The botnet report enables you to use heuristic and behavior-based
mechanisms to identify potential malware- or botnet-infected hosts
in your network. To evaluate botnet activity and infected hosts,
the firewall correlates user and network activity data in Threat,
URL, and Data Filtering logs with the list of malware URLs in PAN-DB,
known dynamic DNS domain providers, and domains registered within the
last 30 days. You can configure the report to identify hosts that
visited those sites, as well as hosts that communicated with Internet
Relay Chat (IRC) servers or that used unknown applications. Malware
often uses dynamic DNS to avoid IP blacklisting, while IRC servers
often use bots for automated functions.

The firewall requires Threat Prevention and URL Filtering
licenses to use the botnet report. You can use the Automated Correlation Engine to monitor suspicious activities based on additional indicators
besides those that the botnet report uses. However, the botnet report
is the only tool that uses newly registered domains as an indicator.
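To make the correlation concrete, here is an added example (not Palo Alto Networks code and not how the firewall implements the report internally) that runs the same indicators described above over a few constructed log records: a malware URL list standing in for PAN-DB, a dynamic DNS provider list, domain registration dates for the 30-day check, and IRC or unknown applications. The record layout, the list contents, the report date and the ranking rule are all assumptions made for the illustration.

```python
"""
Added example (not Palo Alto Networks code): a toy version of the
botnet-report correlation, run over constructed log records.
Log fields, feed contents, report date and ranking are all assumed.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import date
from urllib.parse import urlsplit

# Constructed indicator feeds standing in for PAN-DB and the other lists.
MALWARE_URLS = {"bad.example.net/dl/payload.bin"}
DYNAMIC_DNS_PROVIDERS = {"dyn-example.org", "noip-example.net"}
# Constructed registration dates for domains that appear in the logs.
DOMAIN_REGISTERED = {"fresh-example.com": date(2024, 5, 20)}
REPORT_DATE = date(2024, 6, 1)          # assumed "today" for the report
NEW_DOMAIN_WINDOW_DAYS = 30             # the page's 30-day window


def registered_within_window(domain: str) -> bool:
    """True if the domain was registered within the last 30 days."""
    reg = DOMAIN_REGISTERED.get(domain)
    return reg is not None and 0 <= (REPORT_DATE - reg).days <= NEW_DOMAIN_WINDOW_DAYS


def uses_dynamic_dns(host: str) -> bool:
    """True if host is a known dynamic DNS provider or a subdomain of one."""
    return any(host == p or host.endswith("." + p) for p in DYNAMIC_DNS_PROVIDERS)


def classify(record: dict) -> list[str]:
    """Return the botnet indicators a single (constructed) log record triggers."""
    hits = []
    if record["type"] == "url":
        host = urlsplit("//" + record["url"]).hostname or ""
        if record["url"] in MALWARE_URLS:
            hits.append("malware-url")
        if uses_dynamic_dns(host):
            hits.append("dynamic-dns")
        if registered_within_window(host):
            hits.append("newly-registered-domain")
    elif record["type"] == "traffic":
        if record["app"] == "irc":
            hits.append("irc-server")
        elif record["app"] in ("unknown-tcp", "unknown-udp"):
            hits.append("unknown-application")
    return hits


def botnet_report(records) -> dict[str, dict[str, int]]:
    """Count triggered indicators per source host."""
    report: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for r in records:
        for h in classify(r):
            report[r["src"]][h] += 1
    return {src: dict(counts) for src, counts in report.items()}


def rank_hosts(report: dict[str, dict[str, int]]) -> list[str]:
    """Assumed ranking: more distinct indicators first, then more total hits."""
    return sorted(report, key=lambda s: (len(report[s]), sum(report[s].values())), reverse=True)


# Constructed sample records (simplified URL Filtering and traffic entries).
SAMPLE_LOGS = [
    {"type": "url", "src": "10.0.0.5", "url": "bad.example.net/dl/payload.bin"},
    {"type": "url", "src": "10.0.0.5", "url": "c2.dyn-example.org/beacon"},
    {"type": "url", "src": "10.0.0.7", "url": "fresh-example.com/index.html"},
    {"type": "traffic", "src": "10.0.0.7", "app": "irc"},
    {"type": "traffic", "src": "10.0.0.9", "app": "web-browsing"},
    {"type": "traffic", "src": "10.0.0.9", "app": "unknown-tcp"},
    {"type": "url", "src": "10.0.0.9", "url": "www.example.com/"},
]

if __name__ == "__main__":
    rep = botnet_report(SAMPLE_LOGS)
    for src in rank_hosts(rep):
        print(src, rep[src])
```

Running it lists 10.0.0.5 and 10.0.0.7 ahead of 10.0.0.9, since each of the first two tripped two different indicator types while the third only used an unknown application. A single indicator is a lead for triage, not proof of infection; the value of the report is in a host accumulating several independent ones.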