FortiClient
keithli_FTNT
Staff
Article Id 192030
Description
DearCry is a ransomware variant, first seen in March 2021, that has been reported to be deployed on Microsoft Exchange servers compromised through the recently disclosed Exchange Server vulnerabilities. It encrypts files with AES-256 and protects the AES key with an embedded RSA-2048 public key, so it never has to contact a command-and-control server before encrypting; only the holder of the matching private key can recover the files. DearCry also drops a ransom note on the desktop asking the victim to contact the attackers by email.

FortiClient-DearCry1.png

Additional information about the virus can be found here:


Solution
FortiClient detects and blocks DearCry with two layers: pre-execution signature-based detection and post-execution behaviour-based detection. The Anti-Malware (AV) feature detects and blocks the malware file before it can execute, and the Anti-Ransomware feature detects malicious file-encryption behaviour and kills the ransomware process after it has started. The second layer is the fallback for samples whose signature is not yet in the AV database, which is why both should be enabled.
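The two layers described above, modelled as an added Python example. This is not FortiClient's own detection code (its signatures and behavioural heuristics are not published); it is a minimal illustration of the design: a hash lookup that can refuse a file before it runs, and a behaviour monitor that only sees the process once it is already writing. The sample binary, the hash blocklist, the file paths and the event stream are all constructed for the demo, and the entropy, file-count and time-window thresholds are assumed values.

```python
import hashlib
import math
from collections import defaultdict

# Constructed stand-in for an AV signature database: a set of SHA-256 hashes.
# Real signature databases match far more than whole-file hashes; the point
# here is only that this layer decides before the file ever runs.
SAMPLE_BINARY = b"MZ\x90\x00constructed-ransomware-sample-not-real-dearcry"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BINARY).hexdigest()}


def pre_execution_scan(file_bytes: bytes) -> bool:
    """Signature layer: True means 'block, do not let this file execute'."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_SHA256


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class BehaviourMonitor:
    """Behaviour layer: flags a process that rewrites many distinct files with
    high-entropy (encrypted-looking) content inside a short time window.
    Thresholds are assumed values for the demo, not FortiClient's."""

    def __init__(self, entropy_threshold: float = 7.0,
                 file_threshold: int = 5, window_s: float = 10.0):
        self.entropy_threshold = entropy_threshold
        self.file_threshold = file_threshold
        self.window_s = window_s
        self.writes = defaultdict(list)   # pid -> [(timestamp, path), ...]
        self.killed = set()

    def on_write(self, pid: int, ts: float, path: str, data: bytes) -> str:
        """Feed one file-write event; returns 'ok', 'kill' or 'already_killed'."""
        if pid in self.killed:
            return "already_killed"
        if shannon_entropy(data) < self.entropy_threshold:
            return "ok"                    # plaintext-looking writes are ignored
        self.writes[pid].append((ts, path))
        recent = {p for t, p in self.writes[pid] if ts - t <= self.window_s}
        if len(recent) >= self.file_threshold:
            self.killed.add(pid)           # a real agent terminates the process here
            return "kill"
        return "ok"


# Constructed payloads: exactly 8.0 bits/byte versus ordinary document text.
HIGH_ENTROPY = bytes(range(256)) * 16
LOW_ENTROPY = b"quarterly report draft, nothing unusual here\n" * 80


def run_demo():
    """Replays a constructed event stream and returns (pid, path, verdict) tuples."""
    mon = BehaviourMonitor()
    events = [
        (100, 0.0, r"C:\Users\alice\Documents\notes.txt", LOW_ENTROPY),    # text editor
        (200, 0.5, r"C:\Users\alice\Downloads\backup.zip", HIGH_ENTROPY),  # one archive
    ]
    # pid 666 rewrites six documents with encrypted-looking bytes within 0.6 s
    events += [(666, 1.0 + 0.1 * i, rf"C:\Users\alice\Documents\file{i}.docx", HIGH_ENTROPY)
               for i in range(6)]
    return [(pid, path, mon.on_write(pid, ts, path, data))
            for pid, ts, path, data in events]


if __name__ == "__main__":
    print("pre-execution block:", pre_execution_scan(SAMPLE_BINARY))
    for pid, path, verdict in run_demo():
        print(pid, verdict, path)
```

The single archive write by pid 200 shows why one high-entropy write is not enough to trigger: the behavioural layer relies on breadth (many distinct files) and speed, which is also why some files are usually already encrypted by the time the process is killed. Keeping the signature layer enabled and its database current therefore remains the first line of defence.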

FortiClient Anti-Malware Protection:

1. Enable FortiClient AV Real-Time Protection on EMS
FortiClient-DearCry2.png

2. Verify that the AV signature database is up to date
FortiClient-DearCry3.png

3. FortiClient AV blocks the DearCry malware file before it can execute
FortiClient-DearCry4.png

Detection event on EMS:
FortiClient-DearCry5.png

FortiClient Detection Log:
FortiClient-DearCry5.2.png


FortiClient Anti-Ransomware Protection:

1. Enable Anti-Ransomware Protection
FortiClient-DearCry6.png

2. FortiClient detects and blocks malicious process behaviour


Detection event on EMS:
FortiClient-DearCry7.png

Detection on FortiClient:
FortiClient-DearCry8.png
