Getting CDR alert emails. Logs say almost nothing?

Options
ChipConnJohn
ChipConnJohn Posts: 45 image  Freshman Member
Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula First Comment Fifth Anniversary
in Security

Collaborative Detection & Response Alert

 

 

Malware found malicious activities of a client over threshold at 2022/02/08 19:13:30

Category: Malware

Security Event: Malware detected

Event counts: 2 in 60 minutes

Client information:

IP Address: 192.168.110.75

MAC address: e4:54:00:88:99

User: -
I logged into the ATP and the CDR log says nothing more.  What is it seeing?  Is there another log I can be looking at?

Thanks,
-John

All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,568 image  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    edited February 2022
    Hi @ChipConnJohn,
    CDR detection include IDP, Anti-Malware, and URL Threat Filter. You should be able to see abnormal event log in "MONITOR > Log > View Log" when you filter keyword for detected address.
    e.g.

     
  • JBR007
    JBR007 Posts: 2
    First Comment
    Dear Zyxel_Cooldia,
    I have the same problem, the log entry of the possible found malware doesn't say anything.
    In the above example which you have added where did you get the IP-address which you entered into the Keyword field? As you can see in my printscreen the only address is my local PC (192.168.2.37).
    If I do what you have suggested I don't see anything like a malware in the logfile of my FW.
    Why can't this log-entry show directly which malware was found (name or location or any other valuable information)?

  • JBR007
    JBR007 Posts: 2
    First Comment
    Dear Zyxel_Cooldia,
    I have the same problem, the log entry of the possible found malware doesn't say anything.
    In the above example which you have added where did you get the IP-address which you entered into the Keyword field? As you can see in my printscreen the only address is my local PC (192.168.2.37).
    If I do what you have suggested I don't see anything like a malware in the logfile of my FW.
    Why can't this log-entry show directly which malware was found (name or location or any other valuable information)?

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,568 image  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    Hi @JBR007,
    CDR event is trigger by Web Threat, Malware, and IPS.The notification mail is alert to firewall admin. 
    For further detailed information, you can check from "MONITOR > Log > View Log"
    However, the log only keep for 2048, we would suggest to use SecuReporter for security event analysis.

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)