This is showing up as AV blocked, and also IP blocked at several locations.
From what we see, it looks like a false positive, unless Bing is suddenly infected. Anyone else seeing this?
Message meets Alert condition File Block Detected: Protocol: Source IP: [LAN IP] Destination IP: 204.79.197.200 Email Address From: Email Address To: date=2016-10-21 time=09:25:15 devname=[Firewall] devid=FGT92D[SERIAL] logid=xxxx type=utm subtype=virus eventtype=botnet level=warning vd="root" msg="Botnet C&C Communication." action=blocked sessionid=9398169 srcip=[SRC IP} dstip=204.79.197.200 srcport=55706 dstport=80 srcintf="LAN" dstintf="wan1" policyid=1 proto=6 direction=outgoing quarskip=No-skip virus="HW20161020" dtype="ip-reputation" ref="http://www.fortinet.com/be?bid=7630162" virusid=7630162 profile="[profile]" user="" analyticssubmit=false crscore=50 crlevel=critical
Also shows up as:
dstip=204.79.197.200 srcport=49608 dstport=80 proto=6 direction=outgoing virus="DYRE" dtype="ip-reputation"
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Bing is still listed as a trusted host in our 'reputation' list. I can't get to Bing though, due to the DDOS attack on DNS this morning. Maybe what you're seeing is related to that.
Yes - a request sent to Fortiguard support related to these alerts has received the following response:
Dear Customer,
This is a false positive. We have disabled the botnet detection on the IP "204.79.197.200" and the update to remove it from your FortiGate will occur at 10AM PST.
We're sorry for any inconveniences this may have caused and we appreciate your patience.
If you have any further concerns please do send us a mail and we will immediately assist you.
Regards,
AV Lab - Mlau
Had the same thing this morning, it was showing as all sorts of different viruses. I spot checked the machines it was saying were infected and they were all clean. It's seems to be all cleaned up now, I am guessing you are correct with the DDOS attack causing the issues.
@kelleycomputing - thanks for the info from Fortiguard. That explains it.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.