I've noticed an incomplete request to 111.111.111.111

L3 Networker

Hi Guys,

On PAN's Monitor tab I've noticed that one of our hosts (users' computers) periodically sends some packets to 111.111.111.111 and doesn't receive any packets back. On the Application tab it stays incomplete! What is this shit? Did anyone have a problem like this? What can I do to figure this out? Any idea?

Huge Thanks


Tigran

12 REPLIES

L0 Member

Hi Tigran,

Incomplete means that either the three-way TCP handshake did NOT complete, or the three-way TCP handshake did complete but there was no data after the handshake to identify the application. In other words, the traffic you are seeing is not really an application.

So, to explain a little more clearly: if a client sends a server a SYN and the Palo Alto device creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session would be seen as incomplete. More information can be found here:

Incomplete, Insufficient data and Not-applicable in the application field

In addition, virustotal.com, for example, can provide you more information about a specific IP address:

https://www.virustotal.com/en/ip-address/111.111.111.111/information/
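As an added illustration of the two "incomplete" cases described in the reply above (this is example code, not Palo Alto Networks code and not something posted in this thread), the script below labels a TCP flow from the packets seen for it, and then does the check a responder would want next given that the original post says the host sends these packets "periodically": it groups incomplete sessions by source and destination in a traffic-log excerpt and flags pairs whose inter-session gaps are nearly constant, which is the usual sign of malware beaconing. The packet tuples, the log rows (timestamp, source, destination, application) and the thresholds are all constructed for the example.

```python
"""Two checks for the thread's 'incomplete' question.

Added example, not code from Palo Alto Networks or from anyone in this thread.
The packet tuples, the traffic-log rows and the beacon thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SYN = 0x02
ACK = 0x10


def classify_session(packets):
    """Label one TCP flow the way the App-ID field would.

    packets: list of (direction, tcp_flags, payload_len) with direction
    'c2s' (client to server) or 's2c' (server to client).

    'incomplete' covers both cases from the reply above: no SYN-ACK ever
    came back (handshake never finished), or the handshake finished but no
    payload followed, so there was nothing to identify an application from.
    """
    saw_synack = any(d == "s2c" and f & SYN and f & ACK for d, f, _ in packets)
    payload = sum(n for _, _, n in packets)
    if not saw_synack:
        return "incomplete", "no SYN-ACK from server"
    if payload == 0:
        return "incomplete", "handshake completed, no data"
    return "data", f"{payload} payload bytes available for App-ID"


# Constructed traffic-log excerpt: receive_time, src, dst, application.
SAMPLE_LOG = """\
2014/03/10 09:00:00,10.1.1.25,111.111.111.111,incomplete
2014/03/10 09:00:12,10.1.1.25,8.8.8.8,dns
2014/03/10 09:05:01,10.1.1.25,111.111.111.111,incomplete
2014/03/10 09:07:40,10.1.1.30,111.111.111.111,incomplete
2014/03/10 09:10:00,10.1.1.25,111.111.111.111,incomplete
2014/03/10 09:14:59,10.1.1.25,111.111.111.111,incomplete
2014/03/10 09:18:03,10.1.1.30,111.111.111.111,incomplete
2014/03/10 09:20:00,10.1.1.25,111.111.111.111,incomplete
"""


def parse_log(text):
    """Turn the CSV excerpt into (datetime, src, dst, app) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, app = line.split(",")
        rows.append((datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), src, dst, app))
    return rows


def periodic_incomplete(rows, min_sessions=4, max_cv=0.1):
    """Find (src, dst) pairs whose 'incomplete' sessions recur at a near-constant
    interval: the 'periodically' the original post describes, and a classic
    beaconing sign. max_cv is the allowed spread of the gaps (stdev / mean).

    Returns {(src, dst): (session_count, mean_gap_seconds)} for hits only.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, app in rows:
        if app == "incomplete":
            by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_sessions:
            continue  # too few sessions to say anything about periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[pair] = (len(times), avg)
    return hits


if __name__ == "__main__":
    # Retransmitted SYNs and nothing back: the first 'incomplete' case.
    print(classify_session([("c2s", SYN, 0), ("c2s", SYN, 0)]))
    # Full handshake, then silence: the second 'incomplete' case.
    print(classify_session([("c2s", SYN, 0), ("s2c", SYN | ACK, 0), ("c2s", ACK, 0)]))
    # Handshake plus a data segment: App-ID has something to inspect.
    print(classify_session([("c2s", SYN, 0), ("s2c", SYN | ACK, 0),
                            ("c2s", ACK, 0), ("c2s", ACK, 120)]))
    for (src, dst), (n, gap) in periodic_incomplete(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {n} incomplete sessions every ~{gap:.0f}s")
```

On the constructed rows, 10.1.1.25 reaches 111.111.111.111 five times at roughly five-minute intervals and is reported; 10.1.1.30 only has two incomplete sessions and is skipped. Run against a real exported traffic log, the same grouping tells you whether the "incomplete" entries are a scheduled callback or just sporadic noise before you decide to rebuild the host.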

Hi gbogojevic,


Thanks for the info. I've got all that you told me, but I don't understand how I can solve this problem. Maybe I should scan that computer for viruses? What do you think?


Huge Thanks

Tigran

There seems to be malware on the host.

Hi Tigran,


Yes, you should scan the local computer. In addition, you can apply security profiles (antivirus, anti-spyware, vulnerability and URL profiles) to the security policy that matches traffic from that specific host.

Hi Panos,


I also think so. What kind of programs or antiviruses do you advise using in such situations?


Thanks

OK, understood.

Thank you so much.

Using security profiles for the related traffic will be fine for securing it.

You still need to clean the host with a tool.

There are many third-party freeware tools you can find on the web. From the details you can also see the vendors:

https://www.virustotal.com/en/file/d2744a38a67fee26410d69d312d80d4802cc5112bfaedc50da8eb9ad7ee43fbe/...

Hi Panos,


I've observed this link, https://www.virustotal.com/en/file/d2744a38a67fee26410d69d312d80d4802cc5112bfaedc50da8eb9ad7ee43fbe/..., and have a question. At the top come the antiviruses whose results are in red, and then the antiviruses whose results are in green.

As I understand, for example,

Ad-Aware Gen:Trojan.Heur.GM.050005010A

means this antivirus can't fix the Gen:Trojan.Heur.GM.050005010A trojan virus,

and Avast, for example, is up to date and can fix all viruses.

Am I right? I use Avast; hope it'll help.


Huge thanks

That was an example of a file which makes traffic to 111.111.111.111.

If it is green, then it cannot detect that trojan.

As you see at the top: Detection ratio: 8 / 54.

As I understand, I should use one of the top 8 antiviruses to detect that trojan. Am I correct?

For that malware and for that update version, yes. Maybe with a new update others will also see that file. Or maybe it is a false positive.

OK, thanks.

  • 5417 Views
  • 12 replies
  • 0 Likes