Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

Marcde_J
New Contributor II

Created on ‎06-17-2018 09:05 PM

Virus policy false positive

Hi all. For two weeks have been picking up false positives on windows updates, Cant whitelist certain IPs with the virus feature on the firewall policy, any ideas on how to mitigate?

 

Message meets Alert condition
Virus/Worm detected: Protocol: "HTTP" Source IP: 192.168.xxx.xxx
Destination IP: 8.247.248.249 Email Address From: Email Address
To: VIRUS REFERENCE URL:
date=2018-06-18 time=08:59:22 devname=xxxxxx devid=FG100E4Q17006469 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" eventtime=1529305162 msg="File is infected." action="blocked" service="HTTP" sessionid=72527335 srcip=192.168.xxx.xxx dstip=8.247.248.249 srcport=54879 dstport=80 srcintf="port1" srcintfrole="lan" dstintf="WAN LINK OUT" dstintfrole="wan" policyid=29 proto=6 direction="incoming" filename="26773177_129255bcafdf28ba563f60069f60029783bd29f9.cab" quarskip="File-was-not-quarantined." url="http://download.windowsupdate.com/d/msdownload/update/others/2018/06/26773177_129255bcafdf28ba563f60..." profile="default" agent="Windows-Update-Agent/10.0.10011.16384" analyticscksum="b335f5cacec2a70f99aff42470beeb60ee60bad85686640ed04529a60244b0ef" analyticssubmit="true" crscore=50 crlevel="critical"

Labels:
378
0 Kudos
2 REPLIES 2
DeepKuma2
Contributor

Created on ‎06-17-2018 11:07 PM

Hi,

You can configure a firewall policy to allow access to windows update servers and move the policy to the top of the policy list.

You need to create FQDN address object for the following FQDN's.

download.microsoft.com
windowsupdate.com
windowsupdate.microsoft.com
download.windowsupdate.com
update.microsoft.com

Configure firewall policy without authentication

From interface Internal to destination Interface External but limit the destination address to a group containing Microsoft update FQDN's

And move the policy to top of the policy table.


Regards,

Deepak Kumar

NSE4

Deepak Kumar First Option General Trading LLC Dubai
Deepak Kumar First Option General Trading LLC Dubai
372
0 Kudos
Marcde_J
New Contributor II
In response to DeepKuma2

Created on ‎06-17-2018 11:19 PM

Incredible thanks very much…


Kind regards

Marc de Jager
M : +27 72 318 4607
O : +27 11 474 2245
From: Deepak Kumar, Network Admin via Firewall:
Sent: Monday, 18 June 2018 11:07
To: firewall@lists.fusecommunity.fortinet.com
Subject: [Firewall:] - RE: Virus policy false positive


Hi,

You can configure a firewall policy to allow access to windows update servers and move the policy to the top of the policy list.

You need to create FQDN address object for the following FQDN's.

download.microsoft.com http://download.microsoft.com
windowsupdate.com http://windowsupdate.com
windowsupdate.microsoft.com http://windowsupdate.microsoft.com
download.windowsupdate.com http://download.windowsupdate.com
update.microsoft.com http://update.microsoft.com

Configure firewall policy without authentication

From interface Internal to destination Interface External but limit the destination address to a group containing Microsoft update FQDN's

And move the policy to top of the policy table.



Regards,

Deepak Kumar

NSE4

-----End Original Message-----
The information contained in this communication from the sender is confidential.
It is intended solely for use by the recipient and others authorized to receive it.
If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful.
Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secured or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.

Head Office: Studio 88, Aeroton Business Park, 30 O'Connor Place, Aeorton, Johannesburg, 2013.
The studio88 Group of Companies supports the Teddy Bear Clinic
Please consider the environment before printing this document

This email has been scanned for viruses and malware, and automatically archived by Mimecast SA (Pty) Ltd, an innovator in Software as a Service (SaaS) for business.
372
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.