Net under Attack

I have a problem: Bitdefender Gravityzone EDR is detecting many correlated incidents with a high impact score in my organization. We are seeing that Bitdefender is receiving a wave of attacks from two domains. We are seeing that queries are made to several domains from 98 computers on the network; the actions have a high criticality score and, from what we see, different attack techniques are shown. How can I configure the Bitdefender Gravityzone Firewall to reject the connections and block unauthorized ports? Is there a manual for the Firewall that comes with the Gravityzone solutions?

I tried to configure the firewall as shown below:

Is this configuration correct?

I leave some images for reference and see if any of you can guide me on what to do.

Impact or severity of event

Thank you.

Comments

  • Hello.
    Since you need help with business product, @Andrei_S Enterprise (who provides support for business products) could take a look here and help you with the issue.
    Also, you can always contact the Bitdefender business support:
    https://www.bitdefender.com/business/support/en/71263-85158-contact.html
    Regards.

  • Hello @carlosalb226 ,

    Our Firewall documentation on how to define custom rules can be found here: https://www.bitdefender.com/business/support/en/77209-342962-rules.html#idp257449

    Now regarding the custom rule that you have defined, can you try to increase the priority of that rule by making it the first in the list? Currently I see that it has priority 14.

    Furthermore, I was able to identify your case in our system and I will reach out to the Enterprise Support team to ensure this case gets the proper attention.

    Kind Regards,

    Andrei
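The advice above (move the custom block rule to the top of the list) only makes sense if the rule list is evaluated top-down and the first matching rule wins. The following is an added example, not code from the original thread or from Bitdefender, that models such an ordered first-match rule list in Python and shows why a deny rule sitting below a broad allow rule never fires for the traffic it was written for, and how promoting it to priority 1 changes the verdict. The evaluation semantics, the rule fields and the sample rules and domain (`.c2.example`) are all constructed assumptions for illustration, not GravityZone's documented behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of an ordered, first-match firewall rule list. This is an
# assumption about how such lists are evaluated, not a description of the
# GravityZone firewall engine itself.


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    direction: str = "any"             # "in", "out" or "any"
    remote_host: Optional[str] = None  # exact host, ".suffix", or None for any host
    remote_port: Optional[int] = None  # None matches any port
    protocol: str = "any"              # "tcp", "udp" or "any"


@dataclass(frozen=True)
class Connection:
    direction: str
    remote_host: str
    remote_port: int
    protocol: str


def host_matches(pattern: Optional[str], host: str) -> bool:
    """A pattern starting with '.' matches the whole domain suffix."""
    if pattern is None:
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern


def rule_matches(rule: Rule, conn: Connection) -> bool:
    return (
        rule.direction in ("any", conn.direction)
        and rule.protocol in ("any", conn.protocol)
        and host_matches(rule.remote_host, conn.remote_host)
        and (rule.remote_port is None or rule.remote_port == conn.remote_port)
    )


def evaluate(rules: List[Rule], conn: Connection, default: str = "deny") -> Tuple[str, str, int]:
    """Walk the list top-down; the first matching rule decides.

    Returns (action, rule name, 1-based priority of the deciding rule).
    """
    for priority, rule in enumerate(rules, start=1):
        if rule_matches(rule, conn):
            return rule.action, rule.name, priority
    return default, "<default policy>", len(rules) + 1


def promote(rules: List[Rule], name: str) -> List[Rule]:
    """Return a new list with the named rule moved to the top (priority 1)."""
    chosen = [r for r in rules if r.name == name]
    return chosen + [r for r in rules if r.name != name]


# Constructed rule set: a broad "allow outbound web" rule sits above the custom
# block rule, so the block rule is shadowed for any HTTPS connection.
ORIGINAL_RULES = [
    Rule("Allow outbound web", "allow", direction="out", remote_port=443, protocol="tcp"),
    Rule("Allow outbound DNS", "allow", direction="out", remote_port=53, protocol="udp"),
    Rule("Block suspicious domain", "deny", direction="out", remote_host=".c2.example"),
    Rule("Allow inbound HTTPS", "allow", direction="in", remote_port=443, protocol="tcp"),
    Rule("Deny unauthorized inbound ports", "deny", direction="in"),
]

# Constructed connection to a hypothetical suspicious host.
SUSPECT = Connection("out", "hdr.c2.example", 443, "tcp")


if __name__ == "__main__":
    print("rule at priority 3:", evaluate(ORIGINAL_RULES, SUSPECT))
    print("rule at priority 1:", evaluate(promote(ORIGINAL_RULES, "Block suspicious domain"), SUSPECT))
    print("inbound RDP:", evaluate(ORIGINAL_RULES, Connection("in", "10.0.0.5", 3389, "tcp")))
```

Running it shows the suspect connection decided by "Allow outbound web" while the block rule sits at priority 3, and by "Block suspicious domain" once the rule is promoted. The inbound case shows the other half of the question in the original post: a trailing catch-all deny covers every inbound port that no earlier allow rule explicitly opened.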

  • Hello Andrei, thanks for taking the time to answer. We already received an email from corporate support; however, I have a question. Bitdefender Gravityzone Enterprise is being reactive to the malicious actions of the process, that is, from the first moment it has responded but has not been able to eradicate the malicious action, and it continues to be replicated by other teams in the organization. I have tried to validate which process generates the queries to the malicious website; however, it does not show it in the logs, and from the evidence it is tied to a legitimate process, svchost.exe. The process tries to make a connection to the following URL: hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com
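When the querying image is a shared system binary such as svchost.exe, the image name alone does not tell you which instance is responsible; grouping the DNS queries by process id and parent image across hosts does. The following is an added example, not code from the thread or from Bitdefender, that parses a few constructed DNS-query event records and attributes the queries to a watched domain suffix by (image, parent image) and by host. The key=value line format and every sample line are constructed; the field names are modelled on the ones a Sysmon DNS query event (Event ID 22) carries (QueryName, Image, ProcessId), not on GravityZone's own log format, and `.c2.example` stands in for the domains in the original post.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample records, one event per line, in a flattened key=value
# layout. Field names are modelled on Sysmon Event ID 22 (DNS query); the
# hosts, paths, pids and domains are illustrative only.
SAMPLE_EVENTS = r"""
host=WS-017 QueryName=update.example.net Image=C:\Windows\System32\svchost.exe ProcessId=1180 ParentImage=C:\Windows\System32\services.exe
host=WS-017 QueryName=beacon.c2.example Image=C:\Windows\System32\svchost.exe ProcessId=4412 ParentImage=C:\Users\Public\updater.exe
host=WS-042 QueryName=beacon.c2.example Image=C:\Windows\System32\svchost.exe ProcessId=5120 ParentImage=C:\Users\Public\updater.exe
host=WS-042 QueryName=www.example.com Image=C:\Program Files\Browser\browser.exe ProcessId=2210 ParentImage=C:\Windows\explorer.exe
host=WS-088 QueryName=cdn.c2.example Image=C:\Windows\System32\svchost.exe ProcessId=3301 ParentImage=C:\Users\Public\updater.exe
"""

# A value runs until the next " key=" token or end of line, so paths that
# contain spaces (C:\Program Files\...) survive the split.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    return dict(FIELD_RE.findall(line.strip()))


def parse_events(text: str) -> List[Dict[str, str]]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def queries_to(events: List[Dict[str, str]], suffixes: List[str]) -> List[Dict[str, str]]:
    """Keep only events whose QueryName ends with one of the watched suffixes."""
    return [e for e in events if any(e["QueryName"].endswith(s) for s in suffixes)]


def attribute(events: List[Dict[str, str]], suffixes: List[str]) -> Dict[Tuple[str, str], Set[Tuple[str, int]]]:
    """Group watched queries by (Image, ParentImage) -> {(host, pid), ...}.

    A legitimate image with an unusual parent shared across many hosts is the
    signal worth handing to the responder; a single svchost.exe entry is not.
    """
    groups: Dict[Tuple[str, str], Set[Tuple[str, int]]] = defaultdict(set)
    for e in queries_to(events, suffixes):
        groups[(e["Image"], e["ParentImage"])].add((e["host"], int(e["ProcessId"])))
    return dict(groups)


def affected_hosts(events: List[Dict[str, str]], suffixes: List[str]) -> List[str]:
    return sorted({e["host"] for e in queries_to(events, suffixes)})


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    watched = [".c2.example"]
    print("hosts querying watched domains:", affected_hosts(events, watched))
    for (image, parent), instances in attribute(events, watched).items():
        print(f"{image} (parent {parent}): {sorted(instances)}")
```

On the constructed input the only group is svchost.exe launched by a non-system parent, seen on three hosts with three different pids; the svchost.exe instance parented by services.exe, which only resolved an update host, is left out. The same grouping applied to real DNS-query events from the affected machines is what narrows "svchost.exe" down to a specific process tree.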

  • Hello @carlosalb226 ,

    We need our labs team to evaluate the bdsyslog provided in order to determine which is the malicious process (if there is one). All the information was shared with them and I have asked them to look over it with priority. As soon as they finish their analysis you will be notified by our support team.

    Kind Regards,

    Andrei