Greetings to you
I would like to know how mach forticlient take to update their AV database!? now there as new ransomware called [size="3"]WannaCry hitting computers ! did forticlient update their AV signature ? to detect this attack ? [/size]
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Yes. FortuGuard reported this in a blog post dated May 12, 2017:
http://blog.fortinet.com/2017/05/12/protecting-your-organization-from-the-wcry-ransomware
Fortinet has published an IPS signature as well as an AV signature update to fight this virus.
BTW, this was the first hit on Google with "FortiGuard wannacry".
Yes. FortuGuard reported this in a blog post dated May 12, 2017:
http://blog.fortinet.com/2017/05/12/protecting-your-organization-from-the-wcry-ransomware
Fortinet has published an IPS signature as well as an AV signature update to fight this virus.
BTW, this was the first hit on Google with "FortiGuard wannacry".
The IPS signature, MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution, has target type Server, even though the IPS description says this also effects Windows 7, 8, etc.
See https://fortiguard.com/encyclopedia/ips/43796 for the description.
So the IPS signature won't automatically protect client systems if your IPS sensors' filters have Location: Clients.
I noticed that MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution is also listed under IPS "Rate Based Signatures" for each IPS sensor, though it is disabled. Anybody know if you can set threshold and duration for a rate based signature so it blocks on the first one?
Forgot to add, I just added the MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution, set to block, as a specific IPS signature for each of my IPS Windows client sensor profiles.
@tanr: I also noticed that the IPS signature wasn't targeting clients. I've done what you suggested and manually added it to our IPS client sensor profile. It appears under Rate Based Signatures and is enabled by default with a threshold of zero, which hopefully means that it will block on the first attack.
Can someone list the manual IPS signature.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.