Video Review FortiClient- An issue to be resolved

Discussion in 'Video Reviews' started by cruelsister, Dec 16, 2017.

  1. cruelsister

    cruelsister Level 32
    Trusted

    Apr 13, 2013
    2,131
    12,419
    NYC
    Video Uploaded by:
    cruelsister
     
    done, RoboMan, Trickster and 18 others like this.
  2. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,170
    5,187
    IRAN
    Windows 10
    ESET
    Cute cruelsister, can you please tell me how to protect boot?! Do I always need to check my Startup Entries before shutting down the PC? Btw I downloaded that music xd, thanks for this great song :D
     
  3. Cats-4_Owners-2

    Cats-4_Owners-2 Level 37
    Trusted

    Dec 4, 2013
    2,658
    11,435
    Southern California (east of Los Angeles)
    Windows 10
    Kaspersky
    Thank you for a revealing test, cruelsister .

    PS The atmosphere set by your musical selection was haunting. :sneaky: Was it Celtic? :unsure:
    Mrs. Cats thought so...
     
  4. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,302
    Caille
    Windows 10
    There are other ways of automatically executing code at the boot of the environment, such as through installed device drivers, or the registry to trick a program into loading a malicious DLL, etc. However, you can usually check Startup Entries for software through Task Manager (go to the Startup tab).

    For example, if a program stores the file path of a DLL on-disk via the registry so it knows the correct path when it starts up, the value to that key name can be hijacked to provide a path of a rogue DLL. Now when that said program starts up, the rogue DLL is loaded instead.

    A different example would be via AppInit_DLLs. Any modules set for this will be loaded in a newly started process as long as the architectures of compilation match, and that the process has User32.dll loaded (therefore affecting GUI processes only).
     
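    An added defender-side check for the persistence points described in the post above (this is my example, not code from the thread, from Opcode, or from Fortinet): it reads the AppInit_DLLs settings in both registry views and lists the Run/RunOnce entries that feed Task Manager's Startup tab, reporting the Authenticode status of each startup image. The registry paths are the standard Windows ones; it assumes an elevated Windows PowerShell session.

```powershell
# Audit of the boot-time persistence points discussed above: AppInit_DLLs and
# the Run/RunOnce keys behind Task Manager's Startup tab. Run elevated.
function Get-AppInitDllAudit {
    # Native and WOW64 views of the key that drives AppInit_DLLs injection
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k
        # Injection only happens when loading is enabled AND the list is non-empty
        $active = ($p.LoadAppInit_DLLs -eq 1) -and
                  -not [string]::IsNullOrWhiteSpace($p.AppInit_DLLs)
        $status = if ($active) { 'ACTIVE: loaded into every user32 process' } else { 'inactive' }
        [pscustomobject]@{
            Key           = $k
            LoadAppInit   = $p.LoadAppInit_DLLs
            RequireSigned = $p.RequireSignedAppInit_DLLs
            AppInit_DLLs  = $p.AppInit_DLLs
            Status        = $status
        }
    }
}

function Get-RunKeyAudit {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        # Skip the PS* provider metadata that Get-ItemProperty adds to the object
        $names = $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
        foreach ($name in $names) {
            $cmd = [string]$props.$name
            # Reduce the command line to its image path: quoted path, or first token
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $sig = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -LiteralPath $exe).Status
            } else { 'file missing' }
            [pscustomobject]@{ Key = $k; Name = $name; Command = $cmd; Signature = $sig }
        }
    }
}

Get-AppInitDllAudit | Format-List
Get-RunKeyAudit | Format-Table -AutoSize
```

    An entry whose Signature is NotSigned or whose file is missing is worth a closer look; this covers the registry-based routes only, not driver-based persistence.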
  5. Faybert

    Faybert Level 10
    AV Tester

    Jan 8, 2017
    459
    1,911
    Brasil
    Windows 10
    G-Data
    About the band "Clannad": it is the name of one of my favorite anime (photo) :p
     
  6. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,170
    5,187
    IRAN
    Windows 10
    ESET
    @Opcode
    Thank you very much, my friend! You are very helpful :D! Sometimes I use PCHunter for this purpose! Please see how good it is; everything you said is well covered.
     


  7. BryanB

    BryanB Level 3

    Aug 17, 2017
    114
    626
    Handyman
    MI
    Windows 7
    Default-Deny
    I think this kind of response is what pulled me into MT; your passion for the subject is clear and beautiful and rubs off. Thanks.
     
    Andy Ful, Trickster, upnorth and 6 others like this.
  8. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,090
    4,371
    Fortinet Engineer
    USA
    Other OS
    I sent this video to my Fortinet TAC guys for review so they can send this off to development.
     
    askmark, Trickster, BryanB and 13 others like this.
  9. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,302
    Caille
    Windows 10
    The image you posted shows that Yandex browser is auto-injecting a DLL into processes which load user32.dll (GUI processes); the file name of the module implies they're performing API hooking within. Unless they have another injection method, if you build a program with no user32.dll or locally intercept Ldr*, you can block Yandex from injecting that module with ease and beat their self-protection/HIPS feature :cool:
     
    Andy Ful, harlan4096, ZeroDay and 4 others like this.
  10. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,170
    5,187
    IRAN
    Windows 10
    ESET
    #10 Sunshine-boy, Dec 16, 2017
    Last edited: Dec 16, 2017
    Don't teach ppl how to bypass my next generation browser. wtf lol
    @Opcode is a 21st century hacker :D
     
  11. Peter2150

    Peter2150 Level 6

    Oct 24, 2015
    280
    811
    Washington DC
    Windows 7
    Emsisoft
    The best protection for this stuff is Excubits MZWriteScanner. If something drops a new DLL anywhere on the system, MZWriteScanner detects it, alerts you and blocks it until you take certain actions. It also does the same with exe, sys and bat files.
     
    Andy Ful, upnorth, harlan4096 and 4 others like this.
  12. kuttan

    kuttan Level 9

    May 9, 2015
    404
    1,591
    Windows 10
    BitDefender
    Yet to see a 100% foolproof AV to date in my 17 years of PC experience, and Forti is no exception. What differentiates Forti from other free AVs is its excellent web block, high quality razor sharp signatures, really low system resource usage, and the newer version of Forti AV offers more security features which I haven't tried yet. Anyway, a good test by @cruelsister that will help Forti developers to fix the vulnerability.
     
  13. cruelsister

    cruelsister Level 32
    Trusted

    Apr 13, 2013
    2,131
    12,419
    NYC
    I was wondering if I could get away with playing a Gaelic lullaby on a security video.

    Glad you guys liked it (it's soooo pretty...).

    Cats- I've said this before, but your lady has impeccable taste in music (and my Ophelia was on my lap as I made this one).
     
  14. Peter2150

    Peter2150 Level 6

    Oct 24, 2015
    280
    811
    Washington DC
    Windows 7
    Emsisoft
    I have to admit sometimes I find the music a bit annoying, but this one was outstanding. Well done.
     
  15. woodrowbone

    woodrowbone Level 8

    Dec 24, 2011
    356
    559
    Great vid M!
    Was it not you who said even your cat could hack a Forticlient firewall a year back :giggle:
    Did they shape up?

    /W
     
  16. cruelsister

    cruelsister Level 32
    Trusted

    Apr 13, 2013
    2,131
    12,419
    NYC
    Hi Woodrow! Yeah, Fortinet has indeed made advances in their product line over the past year, as I stated in the video text. They are primarily an Enterprise Security company and are publicly traded on the NASDAQ. It can be seen that they are growing fast and the value of the company over the past year has grown from an Enterprise value of about 4 billion USD to one of about 7.5 billion. Fortunately they have put some of their profits into R&D, and this has trickled down to improved malware detection by FortiClient (which really should be considered no more than a supplement to their excellent Security appliance).

    That being said, it is important to note that FortiClient, if used alone by a Home user, remains nothing more than a definition based anti-malware application. You bring up my cat- actually Ophelia did morph (I would never do such a thing myself, being Kind and Gentle) a fast encryptor- an XData variant- that blew right past FortiClient... But what would be the point of highlighting this? The worth of a traditional based AV can be seen in a valid logical argument:

    1). Product A is a definition only based security application;
    2). malware B is a true Zero-Day malware that no product has yet a definition against;

    therefore product A will Fail against malware B.

    As anyone in the field already knows this, and most Home users will not want to admit that it is true, why bother to darken anyone's day by including this in the video? Ophelia was actually pissed that I didn't use her malware, but I got her a block of 10 year aged Cheddar from Wisconsin and she forgave me. Never fails...

    M
     
  17. TerrakionSmash

    TerrakionSmash Level 16

    Nov 17, 2016
    750
    2,127
    Somewhere underwater or over water. I am water!
    Windows 10
    Microsoft
    @cruelsister I'm starting to think you yourself are a cat.
     
  18. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,090
    4,371
    Fortinet Engineer
    USA
    Other OS
    #18 Slyguy, Dec 18, 2017
    Last edited: Dec 18, 2017
    From FortiOS 4.x to 5.0.x Fortinet was soundly in the 'average' territory at best. They started pouring resources into R&D and expansion of their threat lab and analyst personnel in FortiOS 5.2.x. This took several years to mature, culminating in the overdue 5.4.x series. But 5.6.x pushes Fortinet into new, more powerful territories for sure and it should be considered one of the premier UTM/NGFW enterprise grade devices. It's exceeded expectations with all of the certification labs without a doubt and is a leader in ROI among the top players.

    FortiClient has benefited some from these advances, but more R&D is going into it by the month because of the EMS as part of the Security Fabric. The end goal is to make FortiClient a world class endpoint threat management solution, which is why from 5.6.0 to 5.6.2 you've seen many features and technology added, such as the anti-exploit module. This advancement will continue as the EMS is pushed for wide adoption.

    Watch: An Introduction to FortiClient EMS

    Free users benefit from a portion of all of these advances but must realize they won't benefit from all of them simply because of the fact they don't have the EMS or a FortiGate deployed, nor the incredibly important FortiSandbox.

    They'll still have world class signatures (including Zoo if enabled), Solid Heuristics, Fantastic Web Filtration, Exploit Protection and Dynamic Threat Detection. All of which should be sufficient for general home use as a free solution, especially considering the power of its web filtration. The real way to test FortiClient is to toss it on a test machine on a DMZ and let people hammer it until it dies. Let me know the results then. (glances over at the lab with dozens of honeypot boxes doing just that) You might be surprised. Hence, my recommendation of FortiClient for folks looking for a free solution not full of cleaners, optimizers, widgets, gadgets and gizmos - just solid protection.

    Something to keep in mind on the latest AVC Real World Results where FortiClient scored 98.9%: 1) They were using 5.6 proper, not 5.6.2, which has additional protection/features. 2) They didn't have FortiSandbox active on the FortiGate. So while they did test it behind a FortiGate, a crucial component was missing when tested, as FortiSandbox is the ATP/Zero Day detection unit.
     
  19. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,090
    4,371
    Fortinet Engineer
    USA
    Other OS
    #19 Slyguy, Dec 18, 2017
    Last edited: Dec 18, 2017
    I'm told Fortinet is investigating the video.

    Note that in the video the Anti-Botnet, Anti-Exploit and Dynamic Threat Detection are all 'disabled'. The product was really functioning as a pure signature based AV in the video without the benefit of the other protection modules working in concert.
     
  20. cruelsister

    cruelsister Level 32
    Trusted

    Apr 13, 2013
    2,131
    12,419
    NYC
    Sly- The advanced features are part of the Endpoint product, with the Advanced Threat protection working through FortiSandbox.

    So the free FortiClient product is indeed just a traditional AV product.
     