Compromised Hosts
Hi all, I found that some hosts are found under Compromised Hosts.
1. Does it mean it is infected by malware? I scanned with AV and got nothing.
2. One record shows nylon.com as SpywareCnC, but I checked and it is a fashion website. Is it a false alarm?
http://nylon.com
Thank you!!
You check suspicious websites not on a FGT alone - use the 'net to get a picture of what others say about it. If you really know that the rating is wrong you can challenge Fortinet to adjust their rating. Usually it only takes a short time until they respond.
A host may be compromised because of an AV event, but also IPS, Webfilter, SPAM, AppControl... This should be noted in the UTM logs.
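An added example (not part of the thread, and not Fortinet's code) of the check the reply above describes: group UTM log lines per source host to see which feature flagged it and whether the traffic was stopped. The log lines are constructed in FortiGate key=value style, and the set of "stopped" action values is an assumption to adjust to your own logs.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation IPs, placeholder hostnames); not from the thread.
SAMPLE_LOGS = '''\
date=2024-01-10 time=09:14:02 type="utm" subtype="webfilter" srcip=192.0.2.15 dstip=198.51.100.7 hostname="cnc.example.test" action="blocked" msg="constructed: denied category"
date=2024-01-10 time=09:14:40 type="utm" subtype="webfilter" srcip=192.0.2.15 dstip=198.51.100.7 hostname="cnc.example.test" action="blocked" msg="constructed: denied category"
date=2024-01-10 time=09:20:11 type="utm" subtype="ips" srcip=192.0.2.15 dstip=198.51.100.9 action="dropped" msg="constructed signature name"
date=2024-01-10 time=09:31:55 type="utm" subtype="virus" srcip=192.0.2.22 dstip=198.51.100.30 hostname="files.example.test" action="passthrough" msg="constructed sample"
date=2024-01-10 time=09:40:00 type="traffic" subtype="forward" srcip=192.0.2.22 dstip=198.51.100.30 action="accept"
'''

# key=value, where the value is either "quoted with spaces" or a bare token
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption: action values that mean the traffic was stopped.
STOPPED = {"blocked", "dropped"}

def parse_line(line):
    """Turn one key=value log line into a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def summarize(log_text):
    """Per source host: UTM subtype -> list of (target, action)."""
    hosts = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "utm" or "srcip" not in rec:
            continue  # traffic logs do not say which UTM feature flagged the host
        target = rec.get("hostname") or rec.get("dstip", "?")
        subtype = rec.get("subtype", "unknown")
        hosts[rec["srcip"]][subtype].append((target, rec.get("action", "?")))
    return hosts

def needs_attention(hosts):
    """Hosts with at least one UTM event that was logged but not stopped."""
    return sorted(
        ip for ip, by_subtype in hosts.items()
        if any(action not in STOPPED
               for events in by_subtype.values() for _, action in events)
    )

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS)
    for ip in sorted(summary):
        for subtype, events in summary[ip].items():
            print(ip, subtype, len(events), sorted(set(events)))
    print("not stopped:", needs_attention(summary))
```

A host whose only events are blocked web filter hits on one domain points to a rating question; a host with events that passed through is the one to examine first.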
Hello,
One question: do you have a valid IOC license? Or are you using the demo license?
Cheers
Hi brazz_FTNT ,
In relation to this topic, our FortiAnalyzer uses the Demo one.
And we also have some compromised hosts displayed, but they show as blocked.
I see that there is Ack. I'm not sure if we need to Acknowledge these.
Thanks for the advice.
Cheers :D
I am using the demo license only. Thanks!
When it comes to "Compromised Hosts," it doesn't necessarily mean the site is infected with malware, but it could indicate potential vulnerabilities. It's good that you've scanned with AV software, but it's always worth checking other security tools to be sure. Sometimes, websites can be flagged incorrectly, especially if there’s any suspicious activity associated with them, like unusual traffic patterns or links. As for the nylon.com case, it’s possible it’s a false alarm, but I’d still recommend using additional layers of protection, like a firewall, or monitoring the site for any unusual behavior.
Staying proactive with security measures and regularly updating your software can help prevent potential risks in the future. For a deeper understanding of security practices, check out some trusted resources on enhancing website protection.
1. The term "compromised hosts" typically indicates that the hosts have exhibited suspicious or malicious behavior, which could suggest a security breach or compromise. Running an antivirus scan that comes back clean does not guarantee that the host is free from all types of malware. It's recommended to conduct a thorough security assessment beyond just antivirus scans to ensure the host's integrity.
2. If a legitimate website like nylon.com is flagged as "spywarecnc" in your security assessment, it could be a false positive. Sometimes security tools may incorrectly flag benign websites due to various reasons like outdated threat intelligence or misinterpretation of website behavior. You can further investigate by checking multiple reputable sources or contacting the website owner to confirm if it's a false alarm.
Salon Raj Joshi
Compromised hosts doesn’t always mean a host is infected with malware, but it does suggest that the device might be behaving suspiciously.
It could be due to unusual traffic, failed login attempts, or other indicators that it could be compromised.
AV scans alone might not catch everything, so you may need to look for other signs, like unusual network activity.
Nylon.com being flagged as "SpywareCnC" could be a false positive, especially if it’s a legitimate website like you mentioned.
Sometimes, security systems flag websites incorrectly.
It’s a good idea to double-check using other tools (like a URL scanner or threat intelligence site) to confirm if it’s safe.
