
Microsoft (and other) domains detected as a possible botnet C&C domain in ADS - false positive blacklist events


Information


Summary:

Some legitimate domains recently ended up on the blacklist that is being used by Flowmon ADS. These are false positives.

Environment:

Product: Flowmon ADS

Version: Any

Platform: Any

Question/Problem Description:

"It seems that a Microsoft corporation server was included in the feed intelligence as a known botnet domain."

The domains in question: msftncsi.com, checkpoint.com.

Because these domains are on the blacklist, an ADS event is created every time a device tries to reach out to them.

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  
Cause: ADS uses an external blacklist service, so it is not possible to trace back how a given domain ended up on the blacklist. In any case, false positives are common in automated blacklist services, and providers regularly adjust their lists accordingly.
Resolution:

We have whitelisted these domains. The next time Flowmon devices reach out for blacklist updates, there should be no more events regarding these domains. This should happen within 6 hours of this article being released at the latest.

If there is any other domain that seems legitimate in the ADS Blacklist event, please don't hesitate to reach out to our support so we can add it to the whitelist.
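Until the upstream list is corrected, it helps to triage blacklist events locally against the domains already confirmed as false positives. The script below is an added example for that purpose; it is not Flowmon or Kemp code, the event line format it parses is constructed for the example, and the only domains it exempts are the two named above. Note the match is done on DNS label boundaries: `checkpoint.com` also covers `www.checkpoint.com` but not `notcheckpoint.com`, which is the mistake a naive `endswith` check would make.

```python
"""Added example (not Flowmon/Kemp code): triage ADS blacklist events
against a local allowlist of domains known to be false positives.
"""
from typing import Iterable, List, Tuple

# Domains the article names as false positives.
ALLOWLIST = {"msftncsi.com", "checkpoint.com"}


def normalize(domain: str) -> str:
    """Lower-case and strip a trailing dot so FQDN forms compare equal."""
    return domain.strip().lower().rstrip(".")


def is_allowlisted(domain: str, allowlist: Iterable[str] = ALLOWLIST) -> bool:
    """True if domain equals an allowlist entry or is a subdomain of one.

    The "." prefix in the suffix test enforces a label boundary, so
    "notcheckpoint.com" is NOT matched by the entry "checkpoint.com".
    """
    d = normalize(domain)
    for entry in allowlist:
        e = normalize(entry)
        if d == e or d.endswith("." + e):
            return True
    return False


Event = Tuple[str, str, str]  # (timestamp, source_ip, domain)


def triage(events: Iterable[str]) -> Tuple[List[Event], List[Event]]:
    """Split event lines into (false_positives, to_investigate).

    Assumed line format (constructed for this example, not an ADS export
    format): '<timestamp> <src_ip> <domain>'. Malformed lines are skipped.
    """
    false_positives: List[Event] = []
    to_investigate: List[Event] = []
    for line in events:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, domain = parts
        event = (ts, src, normalize(domain))
        if is_allowlisted(domain):
            false_positives.append(event)
        else:
            to_investigate.append(event)
    return false_positives, to_investigate


# Constructed sample events; timestamps and addresses are made up.
SAMPLE_EVENTS = [
    "2024-01-10T08:00:01Z 10.0.0.5 www.msftncsi.com",
    "2024-01-10T08:00:02Z 10.0.0.7 checkpoint.com.",
    "2024-01-10T08:00:03Z 10.0.0.9 notcheckpoint.com",
    "2024-01-10T08:00:04Z 10.0.0.9 evil.example",
    "garbage line",
]

if __name__ == "__main__":
    fps, keep = triage(SAMPLE_EVENTS)
    print("known false positives:")
    for ev in fps:
        print("  ", ev)
    print("still to investigate:")
    for ev in keep:
        print("  ", ev)
```

Keep the allowlist short and specific: exempting a whole parent domain such as `com` would silence every event, and a legitimate-looking domain that is not on the list should still be reported to support rather than added locally on a guess.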

Workaround:  
Notes:  
