This document is a basic example of how to set up and use the FortiOS Application Control and Antivirus sensors to deny (block) CryptoLocker ransomware.
Solution
FortiOS Application Control and Antivirus Profile sensors can be used to analyze network traffic to detect "Cryptolocker.Botnet" and "CryptoWall.Botnet."
Antivirus scanning examines files for "Cryptolocker.Botnet" and "CryptoWall.Botnet" variants and families of viruses, worms, trojans, and malware. The antivirus scan engine has a database of virus signatures it uses to identify infected files. If the scanner finds a signature in a file, it determines that the file is infected and takes the appropriate action.
If you discover these unwanted applications in your network and wish to block them, follow the steps below:
1. Verify that the Application Control and Antivirus feature(s) are enabled:
a. In the FortiOS Dashboard, go to System | Config
b. Application Control should be ON; if not, enable it
c. Antivirus should be ON; if not, enable it
d. Select Show More and enable Multiple Security Profiles
e. Apply the changes.
2. Verify that your FortiGuard Subscription Services are running the latest IPS and Antivirus definitions:
For the latest Antivirus DB: http://www.fortiguard.com/updates/antivirus.html
For the latest Intrusion Prevention and Application DB: http://www.fortiguard.com/updates/applications.html
a. In the FortiOS Dashboard, go to System | Config | FortiGuard
The current AV detections for CryptoLocker are W32/Blocker.CJEA!tr, W32/Filecoder.BQ, and W32/Zbot.AAU!tr. Other known aliases:
Trojan-Ransom.Win32.Blocker.cjea
TROJ_CRILOCK.AB
Win32/Filecoder.BQ
Trojan:Win32/Crilock.A
CryptoLocker
KryptoLocker
W32/Agent.ABI!tr
W32/Bublik.AEBW!tr
W32/Kryptik.FA!tr
W32/KRYPTIK.PDA!tr
W32/Mdrop.AAB!tr
See: http://www.fortiguard.com/encyclopedia/virus/#id=5584765
CryptoWall 1.0 is detected by our W32/Foreign.KVIE!tr signature.
CryptoWall 2.0 is detected as W32/CRYPDEF.POP!tr.
We also have an article that explains CryptoWall (1.0), located here:
http://blog.fortinet.com/post/cryptowall-another-ransomware-menace
3. Steps to enable the Antivirus Profile:
a. In the FortiOS graphical user interface (GUI) go to Security Profiles > AntiVirus > Profiles
b. Select the default profile or create a new AntiVirus Profile; in this case we will use the "default" profile
c. Set Inspection Mode > Proxy
d. Enable "Block Connections to Botnet Server"
e. Select the Protocols to be inspected
f. Select Apply
4. Verify the Antivirus Profile configuration has the correct option(s) enabled from the FortiOS CLI:
config antivirus profile
    edit "default"
        set comment " "
        set replacemsg-group ''
        set inspection-mode proxy
        set block-botnet-connections enable
        set extended-utm-log enable
        config http
            set options scan
        end
        config ftp
            set options scan
        end
        config imap
            set options scan
        end
        config pop3
            set options scan
        end
        config smtp
            set options scan
        end
        config nntp
            set options scan
        end
        config im
            set options scan
        end
        config smb
            set options scan
        end
(The "scan" option scans files and blocks infected ones based on the current AVDB signatures.)
av-virus-log : enable
av-block-log : enable
5. Steps to enable blocking with the Application Control Sensor:
a. In the FortiOS graphical user interface (GUI) go to Security Profiles > Application Sensors
b. Select the default sensor or create a new Application Sensor; in this case we will use the "default" profile
c. Select Create New > under Category, select Botnet as the only Category to filter
d. For the columns Popularity | Technology | Risk, make sure all options are selected
e. For Action, select "Block"
f. Select OK
6. Verify the Application Control Profile configuration has the correct option(s) enabled from the FortiOS CLI:
conf application list
(list) # edit default
(default) # sho full
config application list
    edit "default"
        set comment "monitor all applications"
        set replacemsg-group ''
        set other-application-action pass
        set extended-utm-log enable
        set other-application-log enable
        set log enable
        set unknown-application-action pass
        set unknown-application-log enable
        unset p2p-black-list
        set options allow-dns allow-icmp allow-http allow-ssl
        config entries
            edit 2
                set action block
                set behavior all
                set category 19
                set log enable
                set log-packet enable
                set popularity 1 2 3 4 5
                set protocols all
                set session-ttl 0
                set technology all
                set vendor all
            next
            edit 1
                set action pass
                set behavior all
                set log enable
                set log-packet disable
                set per-ip-shaper ''
                set popularity 1 2 3 4 5
                set protocols all
                set session-ttl 0
                set shaper ''
                set shaper-reverse ''
                set technology all
                set vendor all
            next
        end
    next
end
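Steps 4 and 6 both ask you to read a CLI dump and confirm by eye that the right options are set. The script below is an added example, not part of this article and not a Fortinet tool: it parses FortiOS "show full" output (the config/edit/set/next/end syntax quoted above) into nested dictionaries and checks the two things the article cares about, that the antivirus profile runs in proxy mode with block-botnet-connections enabled and "scan" on every protocol, and that the application list contains a logged entry that blocks category 19 (the Botnet category id shown in the step 6 dump). The sample dumps it runs against are constructed for the example; paste a real dump into the same functions to audit a unit. Function and constant names are the example's own.

```python
import re
import shlex

# Constructed sample dumps for this example (not captured from a real FortiGate); they
# mirror the 'show full' output quoted in steps 4 and 6 of the article.
PROTOCOLS = ("http", "ftp", "imap", "pop3", "smtp", "nntp", "im", "smb")
BOTNET_CATEGORY = "19"  # Botnet category id as it appears in the article's application list dump


def av_profile_dump(botnet="enable", unscanned=()):
    """Return a constructed antivirus-profile dump in FortiOS 'show' syntax."""
    protos = "".join(
        f"        config {p}\n            set options "
        f"{'quarantine' if p in unscanned else 'scan'}\n        end\n"
        for p in PROTOCOLS)
    return ('config antivirus profile\n    edit "default"\n        set comment " "\n'
            "        set inspection-mode proxy\n"
            f"        set block-botnet-connections {botnet}\n{protos}    next\nend\n")


def app_list_dump(botnet_action="block"):
    """Return a constructed application-list dump with one Botnet category entry."""
    return ('config application list\n    edit "default"\n'
            '        set comment "monitor all applications"\n'
            "        set other-application-action pass\n        unset p2p-black-list\n"
            "        config entries\n            edit 2\n"
            f"                set action {botnet_action}\n"
            f"                set category {BOTNET_CATEGORY}\n"
            "                set log enable\n            next\n"
            "            edit 1\n                set action pass\n"
            "                set log enable\n            next\n"
            "        end\n    next\nend\n")


def parse_fortios(text):
    """Parse config/edit/set/unset/next/end lines into nested dicts.

    Leaf values are token lists, so 'set options scan' becomes {'options': ['scan']}.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        # skip blank lines and CLI prompts such as '(default) # show full'
        if not line or re.match(r"^\(.*\)\s*#", line):
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw in ("config", "edit"):
            node = stack[-1].setdefault(" ".join(tokens[1:]), {})
            stack.append(node)
        elif kw == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif kw == "unset":
            stack[-1][tokens[1]] = []
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def check_av_profile(cfg, name="default"):
    """Step 4 checks; an empty list means the profile matches the article."""
    prof = cfg.get("antivirus profile", {}).get(name)
    if prof is None:
        return [f"antivirus profile '{name}' not found"]
    findings = []
    if prof.get("inspection-mode") != ["proxy"]:
        findings.append("inspection-mode is not proxy")
    if prof.get("block-botnet-connections") != ["enable"]:
        findings.append("block-botnet-connections is not enabled")
    for p in PROTOCOLS:
        if "scan" not in prof.get(p, {}).get("options", []):
            findings.append(f"{p}: scan not set")
    return findings


def check_app_list(cfg, name="default"):
    """Step 6 checks: a logged entry must block the Botnet category."""
    lst = cfg.get("application list", {}).get(name)
    if lst is None:
        return [f"application list '{name}' not found"]
    blocking = [e for e in lst.get("entries", {}).values()
                if e.get("action") == ["block"] and BOTNET_CATEGORY in e.get("category", [])]
    if not blocking:
        return [f"no entry blocks category {BOTNET_CATEGORY} (Botnet)"]
    if any(e.get("log") != ["enable"] for e in blocking):
        return ["Botnet blocking entry does not have log enabled"]
    return []


if __name__ == "__main__":
    # Replace the constructed dumps with real 'show full' output to audit a unit.
    for label, text, check in (
            ("AV profile (as in step 4)", av_profile_dump(), check_av_profile),
            ("AV profile (botnet block off, SMB unscanned)",
             av_profile_dump("disable", ("smb",)), check_av_profile),
            ("App list (as in step 6)", app_list_dump(), check_app_list),
            ("App list (Botnet entry set to pass)", app_list_dump("pass"), check_app_list)):
        print(f"{label}: {check(parse_fortios(text)) or 'OK'}")
```

The checks compare against the values the article shows rather than against what FortiOS would accept, so a profile in flow-based mode or with a protocol left unscanned is reported even though the unit itself raises no error; that is the gap a by-eye review of a long dump tends to miss.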
7. Add the appropriate blocking profile to the firewall policy as needed: