
Fortianalyzer shows DC as compromised host


I have an internal domain DNS server on a domain controller, and FortiAnalyzer shows this host as compromised, with multiple attempts to websites flagged as Malware CnC, Spyware and Malware, infected-domain, Not Rated, and others.
First of all, all my servers have blocked internet access, and second, when I check Cached Lookups on my domain controller's DNS I can't find any of these domains from the FortiAnalyzer logs.
Could anyone explain to me how I could troubleshoot these attempts and their source?

Hello Tutek,


Do you also log to a Syslog server? Hopefully you will find some information there.


Also, can you check if all the logs are being forwarded from the firewall to the FortiAnalyzer, and check on the firewall whether you can find anything in its logs.

Let us know if that helps.


Hey Tutek,


If you check the compromised host details on FortiAnalyzer, by right-clicking you should be able to get to the underlying logs FortiAnalyzer received that made it reach the compromised verdict.

I would suggest checking traffic and/or security logs with the source IP of your domain controller to figure out if there is in fact any traffic going to the internet from your DCs. If there is such traffic, the logs should tell you which policy allows it; you can lock down the access and then figure out whether your domain controllers are actually compromised or not.

Hope this helps!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
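One way to do the log check suggested in the reply above, as an added example that is not from the forum reply or from Fortinet: a small Python script that parses FortiGate-style key=value log lines, keeps only those whose source IP is the domain controller, and groups the destinations (DNS query name, web hostname or destination IP) by policy ID and action, so you can see which policy let the traffic out. The log lines, IP addresses and domain names are constructed samples, not real logs or indicators.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value syslog style (not real logs).
SAMPLE_LOGS = """\
date=2024-05-01 time=10:01:02 type="traffic" subtype="forward" srcip=10.10.0.5 dstip=203.0.113.7 dstport=53 proto=17 policyid=12 action="accept" service="DNS"
date=2024-05-01 time=10:01:03 type="utm" subtype="dns" srcip=10.10.0.5 qname="cnc.bad-example.invalid" action="blocked" policyid=12 catdesc="Malware"
date=2024-05-01 time=10:01:09 type="utm" subtype="webfilter" srcip=10.10.0.22 hostname="news.example.com" action="passthrough" policyid=4 catdesc="News and Media"
date=2024-05-01 time=10:02:15 type="utm" subtype="dns" srcip=10.10.0.5 qname="spy.other-example.invalid" action="blocked" policyid=12 catdesc="Spyware and Malware"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Parse one FortiGate-style key=value line into a dict with quotes stripped."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def summarize_host(logs, srcip):
    """Return {(policyid, action): set(destinations)} for records sourced from srcip.

    The destination is the DNS query name (qname) or web hostname when present,
    otherwise the destination IP, so DNS-filter, web-filter and plain traffic
    logs all land in the same summary.
    """
    summary = defaultdict(set)
    for line in logs.splitlines():
        f = parse_line(line)
        if f.get("srcip") != srcip:
            continue
        dest = f.get("qname") or f.get("hostname") or f.get("dstip", "?")
        summary[(f.get("policyid", "?"), f.get("action", "?"))].add(dest)
    return dict(summary)


if __name__ == "__main__":
    dc_ip = "10.10.0.5"  # constructed: the domain controller's address
    for (policy, action), dests in sorted(summarize_host(SAMPLE_LOGS, dc_ip).items()):
        print(f"policyid={policy} action={action}: {', '.join(sorted(dests))}")
```

Point the script at a log export from the firewall or FortiAnalyzer instead of SAMPLE_LOGS; each policy ID that shows up with action accept is one to review, since the DC is not supposed to reach the internet at all.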
