Virus policy false positive
Hi all. For two weeks I have been picking up false positives on Windows updates. Can't whitelist certain IPs with the virus feature on the firewall policy; any ideas on how to mitigate?
Message meets Alert condition
Virus/Worm detected: Protocol: "HTTP" Source IP: 192.168.xxx.xxx
Destination IP: 8.247.248.249 Email Address From: Email Address
To: VIRUS REFERENCE URL:
date=2018-06-18 time=08:59:22 devname=xxxxxx devid=FG100E4Q17006469 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" eventtime=1529305162 msg="File is infected." action="blocked" service="HTTP" sessionid=72527335 srcip=192.168.xxx.xxx dstip=8.247.248.249 srcport=54879 dstport=80 srcintf="port1" srcintfrole="lan" dstintf="WAN LINK OUT" dstintfrole="wan" policyid=29 proto=6 direction="incoming" filename="26773177_129255bcafdf28ba563f60069f60029783bd29f9.cab" quarskip="File-was-not-quarantined." url="http://download.windowsupdate.com/d/msdownload/update/others/2018/06/26773177_129255bcafdf28ba563f60..." profile="default" agent="Windows-Update-Agent/10.0.10011.16384" analyticscksum="b335f5cacec2a70f99aff42470beeb60ee60bad85686640ed04529a60244b0ef" analyticssubmit="true" crscore=50 crlevel="critical"
Labels: Next Generation Firewall
Hi,
You can configure a firewall policy to allow access to the Windows Update servers and move the policy to the top of the policy list.
You need to create FQDN address objects for the following FQDNs:
- download.microsoft.com
- windowsupdate.com
- windowsupdate.microsoft.com
- download.windowsupdate.com
- update.microsoft.com
Configure the firewall policy without authentication, from interface Internal to destination interface External, but limit the destination address to a group containing the Microsoft Update FQDNs.
Then move the policy to the top of the policy table.
Regards,
Deepak Kumar
NSE4
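The steps in the reply above, written out as a FortiOS CLI script. This is an added example, not configuration posted in the thread. The interface names port1 and "WAN LINK OUT" and the policy ID 29 are taken from the log line in the question; the object names, group name and the new policy ID 100 are assumptions and should be adjusted to the unit's existing naming and free policy IDs.

```text
# Added example: FortiOS CLI equivalent of the procedure in the reply.
# port1 / "WAN LINK OUT" / policy 29 come from the log in the question;
# object names and policy ID 100 are assumed.

# 1. One FQDN address object per Windows Update host.
config firewall address
    edit "download.microsoft.com"
        set type fqdn
        set fqdn "download.microsoft.com"
    next
    edit "windowsupdate.com"
        set type fqdn
        set fqdn "windowsupdate.com"
    next
    edit "windowsupdate.microsoft.com"
        set type fqdn
        set fqdn "windowsupdate.microsoft.com"
    next
    edit "download.windowsupdate.com"
        set type fqdn
        set fqdn "download.windowsupdate.com"
    next
    edit "update.microsoft.com"
        set type fqdn
        set fqdn "update.microsoft.com"
    next
end

# 2. Group the objects so the policy references a single destination.
config firewall addrgrp
    edit "grp-windows-update"
        set member "download.microsoft.com" "windowsupdate.com" "windowsupdate.microsoft.com" "download.windowsupdate.com" "update.microsoft.com"
    next
end

# 3. LAN -> WAN policy with the destination limited to the group.
#    No users/groups are set (no authentication) and no AV profile is
#    attached, so only traffic to these hosts bypasses virus scanning.
config firewall policy
    edit 100
        set name "allow-windows-update"
        set srcintf "port1"
        set dstintf "WAN LINK OUT"
        set srcaddr "all"
        set dstaddr "grp-windows-update"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set logtraffic all
    next
end

# 4. Place the new policy above the one that produced the alert (policyid=29),
#    so update traffic matches it first.
config firewall policy
    move 100 before 29
end
```

Two things to check after applying this. FQDN address objects are populated from the FortiGate's own DNS lookups, so if clients use a different resolver and the update CDN returns other IP addresses, their sessions will not match policy 100 and will still be scanned under policy 29; pointing clients at the same DNS the FortiGate uses avoids this. Keeping logtraffic enabled on the bypass policy preserves visibility of what is fetched without scanning, and the flagged file (the .cab name and analyticscksum in the log) is worth reporting to the AV vendor as a false positive so the signature gets corrected and the exemption does not have to stay in place longer than needed.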
Kind regards
Marc de Jager
M : +27 72 318 4607
O : +27 11 474 2245
