how devices are labelled as infected hosts by downloading malware.

Figure 1: Infected Host from MalwareInfected Host from Malware




A client with IP address is located behind an SRX Series Firewall and requests a file to be downloaded from the Internet.


The SRX Series Firewall receives the file from the Internet and checks its security policies to see if any action needs to be taken before sending the file to the client.


The SRX Series Firewall has a Juniper ATP Cloud policy that requires files of the same type that was just downloaded to be sent to the cloud for inspection.

This file is not cached in the cloud, meaning this is the first time this specific file has been sent to the cloud for inspection, so the SRX Series Firewall sends the file to the client while the cloud performs an exhaustive inspection.


In this example, the cloud analysis determines the file has a threat level greater than the threshold indicating that the file is malware, and sends this information back to the SRX Series Firewall.

The client is placed on the infected host list.


Juniper ATP Cloud blocks the client from accessing the Internet.

The client remains on the infected host list until an administrator performs further analysis and determines it is safe.

You can view the status of hosts from the Juniper ATP Cloud Web Portal by navigating to Monitor > Hosts. You can also use the show services security-intelligence statistics CLI command on the SRX Series Firewall to view a quick report.

An email can be configured in the Configure > Infected Hosts window to alert users when a host’s threat level is at or above a specified threshold.

A malware and host status event syslog message is created in /var/log/messages. Junos OS supports forwarding logs using stream mode and event mode. For information on JSA and QRadar SIEM support, see JSA and QRadar SIEM Support Table.


To use syslog, you must configure system logging for all SRX Series Firewall within the same realm. For example, if REALM1 contains SRX1 and SRX2, both SRX1 and SRX2 must have system logging enabled. For more information on configuring system logging, see SRX Getting Started - System Logging.

  • Malware event syslog using stream mode.

  • Host status event syslog using stream mode.

  • Malware event syslog using event mode.

  • Host status event syslog using event mode.

The syslog record contains the following fields:




Date and time the syslog entry is created.


Internal unique identifier.


SHA-256 hash value of the downloaded file.


Client IP address, supporting both IP4 and IP6.


Malware score. This is an integer between 0-10.


Malware name or brief description.


Username of person that downloaded the possible malware.


Hostname of device that downloaded the possible malware.


Host status. Currently it is only in_progress.


Name of Juniper ATP Cloud policy that enforced this action.


Host threat level. This is an integer between 0-10.


Infected host status. It can be one of the following: Added, Cleared, Present, Absent.


Reason for the log entry. It can be one of the following: Malware, CC, Manual.


Brief description of the entry reason, for example: malware analysis detected host downloaded a malicious_file with score 9, sha256 abc123

About Block Drop and Block Close

If you use the show services security-intelligence statistics CLI command, you’ll see block drop and block close sessions.

You can configure either block drop or block close. If you choose block drop, then the SRX Series Firewall silently drops the session’s packet and the session eventually times out. If block close is configured, the SRX Series Firewalls sends a TCP RST packet to the client and server and the session is dropped immediately.

You can use block close, for example, to protect the resource of your client or server. It releases the client and server sockets immediately. If client or server resources is not a concern or you don’t want anyone to know there is a firewall located in the network, you can use block drop.

Block close is valid only for TCP traffic. Non-TCP traffic uses block drop even if you configure it block close. For example, if you configure infected hosts to block close:

when you send icmp traffic through the device, it is block dropped.

For more information on setting block drop and block close, see Configuring the SRX Series Firewalls to Block Infected Hosts.

Host Details

Click the host IP address on the hosts main page to view detailed information about current threats to the selected host by time frame. From the details page, you can also change the investigation status and the blocked status of the host. For more information on the host details, see the web UI tooltips and online help.

You can also use the show security dynamic-address category-name Infected-Hosts CLI command to view the infected host list.

Automatic Lowering of Host Threat Level or Removal from Infected Hosts Feed

The threat level of a host may decrease automatically if there have been no security events for that host for the period of one month. The month in question is a rolling window of time relative to the current time. The number and type of events seen over that month determine the threat level score of the host. A host may automatically be removed from the infected hosts list by the same process, if all malware events fall outside of that month long window.

If the manual resolution of a host takes place and the threat level is set to zero, but another malware event occurs, the resolution event is ignored and the resulting threat score for the host once again takes into consideration all the suspicious events within the period of one month to determine the new threat score.