I just got this log entry under Log & Report -> Security Log -> AntiVirus:
Date/Time 14:45:17 (1387464317)
Details host: 22.214.171.124 Direction N/A
Dst Interface ISP-Colt
Dst Port 80
Identity Index 0
Log ID 8192
Message File is infected.
Policy ID 30
Profile Name default
Quarantine Skip No skip
Sequence Number 118125701
Src Interface internal2
Src Port 54949
Status Sub Type infected
Submitted to FortiGuard Sandbox false
Timestamp 12/19/2013 2:45:17 PM
Virtual Domain root
How do I figure out what the circumstances were around this potential exposure?
There's no URL here, no information about the file (name, extension, size), so the information appears to be not actionable (which makes it not useful).
I have URL logging disabled, both for personal privacy purposes (to respect the employees) and to reduce log storage.
Is it impossible to get more than blind limited protective value out of the FortiGate gateway based antivirus filtering if I don't enable URL logging?
I'm not familiar with the Zeus Virus, but from the log entry it looks like the computer at 192.168.32.20 made a connection to 126.96.36.199 on port 80 (HTTP), at 2:47 PM today (Dec 19). I would try checking the browser history on that computer for that time period and also perform some sort of (offline) virus scan on it.
Someone correct me here, but it seems the terms "Message File" and status "Sub Type infected" would indicate some sort of meta-data (parts of a web page or code) rather than an actual file.
I think it should read 'Message: "File is infected"', as per LMR. Fortiguard online rating for this ip provides some more history details and with a checksum of 0, unknown service, potentially a kind of 'detected' botnet connection?
@Dave Thanks. I agree with the analysis, and of course I could manually track it down at the possible source/exposure point.
What I'm hoping for is that the data gathered by the FortiGate itself would be more complete and actionable.
"This IP might have touched something icky" isn't very helpful, and as we all know security is icky enough and difficult enough to act upon without vague alerts :-(
Is there something else which I have to enable on my FortiGate in order for it to capture enough information for the alerts to be more informative and useful?
Or is this all FortiNet gives us (which would be very disappointing)?
@netmin Thanks also. Zeus is a botnet infector. One of the things which I don't clearly understand from this alert is:
Is my FortiGate telling me that it thinks *I'm* (that is, my internal IP 192.168.32.20 is) infected with Zeus, or that it thinks this internal IP has made a connection on which it detected something trying to push down a copy of Zeus to my internal IP?
Unfortunately there's too little information and maybe checking the browser history tells you already more.
Best case: a false positive (Flow based inspection?) or initial download attempt. Worst case is an infected system but you would potentially see more log entries too.
Here is some more information available: http://www.fortiguard.com/legacy/analysis/zeusanalysis.html
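The kind of triage LMR describes (same host, same destination, same time window) and the direction question raised above can be done from the logs the FortiGate already keeps, by joining the AV alert to the traffic log. The script below is an added example, not code from the thread or from Fortinet: it parses a "Field Value" entry in the layout the GUI showed (the "Src IP"/"Dst IP" field names and all sample rows are constructed for the example), finds the matching traffic sessions within two minutes, and reports whether the flow was an outbound request from a private address (so the flagged content was in the server's response, i.e. a download attempt) rather than evidence the client was already infected.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Field names as the GUI renders them, one "<multi-word field> <value>" per line.
# "Src IP" and "Dst IP" are assumed names for this example; the original entry only had "host".
FIELDS = ["Timestamp", "Src Interface", "Src IP", "Src Port", "Dst Interface",
          "Dst IP", "Dst Port", "Message", "Status Sub Type", "Policy ID"]

def parse_av_entry(text):
    """Split each line on the longest known field name, keep the remainder as the value."""
    entry = {}
    for line in text.strip().splitlines():
        key = max((f for f in FIELDS if line.startswith(f + " ")), key=len, default=None)
        if key:
            entry[key] = line[len(key) + 1:].strip()
    entry["time"] = datetime.strptime(entry["Timestamp"], "%m/%d/%Y %I:%M:%S %p")
    return entry

# Constructed AV alert (not the poster's), same layout as the GUI rendering.
AV_ALERT = """\
Timestamp 12/19/2013 2:45:17 PM
Src Interface internal2
Src IP 192.168.32.20
Src Port 54949
Dst Interface ISP-Colt
Dst IP 126.96.36.199
Dst Port 80
Message File is infected.
Status Sub Type infected
"""

# Constructed traffic-log rows: (start, src, sport, dst, dport, bytes sent, bytes received).
TRAFFIC = [
    (datetime(2013, 12, 19, 14, 45, 16), "192.168.32.20", 54949, "126.96.36.199", 80, 812, 204311),
    (datetime(2013, 12, 19, 14, 45, 16), "192.168.32.20", 54950, "126.96.36.199", 80, 790, 5122),
    (datetime(2013, 12, 19, 14, 30, 2),  "192.168.32.21", 40001, "126.96.36.199", 80, 600, 9000),
]

def correlate(alert, traffic, window=timedelta(seconds=120)):
    """Sessions matching the alert's src/dst/dport within +/- window, plus the flow direction.
    A private source talking to a public address on port 80 is an outbound HTTP request, so
    the infected file travelled in the response: a download attempt, not proof of infection."""
    hits = [t for t in traffic
            if t[1] == alert["Src IP"] and t[3] == alert["Dst IP"]
            and t[4] == int(alert["Dst Port"]) and abs(t[0] - alert["time"]) <= window]
    outbound = (ip_address(alert["Src IP"]).is_private
                and not ip_address(alert["Dst IP"]).is_private)
    exact = next((t for t in hits if t[2] == int(alert["Src Port"])), None)
    return {"direction": "outbound" if outbound else "inbound",
            "sessions": hits, "exact_session": exact}
```

The exact session's received-byte count (204 KB in the constructed row) is the size of whatever came back on that connection, which narrows the browser-history check to a single request.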