FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 196319

Description

The Conficker worm is unusual in that it does not use the standard ports that FortiGate antivirus can scan. Conficker propagates through a network over NetBIOS and IPC ports (137-139 and 445). It exploits a vulnerability in the Windows Server service (MS08-067) to compromise a station and install itself on it.

Because of this behaviour, only IPS signatures (with a custom override where the default action is not 'drop') can be used to stop it.

The following articles contain more information about this particular virus:


Solution

Protection against this worm can be achieved by blocking the affected ports. If these ports cannot be blocked (and most probably an administrator will not be able to block 137-139 and 445 on the LAN), not much can be done on the FortiGate to prevent worm propagation. FortiGate antivirus scans HTTP/FTP/SMTP/POP3/IMAP/IM/NNTP traffic, but Conficker uses completely different services to infect and propagate.

Blocking NetBIOS and IPC between VLANs and then patching and cleaning infected machines is another way to protect a network. This is basically equivalent to shutting down all clients and then starting them one by one, cleaning and patching each before powering up the next station. This is a lot of work and cannot guarantee that the worm is not lying dormant and ready to spread again.

The following steps illustrate how to use FortiOS IPS and IPS signatures to stop this worm from spreading through a network.
The FortiGate has an IPS signature named 'MS.DCERPC.NETAPI32.Buffer.Overflow' for the MS08-067 vulnerability that all Conficker variants use to propagate.

In order to stop this worm from entering or propagating through a network:
1.  A protection profile must be enabled in the firewall policies that carry the traffic.

2.  In the selected protection profile, enable IPS.

3.  Ensure that the action for the signature 'MS.DCERPC.NETAPI32.Buffer.Overflow' is set to drop.



To change an IPS signature's default action:

1. FortiOS v3.0
To change IPS signature behaviour, edit the IPS sensor (Intrusion Protection > IPS sensor > edit ... sensor).

Add predefined override > Choose the required signature > Set it to enable > and change the action as needed.

2. FortiOS v4.0
To change IPS signature behaviour, edit the IPS sensor (UTM > IPS sensor > edit ... sensor).

Add predefined override > Choose the required signature > Set it to enable > and change the action as needed.
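Once the override above is in place, the IPS log is the quickest way to confirm it is actually dropping (not merely detecting) propagation attempts on the NetBIOS/IPC ports, and to see which stations are generating them. The script below is an added example, not part of this article or of FortiOS; it parses constructed sample lines in the FortiGate key=value log style (the field names `attack`, `srcip`, `dstip`, `dstport`, `action` are assumed to match the IPS log of the unit in use).

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value log style (not from a real unit).
SAMPLE_LOGS = """\
date=2009-03-10 time=10:01:02 type=ips subtype=signature severity=critical attack="MS.DCERPC.NETAPI32.Buffer.Overflow" srcip=10.0.1.23 dstip=10.0.2.40 dstport=445 proto=6 action=dropped
date=2009-03-10 time=10:01:05 type=ips subtype=signature severity=critical attack="MS.DCERPC.NETAPI32.Buffer.Overflow" srcip=10.0.1.23 dstip=10.0.2.41 dstport=445 proto=6 action=detected
date=2009-03-10 time=10:01:09 type=ips subtype=signature severity=critical attack="MS.DCERPC.NETAPI32.Buffer.Overflow" srcip=10.0.1.77 dstip=10.0.2.42 dstport=139 proto=6 action=detected
date=2009-03-10 time=10:02:00 type=ips subtype=signature severity=low attack="Some.Other.Signature" srcip=10.0.1.5 dstip=10.0.2.9 dstport=80 proto=6 action=dropped
"""

CONFICKER_SIG = "MS.DCERPC.NETAPI32.Buffer.Overflow"
SMB_PORTS = {137, 138, 139, 445}          # NetBIOS and IPC ports named in the article
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def audit(log_text):
    """Return (Counter of source IPs that hit the Conficker signature on
    NetBIOS/IPC ports, number of those hits whose action was not 'dropped')."""
    sources = Counter()
    not_dropped = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("type") != "ips" or ev.get("attack") != CONFICKER_SIG:
            continue
        if int(ev.get("dstport", 0)) not in SMB_PORTS:
            continue
        sources[ev["srcip"]] += 1
        if ev.get("action") != "dropped":
            # Signature fired but traffic passed: the override is not set to drop
            not_dropped += 1
    return sources, not_dropped


if __name__ == "__main__":
    hosts, leaks = audit(SAMPLE_LOGS)
    for ip, n in hosts.most_common():
        print(f"{ip}: {n} propagation attempt(s) seen")   # candidates for cleaning
    if leaks:
        print(f"{leaks} hit(s) were not dropped: check the signature action override")
```

Any source listed is a station to isolate, clean and patch; a non-zero "not dropped" count means the override described above is still missing or set to pass.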


Related Articles

How do I use Protection Profiles to scan for viruses?
