Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jay_Libove
Contributor

File is Infected, but, what file? Accessed how?

I just got this log entry under Log & Report -> Security Log -> AntiVirus:
Checksum 0 Date/Time 14:45:17 (1387464317) Details host: 66.96.160.153 Direction N/A Dst 66.96.160.153 Dst Interface ISP-Colt Dst Port 80 Identity Index 0 Level warning Log ID 8192 Message File is infected. Policy ID 30 Profile Name default Quarantine Skip No skip Reference http://www.fortinet.com/ve?vid=0 Sequence Number 118125701 Service UNKNOWN(255) Src 192.168.32.20 Src Interface internal2 Src Port 54949 Status Sub Type infected Submitted to FortiGuard Sandbox false Timestamp 12/19/2013 2:45:17 PM Virtual Domain root Virus Zeus
How do I figure out what were the circumstances around this potential exposure? There' s no URL here, no information about the file (name, extension, size), so the information appears to be not actionable (which makes it not useful). I have URL logging disabled, both for personal privacy purposes (to respect the employees) and to reduce log storage. Is it impossible to get more than blind limited protective value out of the FortiGate gateway based antivirus filtering if I don' t enable URL logging? thanks,
4 REPLIES 4
Dave_Hall
Honored Contributor

I' m not familiar with the Zeus Virus, but from the log entry it looks like the computer at 192.168.32.20 made a connection to 66.96.160.153 on port 80 (HTTP), at 2:47 PM today (Dec 19). I would try checking the browser history on that computer for that time period and also perform some sort of (offline) virus scan on it. Someone correct me here, but it seems the terms " Message File" and status " Sub Type infected" would indicated some sort of meta-data (parts of a web page or code) rather than an actual file.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
netmin
Contributor II

I think it should read ' Message: " File is infected" ' , as per LMR. Fortiguard online rating for this ip provides some more history details and with a checksum of 0, unknown service, potentially a kind of ' detected' botnet connection?
Jay_Libove
Contributor

@Dave Thanks. I agree with the analysis, and of course I could manually track it down at the possible source/exposure point. What I' m hoping for is that the data gathered by the FortiGate itself would be more complete and actionable. " This IP might have touched something icky" isn' t very helpful, and as we all know security is icky enough and difficult enough to act upon without vague alerts :-( Is there something else which I have to enable on my FortiGate in order for it to capture enough information for the alerts to be more informative and useful? Or is this all FortiNet gives us (which would be very disappointing)? @netmin Thanks also. Zeus is a botnet infector. One of the things which I don' t clearly understand from this alert is: Is my FortiGate telling me that it thinks *I' m* (that is, my internal IP 192.168.32.20 is) infected with Zeus, or that it thinks this internal IP has made a connection on which it detected something trying to push down a copy of Zeus to my internal IP? thanks all, -Jay
netmin
Contributor II

Unfortunately there' s too little information and maybe checking the browser history tells you already more. Best case: a false positive (Flow based inspection?) or initial download attempt. Worst case is an infected system but you would potentially see more log entries too. Here is some more information available: http://www.fortiguard.com/legacy/analysis/zeusanalysis.html
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors