Botnet detection on Symantec Web Gateway (SWG)



Article ID: 152587


Products

Web Gateway

Issue/Introduction

You wish to know how botnet activity is treated and handled by the Symantec Web Gateway (SWG).

Certain activity, such as connections initiated by clients on the protected network to Botnet Command & Control (C&C) servers, is not always blocked, even when the Botnet C&C category is added to a policy and set to block.

Cause

The SWG has three distinct statuses for bot host detection:


  • Suspected Bot
  • Active Bot
  • Inactive Bot


Suspected Bot

The SWG has determined that there are reasons to be suspicious of the traffic in question, but no actual malicious activity has been detected in that traffic so far. In this case the SWG will continue to monitor the client, but will not take any action. For example, a simple ping to a known or potential Botnet C&C server from a client machine within the protected network will cause that machine's activities to be monitored, and it will display with status "Suspect" in the Botnet report. Clicking on the affected host in the Botnet report shows the Botnet Command & Control (C&C) activity and the C&C hosts contacted by the client.

Botnet detection on the SWG is behavioural: an initial "Suspect Bot" determination is made based on one of the following criteria:

  1. The client is determined to have connected to a known C&C server.
  2. The client sends an unusually high amount of SMTP traffic (and is not a known email server).
  3. The client is detected to have run a port scan of other machines in the network.
  4. The client is detected to have generated significant Spyware-related activity.


Active Bot

The SWG has positively identified traffic coming from within the protected network as botnet traffic. The appliance will apply any relevant policy, and the Botnet category will be blocked if that is the setting applied in the matching policy (or if the SWG is in blocking mode). In the above example, the SWG will block all traffic to the Botnet C&C. The client will appear with status "Active" in the Botnet report.

Activities that will trigger the active botnet status include spam and port scanning.


Inactive Bot

The computer showed evidence of botnet activity in the past, but there has been no activity in the last 7 days.
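As an added illustration (not Symantec's code, and not SWG's real detection algorithm), the three statuses modelled as a classifier over constructed flow events: a ping to a known C&C address lands in Suspect, a port scan escalates to Active, and old spam evidence decays to Inactive. The C&C list, thresholds, hosts and event format are assumptions; only the 7-day Inactive window comes from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed values for the illustration (not SWG's real lists or thresholds).
KNOWN_CC = {"203.0.113.10"}          # "known C&C server" addresses
KNOWN_MAIL_SERVERS = {"10.0.0.9"}    # hosts allowed to send bulk SMTP
SMTP_LIMIT = 50                      # assumed: SMTP connections before "unusually high"
SCAN_LIMIT = 20                      # assumed: distinct ports on one target = port scan
INACTIVE_AFTER = timedelta(days=7)   # from the article: no activity for 7 days

def classify(events, now):
    """Map client -> (status, reason); events are (ts, src, dst, dport, kind)."""
    smtp_count = defaultdict(int)
    scan_ports = defaultdict(set)     # (src, dst) -> ports touched
    suspect, active, last_seen = {}, {}, {}
    for ts, src, dst, dport, kind in events:
        last_seen[src] = max(last_seen.get(src, ts), ts)
        if dst in KNOWN_CC:           # criterion 1: any contact, even a ping
            suspect.setdefault(src, "contacted known C&C")
        if kind == "spyware":         # criterion 4
            suspect.setdefault(src, "spyware activity")
        if kind == "smtp" and src not in KNOWN_MAIL_SERVERS:   # criterion 2
            smtp_count[src] += 1
            if smtp_count[src] >= SMTP_LIMIT:
                suspect.setdefault(src, "high SMTP volume")
                active[src] = "spam"  # spam escalates to Active
        if kind == "tcp":             # criterion 3
            scan_ports[(src, dst)].add(dport)
            if len(scan_ports[(src, dst)]) >= SCAN_LIMIT:
                suspect.setdefault(src, "port scan")
                active[src] = "port scan"  # port scanning escalates to Active
    result = {}
    for src, reason in suspect.items():
        if now - last_seen[src] > INACTIVE_AFTER:
            result[src] = ("Inactive", reason)     # evidence, but quiet for 7+ days
        elif src in active:
            result[src] = ("Active", active[src])  # policy block applies here
        else:
            result[src] = ("Suspect", reason)      # monitored only, not blocked
    return result

def sample_events():
    """Constructed traffic: a ping to C&C, a port scan, old spam, and a real mail server."""
    d = lambda day: datetime(2024, 1, day, 12, 0)
    ev = [(d(9), "10.0.0.5", "203.0.113.10", 0, "icmp")]
    ev += [(d(9), "10.0.0.6", "10.0.0.7", p, "tcp") for p in range(1, 26)]
    ev += [(datetime(2023, 12, 20), "10.0.0.8", "198.51.100.1", 25, "smtp")] * 60
    ev += [(d(9), "10.0.0.9", "198.51.100.2", 25, "smtp")] * 100
    return ev

def demo():
    return classify(sample_events(), datetime(2024, 1, 10))
```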

Resolution

You may wish to block suspicious traffic even if it is still only regarded as Suspect by the SWG and does not meet the blocking criteria.

It is not possible to block such traffic by policy until it becomes Active. This is working as designed.

Blacklisting the destination IP address or hostname to block events that correspond to the Suspect phase does not have any effect. Botnet phase 1 (Suspect) events take precedence over blacklist entries.