The botnet report enables you to use heuristic and behavior-based mechanisms
to identify potential malware- or botnet-infected hosts in your
network. To evaluate botnet activity and infected hosts, the firewall
correlates user and network activity data in Threat, URL, and Data
Filtering logs with the list of malware URLs in PAN-DB, known dynamic
DNS domain providers, and domains registered within the last 30
days. You can configure the report to identify hosts that visited those
sites, as well as hosts that communicated with Internet Relay Chat
(IRC) servers or that used unknown applications. Malware often uses
dynamic DNS to avoid IP blocking, while IRC servers often use bots
for automated functions.
The firewall requires Threat Prevention and URL Filtering
licenses to use the botnet report. You can use the Automated Correlation Engine to
monitor suspicious activities based on additional indicators besides those
that the botnet report uses. However, the botnet report is the only
tool that uses newly registered domains as an indicator.
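The correlation described above, reduced to a small script, as an added example that is not PAN-OS code or anything from this documentation: constructed stand-ins for the PAN-DB malware URL list, the dynamic DNS provider list and domain registration dates are matched against constructed Threat/URL log entries, and each source host is tagged with the indicators it triggered (malware URL, dynamic DNS, domain registered within 30 days, IRC, unknown application). The feeds, log format, dates and hostnames are all assumptions made for the example.

```python
from datetime import date, timedelta
from urllib.parse import urlsplit
# Constructed stand-ins for the indicator sources the report correlates logs
# against: PAN-DB malware URLs, dynamic DNS providers, domain registration dates.
MALWARE_URLS = {"badhost.example/dl/payload"}
DYNDNS_PROVIDERS = {"dyn.example", "noip.example"}
DOMAIN_REGISTERED = {"fresh-domain.example": date(2024, 6, 1),
                     "old-domain.example": date(2019, 3, 12)}
NEW_DOMAIN_WINDOW = timedelta(days=30)   # "registered within the last 30 days"
REPORT_DATE = date(2024, 6, 20)          # constructed "today" for the sample run
# Constructed log entries shaped as (source host, URL, application); a real run
# would read these columns from the Threat and URL Filtering logs.
SAMPLE_LOGS = [
    ("10.1.1.5", "badhost.example/dl/payload", "web-browsing"),
    ("10.1.1.5", "evil.dyn.example/check", "web-browsing"),
    ("10.1.1.7", "fresh-domain.example/", "web-browsing"),
    ("10.1.1.9", "old-domain.example/", "web-browsing"),
    ("10.1.1.9", "chat.example", "irc"),
    ("10.1.1.11", "203.0.113.4", "unknown-tcp"),
]

def registered_domain(host):
    # Two-label approximation of the registrable domain (no public suffix list).
    return ".".join(host.split(".")[-2:])

def indicators(url, app, today=REPORT_DATE):
    """Return the set of botnet-report indicators one log entry triggers."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    parent = registered_domain(host)
    hits = set()
    if url in MALWARE_URLS:
        hits.add("malware-url")
    if parent in DYNDNS_PROVIDERS and host != parent:
        hits.add("dynamic-dns")  # hostname under a dynamic DNS provider
    registered = DOMAIN_REGISTERED.get(parent)
    if registered and timedelta(0) <= today - registered <= NEW_DOMAIN_WINDOW:
        hits.add("newly-registered-domain")
    if app == "irc":
        hits.add("irc")
    if app.startswith("unknown-"):
        hits.add("unknown-application")
    return hits

def botnet_report(logs, today=REPORT_DATE):
    """Group triggered indicators by source host, as the report presents them."""
    report = {}
    for src, url, app in logs:
        hits = indicators(url, app, today)
        if hits:
            report.setdefault(src, set()).update(hits)
    return report
```

A host that triggers several indicators (here 10.1.1.5, which fetched a known malware URL and also contacted a dynamic DNS hostname) is the one worth looking at first; a single unknown-application hit on its own is a weak signal.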