11-03-2014 01:28 AM
Hi Guys,
On PAN's Monitor tab I've noticed that one of our hosts (a user's computer) periodically sends some packets to 111.111.111.111 and doesn't receive any packets. On the Application tab it stays incomplete! What is this shit? Did anyone have a problem like this? What can I do to figure this out? Any idea?
Huge Thanks
Tigran
11-03-2014 01:34 AM
Hi Tigran,
Incomplete means that either the three-way TCP handshake did NOT complete, or the three-way TCP handshake did complete but there was no data after the handshake to identify the application. In other words, the traffic you are seeing is not really an application.
So to explain a little more clearly: if a client sends a server a SYN and the Palo Alto device creates a session for that SYN, but the server never sends a SYN-ACK back to the client in response, then that session would be seen as incomplete. More information can be found here:
Incomplete, Insufficient data and Not-applicable in the application field
In addition, for example, virustotal.com can provide you with more information about a specific IP address:
https://www.virustotal.com/en/ip-address/111.111.111.111/information/
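The pattern this reply describes (a host repeatedly sending a SYN to one external address and getting nothing back, logged as "incomplete") can be picked out of exported traffic logs. This is an added example, not code from the thread or from Palo Alto Networks; it assumes a constructed, simplified CSV layout rather than the real PAN-OS export format, and the hosts and intervals are made up.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed, simplified traffic-log rows (not the real PAN-OS export format).
# Columns: receive_time, src, dst, dport, app, bytes_sent, bytes_received
SAMPLE_LOG = """\
2014/11/03 01:00:02,10.1.1.25,111.111.111.111,443,incomplete,120,0
2014/11/03 01:05:01,10.1.1.25,111.111.111.111,443,incomplete,120,0
2014/11/03 01:10:03,10.1.1.25,111.111.111.111,443,incomplete,120,0
2014/11/03 01:15:02,10.1.1.25,111.111.111.111,443,incomplete,120,0
2014/11/03 01:07:44,10.1.1.40,198.51.100.20,443,ssl,5120,81234
2014/11/03 01:09:10,10.1.1.40,198.51.100.20,80,incomplete,60,0
"""

FIELDS = ["receive_time", "src", "dst", "dport", "app", "bytes_sent", "bytes_received"]


def parse_log(text):
    """Parse CSV rows into dicts, converting the timestamp and byte counters."""
    rows = []
    for rec in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        rec["receive_time"] = datetime.strptime(rec["receive_time"], "%Y/%m/%d %H:%M:%S")
        rec["bytes_sent"] = int(rec["bytes_sent"])
        rec["bytes_received"] = int(rec["bytes_received"])
        rows.append(rec)
    return rows


def find_beacons(rows, min_sessions=3):
    """Return (src, dst) pairs with repeated 'incomplete' sessions where the
    client sent data but received none, with the mean gap between sessions."""
    by_pair = defaultdict(list)
    for r in rows:
        if r["app"] == "incomplete" and r["bytes_received"] == 0 and r["bytes_sent"] > 0:
            by_pair[(r["src"], r["dst"])].append(r["receive_time"])
    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_sessions:
            continue  # one failed handshake is noise, not a pattern
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings[pair] = {"sessions": len(times), "mean_gap_s": sum(gaps) / len(gaps)}
    return findings


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info['sessions']} incomplete sessions, "
              f"~{info['mean_gap_s']:.0f}s apart")
```

A regular gap between sessions is what separates a scheduled check-in from a user who simply hit a dead server once; the single 10.1.1.40 failure is left out for that reason.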
11-03-2014 01:41 AM
Hi gbogojevic,
Thanks for the info. I've understood everything you said, but I don't understand how I can solve this problem. Maybe I should scan that computer for viruses? What do you think?
Huge Thanks
Tigran
11-03-2014 01:42 AM
There seems to be malware on the host.
11-03-2014 01:47 AM
Hi Tigran,
Yes, you should scan the local computer. In addition, you can apply a security profile (antivirus, antispyware, vulnerability and URL profile) to the security policy that matches traffic from that specific host.
11-03-2014 01:49 AM
Hi Panos,
I also think so. What kind of programs or antiviruses do you advise using in such situations?
Thanks
11-03-2014 01:51 AM
OK, understood.
Thank you so much.
11-03-2014 02:06 AM
Using security profiles for the related traffic will be fine to secure it.
You still need to clean the host with a tool.
There are many 3rd-party freeware tools you can find on the web. From the details you can also see the vendors.
11-05-2014 04:28 AM
Hi Panos,
I've observed https://www.virustotal.com/en/file/d2744a38a67fee26410d69d312d80d4802cc5112bfaedc50da8eb9ad7ee43fbe/...
this link and have a question. From the top come antiviruses whose results are in red colour, and then antiviruses whose results are in green.
As I understand it, for example
Ad-Aware | Gen:Trojan.Heur.GM.050005010A |
this antivirus can't fix this Gen:Trojan.Heur.GM.050005010A trojan virus,
and Avast, for example, is up to date and can fix all viruses.
Am I right? I use Avast, hope it'll help.
Huge thanks
11-05-2014 05:08 AM
That was an example of a file which makes traffic to 111.111.111.111.
If it is green then it cannot detect that trojan.
As you see at the top, Detection ratio: 8 / 54
11-05-2014 05:13 AM
As I understand, I should use one of the top 8 antiviruses to detect that trojan, am I correct?
11-05-2014 05:21 AM
For that malware and for that update version, yes. Maybe with a new update others will also see that file. Or maybe it is a false positive.