WatchGuard Cloud Cyclops Blink Detector

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

You can use the WatchGuard Cloud Cyclops Blink Detector to determine if your Fireboxes are affected by Cyclops Blink. This tool can scan multiple Fireboxes in your account and the accounts you manage. To scan a Firebox, the device must be connected to WatchGuard Cloud.

Other detection tools are available online and from WSM. For more information, see the Diagnose section of the 4-Step Cyclops Blink Diagnosis and Remediation Plan.

To scan devices in a FireCluster, we recommend that you upload diagnostic log files (support.tgz) to the Cyclops Blink Web Detector at detection.watchguard.com. The WatchGuard Cloud Cyclops Blink Detector does not scan passive cluster members in active/passive FireClusters.

To run the Cyclops Blink Detector, from WatchGuard Cloud:

  1. Go to cloud.watchguard.com and log in.
  2. Select Dashboard.
    Or, select Monitor > Devices.
  3. In the Cyclops Blink Detector widget:
    • If this is the first time you have scanned Fireboxes, click Scan Fireboxes in your account.

    • If you have already scanned Fireboxes and want to scan again, click the Cyclops Blink Detector widget header or click View Results, then click Scan Fireboxes for Indicators of Cyclops Blink.

    The Cyclops Blink Detection Tool page opens.

  4. Select the check boxes next to the Fireboxes you want to scan. Fireboxes that are offline are not available for selection. To select all Fireboxes in an account, select the check box next to the account name.
  5. Click Scan.

See Scan Results

The Cyclops Blink Scan Overview page opens immediately after you scan. The widgets at the top of the page provide details of the results.

To open the Cyclops Blink Scan Overview page at any time, select Configure > Devices > Cyclops Blink Detector.

To see the result for a specific Firebox, review the Last Scan Results column in the list of results.

The action you must take for a Firebox depends on the scan result:

  • Cyclops Blink Indicators Detected — The Firebox is infected with the Cyclops Blink botnet. You must immediately follow the steps in the Remediate section of the 4-Step Cyclops Blink Diagnosis and Remediation Plan. If you cannot remediate immediately, we recommend you take the Firebox offline.
  • No Cyclops Blink Indicators Detected — No indicators of the Cyclops Blink botnet are detected. You must immediately follow the steps in the Prevent section of the 4-Step Cyclops Blink Diagnosis and Remediation Plan to protect your Firebox.
  • In Progress — The Cyclops Blink Detector is scanning the Firebox. Results appear in the list when ready. If you scanned a large number of Fireboxes, it might take some time for all results to appear.
  • Failed to Scan — The tool could not scan the Firebox. This might be because of an error, or because the Cyclops Blink Detector could not connect to the Firebox. For help with connection issues, see Troubleshoot Firebox Connections to WatchGuard Cloud.
  • Failed to Scan — Incomplete Results — The tool was unable to complete the scan for all known indicators. Some scans did complete successfully and nothing was detected. For help with connection issues, see Troubleshoot Firebox Connections to WatchGuard Cloud.
  • Not Scanned — You did not scan the Firebox.

To download the results, click Download results to CSV file.

Related Topics

WSM Cyclops Blink Detector