Some more words on this one: FTNT has several modules for Botnet / C2 Detection and Prevention:
Botnet IP Database
Botnet Domain Database
IPS Botnet Signatures
Webfilter Category Malicious Websites
Application Control Botnet (up to FortiOS 5.4)
I raised a ticket about the Botnet IP / Domain Database not being up to date with the known Emotet infrastructure:
"[...] The Emotet Infrastructure is back online today (https://twitter.com/certb...s/1164803474497761286) https://paste.cryptolaemu...are-IoCs_06-21-19.html
We have checked the known list of Emotet C2 IPs against the list of Fortiguard Botnet IPs.
It seems that none of these known C2 IPs of Emotet are used within the Fortiguard Botnet Database. [...]"
FTNT support referred to the Fortiguard Team - https://fortiguard.com/faq/generalcontact - but there was no reply.
I called the support again, but it did not work out. TAC asks about providing a sample and is not helpful in explaining the FTNT best practice for detection of infected clients. It seems that support is not aware of a high-level approach.
My experience is:
1/ Botnet IP DB and Botnet Domain DB are not maintained and not kept up to date for current threats such as Emotet. That's really bad because the protection is easy to deploy interface-based.
2/ The IPS botnet signatures are quite good (e.g. Emotet.Cridex) but the implementation is really bad, because of the missing category and the ambiguity of botnet signatures in IPS context. (IPS was designed to protect a client or server from being exploited - the botnet signatures are indicators of a client who has been compromised)
3/ The Webfilter Malicious Websites is the most important module used by fortinet to prevent malware staging such as Emotet. A lot of the Emotet IOCs are categorized as malicious websites. e.g. https://fortiguard.com/search?q=http%3A%2F%2Fnekobiz.ikie3.com%2Fwp-includes%2F2w52077%2F&engine=1
We have set up FGT-Webfilter and block security risk websites (Malicious, Phishing, SPAM URLs) for all outbound internet traffic. If you rely on the Botnet DB only you miss a lot of potential.
The drawback of Webfilter is: there are so many false positives in security risk websites. Re-evaluation is done by a specialised team only on request https://fortiguard.com/faq/malurl
We do have several 'rating errors' on high traffic load which result in missing detections of malicious websites.
We have an open support ticket on this issue as well...
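The coverage check the post describes (comparing a published C2 indicator list against the vendor's botnet IP feed and listing what the feed misses) can be scripted so it is repeatable every time the feed updates. This is an added example, not the poster's script or any Fortinet tool; both input lists are constructed here with RFC 5737 documentation addresses, and the feed is assumed to be a plain one-IP-per-line export.

```python
"""Coverage check of a C2 indicator list against a botnet IP feed.

Added example; not the poster's code or a Fortinet tool. Both lists below are
constructed with RFC 5737 documentation addresses, not real indicators.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed IoC list in the mixed forms such paste feeds commonly use:
# bare IP, ip:port, and full URLs (the host is what the botnet IP DB would hold).
EMOTET_IOCS = """
# Emotet C2 (constructed sample)
192.0.2.10:8080
198.51.100.7:443
http://203.0.113.5/wp-includes/x/
https://203.0.113.9:7080/
192.0.2.10:443
"""

# Constructed "botnet IP database" as exported from the firewall, one IP per line.
BOTNET_DB = """
192.0.2.10
203.0.113.5
10.0.0.1
"""


def parse_c2_ips(text):
    """Extract the IPv4 host from 'ip', 'ip:port' and URL forms; return a set."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host = urlparse(line).hostname if "://" in line else line.split(":")[0]
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            continue  # hostnames belong to the domain DB check, not this one
    return ips


def coverage_gap(iocs_text, db_text):
    """Return (missing, covered): C2 IPs absent from / present in the botnet DB."""
    c2 = parse_c2_ips(iocs_text)
    db = parse_c2_ips(db_text)
    return c2 - db, c2 & db


if __name__ == "__main__":
    missing, covered = coverage_gap(EMOTET_IOCS, BOTNET_DB)
    total = len(missing) + len(covered)
    print(f"covered {len(covered)}/{total}; missing from botnet DB: {sorted(missing)}")
```

The `missing` set is the list to attach to a vendor ticket; running the same check against the IPS signature hits and the webfilter ratings for the URL forms shows which of the modules listed above actually covers each indicator.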