Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mhe
Contributor II

Grayware

Hi! Does anyone know how the grayware protection in 2.8 works? I tried to download a BHO to a VirtualPC and nothing was blocked/logged. I never saw something like "grayware" in the logs... Regards from Switzerland, martin
UkWizard
New Contributor

What do you mean by a 'virtualpc'? The unit checks SMTP, FTP and HTTP traffic for files that have signatures matching known grayware files (same as the AV). So unless it was covered over those services, it won't be detected.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
mhe
Contributor II

VirtualPC is just a tool from Microsoft (like VMware). I don't want to install such a BHO on my PC... I downloaded this BHO by HTTP, but there's nothing in the logs, so I think that our FG hasn't detected it. Do I have to enable it somewhere? What actions are taken when grayware is detected? Has anyone ever detected grayware???? martin
Not applicable

Yes, I have. Grayware is logged (in purple) in the Anti-Virus logs. To enable Grayware go to: Anti-Virus->Config and then the Grayware-tab. Enable all categories you want to check for.
Not applicable

We have just started evaluating a demo unit, a 400A, and have enabled the Grayware option. It's fairly efficient and while it doesn't catch everything, it's definitely adding to my log file size. Looks as if I have well over 900 entries from just the two sites I filtered my log on... today's log.
Wayne11
Contributor

Hi Martin I have exactly the same probs. All graywares are activated but nothing will be blocked. I also never saw some grayware detections in the logs. Regards Marco p.s. also from Switzerland
Not applicable

It's been working great for me since 2.80 MR4. Take a peek at the screenshot below for an example from my logs of what you might see. The 4th entry from the top is an Adware entry. Hmmm... And I see I'm going to have to investigate what Mr. 192.168.1.97 is doing...
Wayne11

Great for you but my log looks like this
mhe
Contributor II

Hmm... Is this logged Adware using port 80? I have limited int -> ext to HTTP and HTTPS. Does your FG also block the download (ext -> int) of spyware (such as Hotbar)? regards martin
Not applicable

Is this logged Adware using port 80? I have limited int -> ext to HTTP and HTTPS.
Yes, the entry I have in my logs is HTTP. The A/V scanner only works on files though, not requests. So for example, if someone already has Hotbar installed on their system, it will not prevent Hotbar from communicating with its home servers. It might, however, prevent Hotbar from being updated or from downloading any new additions, since those would most likely come in file form. In order to prevent Hotbar communications, you need to make an entry in the Web Filter / URL Block section on your FGT for hotbar.com. Then add that filtering to the protection profile you're using for your Ext -> Int policy.
Does your FG also block the download (ext -> int) of spyware (such as Hotbar)?
Yes, the FG will block some spyware. Hotbar does not appear to be on their list for some reason. I'm not sure why....
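An added illustration of the distinction drawn in the reply above (example code written here, not from the thread, Fortinet, or the FortiGate firmware): a signature scan only sees transferred file content, so an already-installed program's outbound beacon with no file body is caught by a URL block entry, not by the AV scanner. The signature set, block list and proxy records are all constructed for the example.

```python
import hashlib
from urllib.parse import urlparse

# Constructed grayware signature set: SHA-256 of known-bad file content.
# The hash is derived from constructed sample bytes so the example runs offline.
GRAYWARE_FILE_SIGS = {
    hashlib.sha256(b"HOTBAR-INSTALLER-SAMPLE").hexdigest(): "Adware/Hotbar-installer",
}

# Constructed URL block list, the equivalent of the Web Filter / URL Block entry.
URL_BLOCK_LIST = {"hotbar.com"}

# Constructed proxy records: (client_ip, method, url, response_body_bytes)
SAMPLE_TRAFFIC = [
    ("192.168.1.97", "GET", "http://downloads.example.test/setup.exe", b"HOTBAR-INSTALLER-SAMPLE"),
    ("192.168.1.97", "GET", "http://ads.hotbar.com/beacon?id=123", b""),   # beacon, no file
    ("192.168.1.50", "GET", "http://intranet.example.test/index.html", b"<html>ok</html>"),
]

def file_scan(body: bytes):
    """Signature scan of a transferred file; returns the grayware name or None."""
    if not body:          # a bare request or empty response carries nothing to scan
        return None
    return GRAYWARE_FILE_SIGS.get(hashlib.sha256(body).hexdigest())

def url_blocked(url: str) -> bool:
    """True when the request host is, or is a subdomain of, a blocked domain."""
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in URL_BLOCK_LIST)

def classify(record):
    """Apply both controls to one record and return (client, url, verdicts)."""
    client, _method, url, body = record
    verdicts = []
    sig = file_scan(body)
    if sig:
        verdicts.append(f"av-grayware:{sig}")
    if url_blocked(url):
        verdicts.append("urlblock")
    return (client, url, verdicts or ["allowed"])

def classify_all(records=SAMPLE_TRAFFIC):
    return [classify(r) for r in records]

if __name__ == "__main__":
    for client, url, verdicts in classify_all():
        print(client, url, ",".join(verdicts))
```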