FortiSandbox – Malware detection report

Hi all

I'll show you an example of what a report looks like.

Let's use a file detected as a trojan:

This file was initially detected by my FortiSandbox before AV and VT detected it.

Let's see what that file does on an XP VM:

Screenshot 2015-12-27 at 18:41:30

First you can see that it does a lot of things on the filesystem and in the registry. This is a bit hard to interpret at the beginning.

But this one is also interesting: hxxp://

You can use Automater from TekDefense or VT to look up the URL:


____________________ Results found for: ____________________
[+] Fortinet URL Category: Malicious Websites
No results found in the Un Redirect
[+] IP from URLVoid:
[+] Blacklist from URLVoid: No results found
[+] Domain Age from URLVoid: 2015-12-14 (14 days ago)
[+] Geo Coordinates from URLVoid: 52.35 / 4.9167
[+] Country from URLVoid: (NL) Netherlands
[+] pDNS data from VirusTotal: No results found
[+] pDNS malicious URLs from VirusTotal: No results found
[+] Malc0de Date: No results found
[+] Malc0de IP: No results found
[+] Malc0de Country: No results found
[+] Malc0de ASN: No results found
[+] Malc0de ASN Name: No results found
[+] Malc0de MD5: No results found
No results found in the THIP
[+] McAfee Web Risk: High
[+] McAfee Web Category: Malicious Downloads
[+] McAfee Last Seen: 2015-12-27


To close the circle….

With FortiSandbox you now know a lot before AV detects this malicious file and its variants:

  • you can block "" on your proxy or web filter
  • you can check logs for other files with the same name
  • you can check proxy logs to see whether anyone is still connecting to this malicious website
  • you can report it to VT and/or the FortiGuard team
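To make the last three bullets concrete, here is an added example (my code, not part of the original post and not FortiSandbox output) that scans FortiGate-style webfilter log lines for the malicious host and for the dropped file's name, then reports which source IPs touched them and which ones are not blocked yet. The host name, the file name and the log lines are constructed for the example, because the post redacts the real ones.

```python
import re
from collections import defaultdict

# Hypothetical indicators standing in for the redacted values in the report
BAD_HOST = "malicious.example"        # host from the hxxp:// URL (assumed)
BAD_FILENAME = "invoice_2015.exe"     # dropped file name (assumed)

# Constructed FortiGate-style webfilter log lines, not real data
SAMPLE_LOGS = [
    'date=2015-12-27 time=18:40:01 srcip=10.1.1.23 dstip=203.0.113.10 hostname="malicious.example" url="/dl/invoice_2015.exe" action=passthrough',
    'date=2015-12-27 time=18:40:05 srcip=10.1.1.23 dstip=203.0.113.10 hostname="malicious.example" url="/gate.php" action=passthrough',
    'date=2015-12-27 time=18:42:11 srcip=10.1.1.77 dstip=198.51.100.5 hostname="update.example" url="/invoice_2015.exe" action=passthrough',
    'date=2015-12-27 time=18:43:40 srcip=10.1.1.90 dstip=203.0.113.10 hostname="malicious.example" url="/gate.php" action=blocked',
]

# key=value pairs; values may be double-quoted and contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_ioc_hits(lines, bad_host, bad_filename):
    """Return (host_hits, file_hits).

    host_hits: srcip -> timestamps of requests to the malicious host.
    file_hits: srcip -> timestamps of downloads of the file name from any host
               (the "other files with the same name" check).
    """
    host_hits = defaultdict(list)
    file_hits = defaultdict(list)
    for line in lines:
        rec = parse_kv(line)
        src = rec.get("srcip")
        if not src:
            continue
        stamp = f"{rec.get('date')} {rec.get('time')} action={rec.get('action')}"
        if rec.get("hostname", "").lower() == bad_host.lower():
            host_hits[src].append(stamp)
        # last path component of the URL is the requested file name
        if rec.get("url", "").rsplit("/", 1)[-1].lower() == bad_filename.lower():
            file_hits[src].append(stamp)
    return dict(host_hits), dict(file_hits)


def still_connecting(lines, bad_host):
    """Source IPs whose most recent contact with the host was not blocked.

    These are the hosts that still need cleanup after the block rule is in place.
    """
    last_action = {}
    for line in lines:  # lines are in chronological order
        rec = parse_kv(line)
        if rec.get("hostname", "").lower() == bad_host.lower() and rec.get("srcip"):
            last_action[rec["srcip"]] = rec.get("action")
    return sorted(ip for ip, action in last_action.items() if action != "blocked")


if __name__ == "__main__":
    hosts, files = find_ioc_hits(SAMPLE_LOGS, BAD_HOST, BAD_FILENAME)
    print("talked to host :", hosts)
    print("fetched file   :", files)
    print("not yet blocked:", still_connecting(SAMPLE_LOGS, BAD_HOST))
```

The file-name check deliberately ignores the host, because a second-stage download of the same sample from another site is exactly what the "same name" bullet is after.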


FortiSandox – What’s that

Hi all

FortiSandbox is another piece in the malware-fighting circle.

It closes the gap between a new malicious file going undetected and a matching AV signature becoming available.

See Wiki:

Some of you already know Cuckoo Sandbox -

FortiSandbox comes as an appliance with all the needed features and licenses included.

But let us dive into how it works….

FortiGate – CLI commands to identify who is consuming your bandwidth

Hi all

I was searching for a quick solution to identify what's happening on the firewall when users report very poor performance or ping responses for common websites grow to hundreds of milliseconds.

Perhaps it's a DDoS, clients/users doing wrong things, or just a misconfigured update service.

To identify what's happening, you need to connect to the CLI.

First clear the application statistics, so that the counters only reflect what is consuming your bandwidth right now:

diagnose stats app-stat-clear

Now find out which application is the one consuming your bandwidth; wait a minute to gather statistics, then run:

diagnose stats app-bandwidth

app="SSL" appid=15895 total-sessions=59 bps=404657 bytes=404657
app="Twitter" appid=16001 total-sessions=2 bps=137956 bytes=137956
app="HTTP.BROWSER" appid=15893 total-sessions=50 bps=45220 bytes=45220
app="iCloud" appid=29880 total-sessions=2 bps=21911 bytes=21911
app="HTTP.BROWSER_Firefox" appid=34050 total-sessions=2 bps=4737 bytes=4737

This command lists the applications currently crossing your firewall, highest bandwidth first. The first one is probably the interesting one. For further analysis you need the following command:

diagnose stats app-usage-ip <applicationID or Name>

diagnose stats app-usage-ip HTTP.BROWSER

app="HTTP.BROWSER" total-usage=45220 total-sessions=50

ip="" total-sessions=16 bytes=14128
ip="" total-sessions=15 bytes=13417
ip="" total-sessions=12 bytes=10776
ip="" total-sessions=6 bytes=5298
ip="" total-sessions=1 bytes=1601

You now have a list of the source addresses using this application, sorted by bytes. That identifies the bandwidth consumers.

If you want more details about the sessions, filter the session list by the source IP:

diagnose sys session filter clear

diagnose sys session filter src <src ip>

diagnose sys session filter src

diagnose sys session list

You now get a list of all sessions from this source IP.

For me it's a good way to quickly find which applications are crossing the firewall and consuming your bandwidth.
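As an added example (my code, not from the post or from Fortinet), here is a small Python parser for the two `diagnose stats` outputs above: it ranks the applications by bps and the sources by bytes, and computes each source's share of the application's total usage, which is handy when the output is long or collected from several firewalls. The app-bandwidth text is the post's own output; the source IPs in the app-usage-ip text are constructed, because the post removed them.

```python
import re

# `diagnose stats app-bandwidth` output as shown in the post
APP_BANDWIDTH = """\
app="SSL" appid=15895 total-sessions=59 bps=404657 bytes=404657
app="Twitter" appid=16001 total-sessions=2 bps=137956 bytes=137956
app="HTTP.BROWSER" appid=15893 total-sessions=50 bps=45220 bytes=45220
app="iCloud" appid=29880 total-sessions=2 bps=21911 bytes=21911
app="HTTP.BROWSER_Firefox" appid=34050 total-sessions=2 bps=4737 bytes=4737
"""

# `diagnose stats app-usage-ip HTTP.BROWSER` output; the byte counts are the
# post's, the source IPs are constructed (the post blanked them out)
APP_USAGE_IP = """\
app="HTTP.BROWSER" total-usage=45220 total-sessions=50

ip="10.1.1.23" total-sessions=16 bytes=14128
ip="10.1.1.77" total-sessions=15 bytes=13417
ip="10.1.1.90" total-sessions=12 bytes=10776
ip="10.1.1.12" total-sessions=6 bytes=5298
ip="10.1.1.5" total-sessions=1 bytes=1601
"""

# key=value tokens; keys may contain '-', values may be double-quoted
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_records(text):
    """One dict per non-empty line; numeric values become ints."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {}
        for key, value in KV_RE.findall(line):
            value = value.strip('"')
            rec[key] = int(value) if value.isdigit() else value
        records.append(rec)
    return records


def top_apps(text, n=3):
    """[(app, bps, sessions)] sorted by bps, highest first."""
    apps = [r for r in parse_records(text) if "app" in r and "bps" in r]
    apps.sort(key=lambda r: r["bps"], reverse=True)
    return [(r["app"], r["bps"], r["total-sessions"]) for r in apps[:n]]


def top_sources(text, n=3):
    """[(ip, bytes, percent_of_app_total)] sorted by bytes, highest first.

    The first record of app-usage-ip output is the per-app header carrying
    total-usage, which gives the denominator for the percentage.
    """
    records = parse_records(text)
    header = next(r for r in records if "app" in r)
    sources = [r for r in records if "ip" in r]
    sources.sort(key=lambda r: r["bytes"], reverse=True)
    total = header["total-usage"]
    return [(r["ip"], r["bytes"], round(100 * r["bytes"] / total, 1)) for r in sources[:n]]


def usage_accounted_for(text):
    """True when the per-source byte counts add up to the header's total-usage."""
    records = parse_records(text)
    header = next(r for r in records if "app" in r)
    return sum(r["bytes"] for r in records if "ip" in r) == header["total-usage"]


if __name__ == "__main__":
    for app, bps, sessions in top_apps(APP_BANDWIDTH):
        print(f"{app:<24} {bps:>8} bps  {sessions:>3} sessions")
    for ip, nbytes, pct in top_sources(APP_USAGE_IP):
        print(f"{ip:<12} {nbytes:>6} bytes  {pct:>5}%")
    print("bytes account for total-usage:", usage_accounted_for(APP_USAGE_IP))
```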

FortiGate – IPS for #regin C&C IP


For those who don't have a FortiAnalyzer to track traffic to known #regin C&C servers, here is a custom IPS signature for your FortiGate firewall.
Please only use the "detect" action (not block) for this custom IPS, and test it before using it in production!

F-SBID( --attack_id 1003; --name "Regin.C.C.IP.custom"; --protocol tcp; --dst_addr [,,,]; )

Thanks to @Kaspersky for the detailed analysis.

Have fun!

FortiAnalyzer – Event Handler for #regin


Because of the big hype about #regin I built a FortiAnalyzer Event Handler to track sessions to known regin C&C servers (I know they will change…).

Here is a sample (thanks to @kaspersky for the detailed analysis):

Name: Abuse – Regin CC

Log Type: Traffic Log

Event Category: Others

Log messages that match: All

Primary Filter: Status – Not Equal To – Deny

Generic Text Filter:

or dstip==
or dstip==
or dstip==

Notification: Configure your prefered notifications

With this Event Handler you get an event alert as soon as any communication is established to one of the C&C servers.

Have fun.

FortiAnalyzer – Advanced Traffic Events for abuse traffic

I was looking for a quick method to get alerted if clients access some bad IP addresses.
This should only be a monitoring and alerting solution, not a blocking/protecting one.

To realize this requirement I came across "Event Monitoring" on my FortiAnalyzer.

It's very simple to add a quick monitor that alerts you when clients access bad IPs.

How it works:

– In FortiAnalyzer, under "Event Management" you will find "Event Handler".

– Create a new handler, for example "Abuse – Test".

Screenshot 2014-11-03 at 21:11:58

You need to configure a filter: choose "Status Not Equal To DENY" and make sure "Log messages that match" is set to "ALL".

This setup alone generates an alert for every connection that is not blocked. To alert only on the bad IPs, add a Generic Text Filter.

In our case:

(dstip==badip1 or dstip==badip2)

On the Notification tab you can now configure syslog or email alerts for this specific event handler.

With a bit of luck you can build your own tracker for bad IP lists and keep the filter up to date from it.

For example you can use from Tracker. (Thanks to for your work!)


After this you get an event whenever a client connects to a bad IP.

Have fun.
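The regin IPS signature, the regin Event Handler and the handler in this post are all built from the same kind of bad-IP list. As an added example (my code, not Fortinet's and not from the posts), the Python below validates and de-duplicates such a list, emits both the Generic Text Filter string and the F-SBID line in the layouts shown in the posts, and mirrors the handler's logic (Status not equal to Deny, and dstip in the list) against a few constructed traffic records. The IP addresses are documentation ranges, not real C&C addresses, and the traffic records are made up for the example.

```python
import ipaddress
import re

# Constructed bad-IP list (RFC 5737 documentation addresses), with a duplicate
# and a junk entry to show the cleanup step; not real regin indicators
CC_IPS = ["203.0.113.10", "198.51.100.20", "203.0.113.10", "192.0.2.30", "not-an-ip"]

# Constructed traffic-log records with only the fields the handler looks at
SAMPLE_TRAFFIC = [
    {"srcip": "10.1.1.23", "dstip": "203.0.113.10", "status": "accept"},
    {"srcip": "10.1.1.23", "dstip": "203.0.113.10", "status": "deny"},
    {"srcip": "10.1.1.77", "dstip": "198.51.100.77", "status": "accept"},
    {"srcip": "10.1.1.90", "dstip": "192.0.2.30", "status": "close"},
]


def clean_ips(raw_ips):
    """Validate, de-duplicate and sort an IPv4 list; returns (good, rejected)."""
    good, rejected = set(), []
    for raw in raw_ips:
        raw = raw.strip()
        try:
            good.add(str(ipaddress.IPv4Address(raw)))
        except ValueError:
            rejected.append(raw)
    return sorted(good, key=ipaddress.IPv4Address), rejected


def generic_text_filter(raw_ips, field="dstip"):
    """Generic Text Filter in the form used in the post: (dstip==a or dstip==b)."""
    good, _ = clean_ips(raw_ips)
    if not good:
        raise ValueError("no valid IP addresses; an empty filter would alert on everything")
    return "(" + " or ".join(f"{field}=={ip}" for ip in good) + ")"


def fsbid_signature(attack_id, name, raw_ips, protocol="tcp"):
    """Custom IPS signature laid out like the Regin.C.C.IP.custom one in the post."""
    good, _ = clean_ips(raw_ips)
    if not good:
        raise ValueError("no valid IP addresses")
    if not re.fullmatch(r"[A-Za-z0-9._]+", name):
        raise ValueError("signature name should be letters, digits, dots and underscores")
    return (f'F-SBID( --attack_id {attack_id}; --name "{name}"; --protocol {protocol}; '
            f'--dst_addr [{",".join(good)}]; )')


def would_alert(record, raw_ips):
    """Mirror the handler: primary filter Status != Deny AND dstip in the list."""
    good, _ = clean_ips(raw_ips)
    return record.get("status", "").lower() != "deny" and record.get("dstip") in set(good)


def alerting_sources(records, raw_ips):
    """Source IPs that would raise an event, in log order, without duplicates."""
    seen = []
    for rec in records:
        if would_alert(rec, raw_ips) and rec["srcip"] not in seen:
            seen.append(rec["srcip"])
    return seen


if __name__ == "__main__":
    good, rejected = clean_ips(CC_IPS)
    print("rejected entries:", rejected)
    print(generic_text_filter(CC_IPS))
    print(fsbid_signature(1003, "Regin.C.C.IP.custom", CC_IPS))
    print("would alert for:", alerting_sources(SAMPLE_TRAFFIC, CC_IPS))
```

Rejecting junk entries before building the filter matters: one malformed token in a hand-edited list silently breaks the whole `or` chain, and a filter that ends up empty alerts on every non-denied session.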

Generate netsh Script with powershell

Today we had to create up to 50 DHCP scopes to implement the VLAN concept with 802.1X network authorization.

Doing this job by hand isn't easy, so I wrote a PowerShell script that generates a netsh script from a .csv file.

## SCRIPT.........: Create-Scope.ps1
## AUTHOR.........: sirhartmann
## EMAIL..........:
## VERSION........: 1
## DATE...........: 2013.02.04
## DESCRIPTION....: Creates a CMD file to create numerous DHCP scopes
## NOTES..........: Requires CSV file with these fields: "SCOPER","MASK","NAME","DESC","ROUTER","STARTIP1","ENDIP1","STARTIP2","ENDIP2","DNSSUFFIX","BROADCAST"

# IP address of DHCP servers (scope ranges are split: STARTIP1-ENDIP1 on server 1, STARTIP2-ENDIP2 on server 2)
$DHCPServer1 = ""
$DHCPServer2 = ""

# IP address of DNS servers
$DNS1 = ""
$DNS2 = ""

# Name of output batch file
$outputfile1 = "D:\DHCPscopes.cmd"

# Read data from csv file D:\Input.csv
$scopes = Import-Csv 'D:\input.csv'

# Collect the netsh lines and write them once at the end: Windows PowerShell's
# ">>" writes UTF-16 ("Unicode") text, which cmd.exe cannot run as a .cmd file.
$lines = @()

foreach ($scope in $scopes) {
    ### DHCP Server 1
    # name and description are quoted so that values containing spaces survive netsh parsing
    $lines += "netsh dhcp server $DHCPServer1 add scope " + $scope.scoper + " " + $scope.mask + ' "' + $scope.name + '" "' + $scope.desc + '"'
    $lines += "netsh dhcp server $DHCPServer1 scope " + $scope.scoper + " set optionvalue 3 IPADDRESS " + $scope.router
    $lines += "netsh dhcp server $DHCPServer1 scope " + $scope.scoper + " set optionvalue 6 IPADDRESS " + $DNS1 + " " + $DNS2
    $lines += "netsh dhcp server $DHCPServer1 scope " + $scope.scoper + " set optionvalue 15 STRING " + $scope.dnssuffix
    $lines += "netsh dhcp server $DHCPServer1 scope " + $scope.scoper + " add iprange " + $scope.startip1 + " " + $scope.endip1
    $lines += "netsh dhcp server $DHCPServer1 scope " + $scope.scoper + " set optionvalue 28 IPADDRESS " + $scope.broadcast
    $lines += "netsh dhcp server $DHCPServer1 scope " + $scope.scoper + " set optionvalue 51 DWORD 28800"   # lease time: 8 hours
    $lines += "netsh dhcp server $DHCPServer1 scope " + $scope.scoper + " set state 0"   # 0 = scope created inactive; use 1 to activate
    $lines += ""
}

foreach ($scope in $scopes) {
    ### DHCP Server 2
    $lines += "netsh dhcp server $DHCPServer2 add scope " + $scope.scoper + " " + $scope.mask + ' "' + $scope.name + '" "' + $scope.desc + '"'
    $lines += "netsh dhcp server $DHCPServer2 scope " + $scope.scoper + " set optionvalue 3 IPADDRESS " + $scope.router
    $lines += "netsh dhcp server $DHCPServer2 scope " + $scope.scoper + " set optionvalue 6 IPADDRESS " + $DNS1 + " " + $DNS2
    $lines += "netsh dhcp server $DHCPServer2 scope " + $scope.scoper + " set optionvalue 15 STRING " + $scope.dnssuffix
    $lines += "netsh dhcp server $DHCPServer2 scope " + $scope.scoper + " add iprange " + $scope.startip2 + " " + $scope.endip2
    $lines += "netsh dhcp server $DHCPServer2 scope " + $scope.scoper + " set optionvalue 28 IPADDRESS " + $scope.broadcast
    $lines += "netsh dhcp server $DHCPServer2 scope " + $scope.scoper + " set optionvalue 51 DWORD 28800"   # lease time: 8 hours
    $lines += "netsh dhcp server $DHCPServer2 scope " + $scope.scoper + " set state 0"   # 0 = scope created inactive; use 1 to activate
    $lines += ""
}

# ASCII output so cmd.exe can execute the generated batch file
$lines | Set-Content -Path $outputfile1 -Encoding Ascii

# End of Script


CSV File:


Firewall: Part3 – Create a few rules to access the internet

Hi all

In Part 2 you created the first three rules: allow only the trusted DNS servers, block DNS to everything else, and deny all at the end.

Now it's time to create the policies/rules for internet access and for your mail.

Internet access:

For your internet access you should create a policy like the following:

source: all internal
dest: all external
service: http, https
action: allow

To secure these connections, enable web filtering, antivirus and intrusion prevention on this policy. The settings vary from firewall to firewall; to be safe, enable the NGFW features.

After this policy you should be able to connect to the internet.

Now it's time to set up your mail service policies.
Before you create the policy, think about which services you actually need:
– smtp
– pop3
– imap

Once you know the services you need, create your email firewall policy:

source: all internal
dest: your mail provider
service: smtp, pop3, imap (whatever you need; have a look at the FAQ of your email provider, and prefer the TLS variants such as submission/465, pop3s/995 and imaps/993 where offered)
action: allow

To secure the connection, activate the NGFW features on this policy too.

At the end of Part 3 you should be able to connect to the internet and send/receive emails.

Firewall: Part2 – Create your first important policies/rules

Hi all

First of all, I think you should create a few policies that are very important in every firewall implementation.

At the end of your ruleset you must have a DENY ALL "last rule".
Most firewalls have this rule by default, but it should never be disabled, least of all by a novice.

To protect your internal clients from compromised DNS servers or DNS forwarders, implement a rule for your two or three trusted DNS servers.
This rule looks like this:

source: all internal
destination: trust_dns_1, trust_dns_2
service: DNS
action: Allow

Directly after this rule you must set up a block rule for all other DNS servers, like this:

source: all internal
destination: all external
service: DNS
action: Block

Now your clients can only reach the trusted DNS servers. An attacker (or a misconfigured client) can therefore no longer point them at a rogue DNS server that redirects them to a malicious IP. Note that this does not protect the trusted servers themselves, so choose them carefully.

In the next part we will discuss the rules you need to access the internet, receive email and so on.
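As an added example for Part 2 and Part 3 together (my code, not from the posts), the Python below models the five rules as an ordered first-match ruleset and evaluates a few flows against it, including what happens when the two DNS rules are accidentally swapped. The addresses are constructed documentation ranges standing in for "all internal", "trust_dns_1/2" and "your mail provider", and service names are derived from the destination port for simplicity.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges); the posts leave the
# real values to the reader
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_DNS = ["192.0.2.53", "198.51.100.53"]   # trust_dns_1, trust_dns_2
MAIL_PROVIDER = ["203.0.113.25"]                 # your mail provider

# destination port -> service name, the way the rules name services
SERVICE_PORTS = {53: "dns", 80: "http", 443: "https", 25: "smtp", 110: "pop3", 143: "imap"}


def _hosts(ips):
    return [ipaddress.ip_network(f"{ip}/32") for ip in ips]


# (name, source, destination, services, action), checked top to bottom, first
# match wins, in the order the posts build them. "internal"/"external" are
# relative to INTERNAL; "all" matches anything.
POLICY = [
    ("allow trusted DNS", "internal", _hosts(TRUSTED_DNS), {"dns"}, "allow"),
    ("block other DNS", "internal", "external", {"dns"}, "block"),
    ("internet access", "internal", "external", {"http", "https"}, "allow"),
    ("mail", "internal", _hosts(MAIL_PROVIDER), {"smtp", "pop3", "imap"}, "allow"),
    ("deny all (last rule)", "all", "all", "all", "block"),
]

# The same rules with the two DNS rules swapped: the block rule now shadows the
# allow rule, so even the trusted servers become unreachable.
SWAPPED = [POLICY[1], POLICY[0]] + POLICY[2:]


def _match_addr(addr, spec):
    ip = ipaddress.ip_address(addr)
    if spec == "all":
        return True
    if spec == "internal":
        return ip in INTERNAL
    if spec == "external":
        return ip not in INTERNAL
    return any(ip in net for net in spec)


def evaluate(src, dst, dport, policy=POLICY):
    """Return (action, rule name) of the first rule that matches the flow."""
    service = SERVICE_PORTS.get(dport, f"tcp/{dport}")
    for name, src_spec, dst_spec, services, action in policy:
        if (_match_addr(src, src_spec) and _match_addr(dst, dst_spec)
                and (services == "all" or service in services)):
            return action, name
    raise RuntimeError("no rule matched: the ruleset must end with deny all")


if __name__ == "__main__":
    client = "192.168.1.10"
    flows = [("192.0.2.53", 53), ("198.51.100.99", 53), ("198.51.100.99", 443),
             ("203.0.113.25", 143), ("198.51.100.99", 25)]
    for dst, port in flows:
        print(f"{client} -> {dst}:{port}  {evaluate(client, dst, port)}")
    print("swapped DNS rules:", evaluate(client, "192.0.2.53", 53, SWAPPED))
```

The last line is the point of Part 2's ordering: with the block rule above the allow rule, lookups to trust_dns_1 hit "block other DNS" and name resolution dies for every client.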