cleuson
New Member
October 16, 2018
Question

Host infected with botnet

  • October 16, 2018
  • 2 replies
  • 3916 views

Hi, we have a network with a FortiGate 1500D on the edge. Inside we have several subnets. Behind one of the networks, we have a botnet source with IP x.x.x.x destined for an external network y.y.y.y. How can I block Conficker actions on the network?


Thank You.

    2 replies

    emnoc
    New Member
    October 16, 2018

    You should have an endpoint agent on the host, IMHO. But if you want to block the host, set a rule for the src and dst with a deny action.

    Alternatively, you could look at an IPS signature and deploy that to catch others. Seriously, if you have hosts infected with Conficker, then you have out-of-date hosts and no or poorly maintained local AV/malware endpoints.


    kphed
    New Member
    October 16, 2018

    Configure an app sensor with the "Botnet" category set to block and either deploy it on an interface policy for the local interface (to ensure all traffic sourced from the LAN is scanned) or deploy the app sensor on whichever firewall policy allows the host outbound to the Internet.

    emnoc
    New Member
    October 16, 2018

    I would be careful with that. Bot app control blocks known C&C and listed or identified botnets. YMMV in detection and prevention.

    Ken Felix
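The two steps suggested in the replies above (a deny policy for the known-infected host, plus an application sensor with the Botnet category set to block on the outbound policy), written out as a FortiOS CLI script. This is an added example, not configuration posted by anyone in the thread; the interface names "internal" and "wan1", the existing outbound policy ID 1, and the host address 10.0.5.23 (standing in for x.x.x.x) are assumptions for illustration.

```fortios
# Address object for the infected host. 10.0.5.23 is a constructed
# placeholder for the x.x.x.x in the question.
config firewall address
    edit "infected-host"
        set subnet 10.0.5.23 255.255.255.255
    next
end

# Application sensor with the Botnet category (category id 2) set to block.
config application list
    edit "block-botnet"
        config entries
            edit 1
                set category 2
                set action block
            next
        end
    next
end

config firewall policy
    # Explicit deny for the known-infected host. Move this policy above
    # the general outbound policy so it is matched first, and log it so
    # the host's connection attempts are visible while it is cleaned.
    edit 0
        set name "deny-infected-host"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "infected-host"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Existing outbound policy (ID 1 is an assumption) gets the sensor so
    # any other LAN host reaching known C&C is blocked and logged.
    edit 1
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "block-botnet"
        set logtraffic all
    next
end
```

As the last reply notes, the sensor only catches C&C traffic that matches Fortinet's botnet signatures, so the deny policy and the logs, not the sensor alone, are what confirm the host is actually contained.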