HTTP EVADER

leonardo_ortiz · ‎08-07-2018

Hello.

Fortigate can't pass in http evader tests from noxxi.de, using SSL Deep Inspection, AV, IPS etc. Running last FortiOS 5.6.

Have some recommendation or best pratice for attacks like this?

Test: https://noxxi.de/research/http-evader-testsite.html

Hosemacht · ‎08-07-2018

Hey there,

yes fortios 5.6 can pass this test.

update to the latest 5.6 (5.6.5) and then

you have to enable av heuristics and most important use the extendet ips database and then set Action to block

in the security profiles.

if you use "default" instead of "block" in the ips profile, the eicar Virus will not be blocked.

run the test again

sudo apt-get-rekt

OberonX · ‎01-09-2020

Hi, I followed the steps mentioned but I still don't pass the evader test, I´m running FortiOS 6.0.8 version

Hosemacht · ‎01-09-2020

Hey there,

please have a look at you ips logs, are there any eicar virus test file messages and are they blocked?

Regards

sudo apt-get-rekt

Hosemacht · ‎01-10-2020

today i did another test from the http evader site, all eicar.zip files were blocked by our fortigate alongside

with other ips attacks.

We're currently on FortiOS 6.0.7

Regards from the Alps

sudo apt-get-rekt

OberonX · ‎01-10-2020

Additionally enable the option indicated in Antivirus the option of

Use Virus Outbreak Prevention Database

Use FortiSandbox Database

With this enabled it still appears as if it were evading but the EICAR file is no longer downloaded but a text file

[image]https://forum.fortinet.com/[/image]

Hosemacht · ‎01-14-2020

Your logs tell me that you are using the default ips profile.

please check if you enabled all signature severenitys and set the action to block.

run the test again.

Regards

sudo apt-get-rekt