Support Forum
vvserpent
New Contributor II
Application-Control VS AntiVirus

Hi,

I'm trying to set up an ACL to prevent connections to botnet servers. I found there is an option "block connections to Botnet Servers" in the AntiVirus Profile.

As both Antivirus and Application Control can block connections to botnet servers, could you tell me what the difference is between Antivirus and Application Control? Which one is better?

Regards,

Jacky

AndreaSoliva
Contributor III

Hi

Sorry, but Application Control and Antivirus are two completely different features:

- Antivirus tests files like zip, gzip and Word documents against antivirus signatures to find viruses etc.

- Application control looks at the application header within the flow and blocks, monitors etc. stuff based on this application header. Behind application control there is also something like a signature database, but only to identify certain applications or functions etc. This database is also used by / comes from IPS, or vice versa.

From this point of view antivirus has nothing to do with application control and vice versa. The block botnet function looks whether a certain request is going out from internal to known botnet servers and, if yes and so configured, it will be blocked. This does not solve the internal problem that the client is infected with malicious whatever, but it blocks communication to botnet servers. To configure botnet server block etc. within a certain antivirus profile you have to configure the following:

    # config antivirus profile
    # edit [Name of the profile]
    # set block-botnet-connections [enable | disable]

For FortiOS 5.2 the command "block-botnet-connections" does not exist anymore and was replaced with:

    # set scan-botnet-connections [monitor | block | disable]

The list used can be seen at the following link:

https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist

If you activate the function and you would like to test it, you have to request from internal an IP listed in the above link. If all is configured correctly the request will be blocked on the FGT and you will see it in the logs.

Hope this helps

Have fun

Andrea

FortiAdam
Contributor II

AndreaSoliva wrote:

> The list used can be seen at the following link: https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist

Are you saying that list is the ONLY list the FortiGate uses to block botnet connections, or is that just an example of some IPs that might get blocked? I'm referring to the "block-botnet-connections" feature of the AntiVirus UTM profile.

Has anyone ever seen an AV log showing where a botnet connection was blocked due to this feature? I haven't, but I look forward to testing it.
PaulM1114
New Contributor III

On Monday I did a lot of testing of the block-botnet-connections AV option using that same Zeus Tracker IP list.

My goals were to 1) confirm it works and 2) confirm it logs an event stating the connection was blocked.

Unfortunately I was able to connect to every IP when using a policy with the AV profile applied with Block Botnet Connections enabled. I have a ticket open currently and am waiting for the engineer to call me back.

Paul

PaulM1114
New Contributor III

Here is an IP Reputation log message from 5.2.
date=2015-03-20 time=10:04:38 logid=0202009248 type=utm subtype=virus eventtype=botnet level=warning vd="root" msg="Botnet C&C Communication." action=blocked sessionid=35841 srcip=10.10.220.6 dstip=103.230.84.239 srcport=28765 dstport=80 srcintf="internal" dstintf="wan1" proto=6 direction=outgoing quarskip=No-skip virus="Zeus" dtype="ip-reputation" ref="http://www.fortinet.com/be?bid=64" virusid=64 profile="block-botnet" user="PAUL" analyticssubmit=false crscore=50 crlevel=critical

FortiAdam
Contributor II

Can you explain how you were able to produce that log entry?

PaulM1114
New Contributor III

My testing methodology:

FortiGate: one policy that includes an AV profile with "block botnet connections" enabled.

Windows: open Firefox and attempt to access an IP from the Zeus Tracker bad IP list in the browser (e.g. 103.230.84.239).

FortiAdam
Contributor II

Thanks Paul, I was able to reproduce the same results in 5.0.9. Below is how my log looked:

date=2015-03-23 time=15:50:32 logid=0211008192 type=utm subtype=virus eventtype=infected level=warning vd="root" msg="File is infected." status="blocked" service=UNKNOWN(255) srcip=10.250.31.44 dstip=103.230.84.239 srcport=65036 dstport=80 srcintf="vlan 31" dstintf="VLAN 695" policyid=14 identidx=0 sessionid=6810689 direction=N/A quarskip="No skip" virus="Zeus" ref="http://www.fortinet.com/ve?vid=0" profile="default" analyticssubmit="false"
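As an added example (not code from any poster or from Fortinet), here is a small Python parser for the FortiGate key=value log format shown in the two replies above. It flags the blocked botnet events in both the 5.2 shape (eventtype=botnet, dtype="ip-reputation") and the 5.0.9 shape (an ordinary "infected" AV event with status="blocked"), and handles quoted values that contain spaces such as srcintf="vlan 31". The first two sample lines are the ones quoted in the thread; the third is a constructed traffic-log line that must be ignored.

```python
import re
from typing import Dict, List, Optional

# One key=value token. The value is either a double-quoted string (may contain
# spaces, '&', '.', '=') or a bare run of non-space characters like UNKNOWN(255).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value log line into a dict, dropping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def botnet_block_summary(line: str) -> Optional[Dict[str, str]]:
    """Normalised record for a blocked botnet C&C event, or None.

    5.2 logs it as eventtype=botnet dtype="ip-reputation" action=blocked;
    5.0 logs it as an ordinary AV hit: eventtype=infected status="blocked".
    """
    f = parse_fortigate_log(line)
    if f.get("type") != "utm" or f.get("subtype") != "virus":
        return None
    if f.get("action") != "blocked" and f.get("status") != "blocked":
        return None  # monitored / passed events are not blocks
    if f.get("eventtype") == "botnet" or f.get("dtype") == "ip-reputation":
        source = "ip-reputation"
    elif f.get("eventtype") == "infected":
        source = "av-infected"
    else:
        return None
    return {"source": source, "src": f.get("srcip", ""),
            "dst": f"{f.get('dstip', '')}:{f.get('dstport', '')}",
            "virus": f.get("virus", ""), "user": f.get("user", "-"),
            "profile": f.get("profile", "")}

def blocked_events(lines: List[str]) -> List[Dict[str, str]]:
    """Filter a batch of log lines down to the blocked botnet/AV records."""
    return [r for r in (botnet_block_summary(l) for l in lines) if r is not None]

# Sample input: the two log entries quoted in the thread above, plus one
# constructed traffic-log line (TEST-NET address) that the filter must ignore.
SAMPLE_LOGS = [
    'date=2015-03-20 time=10:04:38 logid=0202009248 type=utm subtype=virus eventtype=botnet level=warning vd="root" msg="Botnet C&C Communication." action=blocked sessionid=35841 srcip=10.10.220.6 dstip=103.230.84.239 srcport=28765 dstport=80 srcintf="internal" dstintf="wan1" proto=6 direction=outgoing quarskip=No-skip virus="Zeus" dtype="ip-reputation" ref="http://www.fortinet.com/be?bid=64" virusid=64 profile="block-botnet" user="PAUL" analyticssubmit=false crscore=50 crlevel=critical',
    'date=2015-03-23 time=15:50:32 logid=0211008192 type=utm subtype=virus eventtype=infected level=warning vd="root" msg="File is infected." status="blocked" service=UNKNOWN(255) srcip=10.250.31.44 dstip=103.230.84.239 srcport=65036 dstport=80 srcintf="vlan 31" dstintf="VLAN 695" policyid=14 identidx=0 sessionid=6810689 direction=N/A quarskip="No skip" virus="Zeus" ref="http://www.fortinet.com/ve?vid=0" profile="default" analyticssubmit="false"',
    'date=2015-03-23 time=15:51:00 type=traffic subtype=forward action=accept srcip=10.250.31.44 dstip=203.0.113.10 dstport=443',
]
```

Running blocked_events(SAMPLE_LOGS) yields two records, one per FortiOS version, each carrying the source/destination, virus name and profile a SOC analyst would pivot on.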
