Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ali_Jassim
New Contributor III

Ransomware Infections Reported Worldwide WannaCry

Greetings to you

I would like to know how mach forticlient take to update their AV database!? now there as new ransomware called [size="3"]WannaCry hitting computers ! did forticlient update their AV signature ? to detect this attack ? [/size]

1 Solution
ede_pfau
SuperUser
SuperUser

Yes. FortuGuard reported this in a blog post dated May 12, 2017:

http://blog.fortinet.com/2017/05/12/protecting-your-organization-from-the-wcry-ransomware

 

Fortinet has published an IPS signature as well as an AV signature update to fight this virus.

BTW, this was the first hit on Google with "FortiGuard wannacry".

Ede Kernel panic: Aiee, killing interrupt handler!

View solution in original post

Ede Kernel panic: Aiee, killing interrupt handler!
5 REPLIES 5
ede_pfau
SuperUser
SuperUser

Yes. FortuGuard reported this in a blog post dated May 12, 2017:

http://blog.fortinet.com/2017/05/12/protecting-your-organization-from-the-wcry-ransomware

 

Fortinet has published an IPS signature as well as an AV signature update to fight this virus.

BTW, this was the first hit on Google with "FortiGuard wannacry".

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
tanr
Valued Contributor II

The IPS signature, MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution, has target type Server, even though the IPS description says this also effects Windows 7, 8, etc.  

See https://fortiguard.com/encyclopedia/ips/43796 for the description.

 

So the IPS signature won't automatically protect client systems if your IPS sensors' filters have Location: Clients.

 

I noticed that MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution is also listed under IPS "Rate Based Signatures" for each IPS sensor, though it is disabled.  Anybody know if you can set threshold and duration for a rate based signature so it blocks on the first one?

 

 

 

tanr
Valued Contributor II

Forgot to add, I just added the MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution, set to block, as a specific IPS signature for each of my IPS Windows client sensor profiles. 

 

simonpt
New Contributor III

@tanr: I also noticed that the IPS signature wasn't targeting clients.  I've done what you suggested and manually added it to our IPS client sensor profile.  It appears under Rate Based Signatures and is enabled by default with a threshold of zero, which hopefully means that it will block on the first attack.

Mutallib

Can someone list the manual IPS signature.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors