Support Forum
billp
Contributor

Disappointing coverage of OSX Flashback

Unless I am missing something, Fortinet's handling of the recent big OSX Flashback Java vulnerability has been very disappointing. I had a user contract the virus through the most recent Fortiguard IPS and AV scanning. As far as I can tell, there is no IPS signature to block Flashback traffic -- it is blocked by AV only. Additionally, the AV signature apparently is only in the Extended database for the Fortigate. Per Fortinet, the extended database is chiefly for "zoo" viruses that aren't seen often. (I don't use the extended database on my firewall.) OK -- just griping, but was wondering if anybody else was frustrated by this. Thanks.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

Victor
New Contributor III

Yes, I am looking to block this as well. Have you tried opening a case with support asking for a signature?
billp
Contributor

Yes. I actually spoke to support about this. They do not consider Flashback to be a major infection worthy of the Active Database in the Fortigate. It is only available in the extended db. I guess the companies that use Fortinet don't have a lot of Macs. Go figure. Additionally, once the trojan lands on your system, the command centers are not blocked. I created a list of known Flashback servers and blocked them at the top of my firewall. Fortinet could easily block this by blacklisting the server sites. Yes, I am underwhelmed by Fortinet's response to the biggest Mac security issue in recent history. I only had one infection and it was easy to spot in my logs. Still -- I had really expected better coverage. Sorry for the rant.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

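For readers who want to reproduce the "blocked them at the top of my firewall" approach, here is an added example of how such a blocklist is expressed in the FortiGate CLI. This is not Bill's list and not Fortinet's own guidance: the addresses (192.0.2.0/24 is a documentation range) and the domain names under .invalid are placeholders to be replaced with indicators from a trusted source, and the interface names "internal" and "wan1" are assumptions about the deployment. The deny policy logs every match, so an infected host that tries to reach its command server shows up in the traffic log, which is the detection value Bill describes.

```text
# Added example (FortiOS 5.0-style CLI). All indicator values below are
# placeholders, NOT real Flashback infrastructure.

# 1. One address object per known command server (IP or FQDN).
config firewall address
    edit "blk-c2-ip-1"
        set subnet 192.0.2.10 255.255.255.255      # placeholder IP
    next
    edit "blk-c2-ip-2"
        set subnet 192.0.2.11 255.255.255.255      # placeholder IP
    next
    edit "blk-c2-fqdn-1"
        set type fqdn
        set fqdn "c2-placeholder.example.invalid"  # placeholder domain
    next
end

# 2. Group them so the policy only has to reference one object
#    and new indicators can be added without touching the policy.
config firewall addrgrp
    edit "blk-c2-servers"
        set member "blk-c2-ip-1" "blk-c2-ip-2" "blk-c2-fqdn-1"
    next
end

# 3. A deny policy from the LAN to the Internet for that group.
#    "edit 0" lets the firewall assign the next free policy ID;
#    note the ID it prints, it is needed in step 4.
config firewall policy
    edit 0
        set srcintf "internal"      # assumed LAN interface name
        set dstintf "wan1"          # assumed WAN interface name
        set srcaddr "all"
        set dstaddr "blk-c2-servers"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all          # log every hit: this is the detection
    next
end

# 4. Policies are evaluated top-down, so move the deny ahead of the
#    first permissive policy (here assumed to be policy 1).
config firewall policy
    move <new-policy-id> before 1
end
```

Two caveats a practitioner should keep in mind: FQDN objects only match traffic to addresses the FortiGate has itself resolved, so hosts pointed at a different DNS server may slip past until the cache catches up; and because the policy only blocks the listed servers, it is a stopgap for the command channel, not a substitute for the AV or IPS signature the thread is asking for.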
ede_pfau
SuperUser

Bill, would you do us a favor and post the list of FB servers you've put on the blacklist? How would I find out these addresses?

Ede

"Kernel panic: Aiee, killing interrupt handler!"