leonardo_ortiz
New Contributor

HTTP EVADER

Hello.

FortiGate can't pass the HTTP Evader tests from noxxi.de, using SSL Deep Inspection, AV, IPS etc. Running the latest FortiOS 5.6.

Is there any recommendation or best practice for attacks like this?

Test: https://noxxi.de/research/http-evader-testsite.html

Hosemacht
Contributor II

Hey there,

Yes, FortiOS 5.6 can pass this test.

Update to the latest 5.6 (5.6.5) and then you have to enable AV heuristics and, most important, use the extended IPS database, and then set Action to block in the security profiles.

If you use "default" instead of "block" in the IPS profile, the EICAR virus will not be blocked.

Run the test again.

sudo apt-get-rekt
OberonX

Hi, I followed the steps mentioned but I still don't pass the evader test. I'm running FortiOS version 6.0.8.

Hosemacht

Hey there,

Please have a look at your IPS logs: are there any EICAR virus test file messages, and are they blocked?

Regards

sudo apt-get-rekt
Hosemacht

Today I did another test from the HTTP Evader site; all eicar.zip files were blocked by our FortiGate along with other IPS attacks.

We're currently on FortiOS 6.0.7

Regards from the Alps

sudo apt-get-rekt
OberonX

Additionally, enable the options indicated in Antivirus:

Use Virus Outbreak Prevention Database

Use FortiSandbox Database

With this enabled it still appears as if it were evading, but the EICAR file is no longer downloaded; a text file is downloaded instead.

[image: attached screenshot]

Hosemacht

Your logs tell me that you are using the default IPS profile.

Please check if you enabled all signature severities and set the action to block.

Run the test again.

Regards

sudo apt-get-rekt
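For reference, the settings recommended in this thread (extended IPS database, AV heuristics, an IPS sensor with every severity enabled and action set to block rather than default, plus the two extra Antivirus databases from OberonX's post) expressed as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread or taken from Fortinet documentation: the object names "ips-block-all" and "av-strict" and policy id 1 are placeholders, and the `outbreak-prevention` and `analytics-db` lines are the assumed CLI form of the two Antivirus checkboxes, so check them against the CLI reference for the release you run (syntax differs between 5.6 and 6.0.x).

```fortios
# Added example, not from the thread. Placeholder names: "ips-block-all",
# "av-strict", firewall policy 1. Lines marked "assumed" should be verified
# against the CLI reference of your FortiOS release.

# 1. Use the extended IPS signature database instead of the regular one.
config ips global
    set database extended
end

# 2. Turn on AV heuristics and have them block, not just log.
config antivirus heuristic
    set mode block
end

# 3. IPS sensor that enables every severity and blocks. Using "default" here
#    leaves each signature's own action in place, which is what let the
#    EICAR test file through for the original poster.
config ips sensor
    edit "ips-block-all"
        config entries
            edit 1
                set severity info low medium high critical
                set status enable
                set action block
                set log enable
                set log-packet enable
            next
        end
    next
end

# 4. Antivirus profile with the Virus Outbreak Prevention and FortiSandbox
#    databases (assumed syntax for the two GUI checkboxes; verify per release).
config antivirus profile
    edit "av-strict"
        set analytics-db enable
        config http
            set options scan
            set outbreak-prevention full-archive
        end
    next
end

# 5. Apply both profiles, together with SSL deep inspection, on the outbound
#    policy that the test traffic actually traverses.
config firewall policy
    edit 1
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "av-strict"
        set ips-sensor "ips-block-all"
        set logtraffic all
    next
end
```

After re-running the test, confirm the result the way Hosemacht suggests rather than trusting the test page alone: the IPS and AntiVirus log categories should show the EICAR test file entries with a blocked action, and the browser should receive a replacement page instead of the file. As OberonX observed, the test site can still report an evasion in that case because it only sees that the expected EICAR bytes did not arrive unchanged, so the logs are the authoritative check.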