Compromised Hosts / DNS Servers
I'm poking around Compromised Hosts ... thus far, only my DNS servers are showing up
* Drilling in, I see uniformly that the Detect Method is 'infected-domain'
* What do other people do? Do you just live with all your DNS servers topping the Compromised Hosts display?
Seems to me that this is a hard problem. Yes, it is possible that malware living on the DNS servers is emitting DNS look-ups for malicious sites ... but ... more likely, the DNS servers are just forwarding requests from infected clients. And, from a narrow Fortigate / Fortianalyzer point of view, there isn't sufficient information to track down these clients. So ... I would expect to see all my DNS servers on the Compromised Hosts list 7x24 ... and this isn't actionable information.
Since I'm not going to do anything about these entries, I would like to remove them from the list. Is there a white-list feature? I haven't found it
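The post's point is that the firewall only sees the resolver as the source of an 'infected-domain' lookup, while the originating client is only visible in the resolver's own query log. Here is an added example (not from the original post, FortiGate or BIND) that joins the two log sources to attribute each alert back to the clients that asked the resolver for the same name shortly before; both log formats below are constructed simplifications, not the exact vendor syntax.

```python
import re
from datetime import datetime, timedelta

# Constructed firewall alerts: the internal resolver (10.0.0.53) is the only source visible.
FW_ALERTS = """\
2024-05-01T10:00:05 srcip=10.0.0.53 qname=bad.example detect=infected-domain
2024-05-01T10:02:10 srcip=10.0.0.53 qname=evil.test detect=infected-domain
2024-05-01T10:05:00 srcip=10.0.0.53 qname=c2.invalid detect=infected-domain
"""

# Constructed resolver query log (BIND-style): the real clients appear here.
RESOLVER_LOG = """\
2024-05-01T10:00:04 client 10.0.1.25#51234: query: bad.example IN A
2024-05-01T10:00:04 client 10.0.1.25#51235: query: www.example IN A
2024-05-01T10:02:09 client 10.0.2.40#40001: query: evil.test IN A
2024-05-01T10:30:00 client 10.0.3.7#40002: query: bad.example IN A
"""

FW_RE = re.compile(r"^(\S+) srcip=(\S+) qname=(\S+) detect=(\S+)$")
RES_RE = re.compile(r"^(\S+) client (\S+)#\d+: query: (\S+) IN \w+$")


def parse_alerts(text):
    """Return (timestamp, resolver_ip, domain) for each infected-domain alert."""
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m and m.group(4) == "infected-domain":
            out.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()))
    return out


def parse_resolver(text):
    """Return (timestamp, client_ip, domain) for each resolver query line."""
    out = []
    for line in text.splitlines():
        m = RES_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()))
    return out


def attribute(alerts, queries, window=timedelta(seconds=5)):
    """Map (domain, resolver_ip) -> sorted client IPs that queried that domain within
    `window` before the alert. An empty list means no client asked: the resolver
    itself (or its cache refresh) is then the likely origin and deserves a look."""
    result = {}
    for ts, resolver, qname in alerts:
        hits = {c for qts, c, q in queries if q == qname and ts - window <= qts <= ts}
        result[(qname, resolver)] = sorted(hits)
    return result
```

Running `attribute(parse_alerts(FW_ALERTS), parse_resolver(RESOLVER_LOG))` names the two clients behind the first two alerts and flags the third as unattributed; the 10:30 lookup falls outside the window and is correctly ignored.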