khoo
New Contributor

Antivirus keeps detecting unknown virus/botnet

We are using a 100D. Last week, out of the sudden, the antivirus kept detecting an unknown virus/botnet, which caused the firewall to block all internet access. We noticed the antivirus kept updating its definitions, so we changed the antivirus profile to monitor only. Now the antivirus update runs every 10 minutes, but the antivirus is still detecting "unknown". Is there any way to solve this issue?

digimetrica
New Contributor

I still have the ticket open and asked them to eventually check this thread (don't know if they do) :)

I just hope this thing keeps working, at least for the weekend.

 

I'll let you know on monday

Paul_S

digimetrica wrote:

I still have the ticket open and asked them to eventually check this thread (don't know if they do) :)

I just hope this thing keeps working, at least for the weekend.

 

I'll let you know on monday

 

The unofficial word is that this is most likely a bug. Hopefully they will corner the bug and fix it in 5.2.4, but if 5.2.4 enters the testing phase before they patch this, then we may have to wait longer for a patch.

 

My plan with my new cluster is to deploy (v5.2.3) in A-A with unit 0 set to weight 255 and unit 1 set to weight 1. Then, when the bug is patched, I will adjust the weights.

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+ [Did my post help you? Please rate my post.]
digimetrica
New Contributor

Same. It happened to me this morning.

The customer called very angry :)

 

So it appears the AV engine gets broken after 1-2 days.

 

Hoping for a quick fix.

 

Ok, their support acknowledges this is a bug that will be fixed in 5.2.4.

They suggest using A-P mode in the meantime.

Paul_S
Contributor

UPDATE 7-6-2015

 

I now have my new FG200D pair at my desk for deployment preparation, and I still have an open ticket (FG200B) regarding this issue (AV DB corruption on the slave unit when the cluster is active-active).

 

Original plan:

My plan was to keep following Fortinet support's direction on the FG200B to get this bug "caught", then to deploy the new cluster with the slave unit weighted to 1 and the master to 255, then wait for the bug fix in 5.2.4 (assuming it makes it into 5.2.4), deploy 5.2.4 to the new cluster, and change the weights to more normal values, 40/40 or 100/100.

 

New info from Fortinet Support:

Fortinet support just told me that this issue is affecting multiple customers, but not a majority of them, only a minority of clusters. They also said that they doubt the issue will happen on my new cluster, but that it was possible. They also mentioned that issue seems much more likely on older hardware than on newer hardware.

 

Support suggested that I format the entire boot device and reload the firmware. This implies that they suspect the issue is not a bug but some sort of bad/corrupt data that does not get purged during regular AV updates or during regular firmware updates.

 

New plan that I am considering:

Stop troubleshooting on the FG200B, deploy the FG200D pair in A-A mode with equal weights (40/40 or 100/100), see if the issue happens again, and pursue with support as needed.

 

 

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+ [Did my post help you? Please rate my post.]
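For readers who want to apply the two interim workarounds discussed in this thread (the 255/1 weighting in A-A, or falling back to A-P), here is an added FortiOS CLI fragment. It is an editor's illustration, not configuration posted by Paul_S, digimetrica or Fortinet support. The `config system ha` block, `set mode`, and `set weight <priority-id> <weight>` are from the FortiOS 5.x HA CLI; the exact weight-line form and the group name, password and heartbeat interface names are assumptions, so check them against `show system ha` on your own unit before pasting.

```text
# Interim option 1 (as described in the thread): stay in A-A, but make the
# master handle virtually all sessions so the slave's AV DB is exercised as
# little as possible. Priority-ID 0 is the master, 1 is the slave.
# group-name, password and hbdev are placeholders (assumed), not real values.
config system ha
    set group-name "fg-cluster"
    set mode a-a
    set password "change-me"
    set hbdev "port9" 50 "port10" 50
    set weight 0 255
    set weight 1 1
end

# Interim option 2 (what support suggested): drop to active-passive, so only
# the master inspects traffic and the slave just stands by.
config system ha
    set group-name "fg-cluster"
    set mode a-p
    set password "change-me"
    set hbdev "port9" 50 "port10" 50
end

# Once 5.2.4 (or whichever build carries the fix) is installed, return to
# balanced A-A weights, e.g. 40/40 as the poster planned.
config system ha
    set mode a-a
    set weight 0 40
    set weight 1 40
end
```

Two checks worth running after the change: `get system ha status` to confirm both members are in sync and which one is master, and `diagnose autoupdate versions` on each member to compare the AV engine and definition versions, since a slave whose AV DB version diverges from the master after a day or two is the symptom the thread is about.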