Hello Team,
We have an alert generated about an malicious file 642226271.ico located from user machine. The File path says like C:\Program Files\Fortinet\FortiClient\SoftwareInventory\642226271.ico
Need to know how this file got into the file path which has malicious reputation. User has not downloaded or tried to modify the file.
Are you using Forticlient EMS? Because there is a current EMS vulnerability(https://www.fortiguard.com/psirt/FG-IR-24-007) that is affecting EMS versions: **7.0.1 through 7.0.10** & **7.2.0 through 7.2.2**. Please ensure your EMS is up-to-date (7.2.3+ or 7.0.11+). For EMS on premise please take a EMS VM snapshot before running the upgrade. If your EMS server is already up-to-date this message can be ignore.
Make sure that Forticlient is running on updated version.
This looks like a false positive alert, FCT will collect in this path the icons of the installed software in the system. I see that you have already created a ticket with TAC support; you will receive more details in the ticket.
Usually it's users downloading garbage, but if it's on startup, RTR in and check the Run and RunOnce reg entries (youll have to getsid and "reg query HKU\[SID]\path\to\Run). Key may be there and may give you an idea. Could Investigate the machine for Powershell commands and scheduled tasks, and check the users AppData (assuming it's running as a user, usually is these days). Hope that helps.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.