Video: FortiClient - An issue to be resolved

Deleted member 65228 (Guest) #4
Do I always need to check my Startup Entries before shutting down the PC?
There are other ways of automatically executing code at the boot of the environment, such as through installed device drivers, or the registry to trick a program into loading a malicious DLL, etc. However, you can usually check Startup Entries for software through Task Manager (go to the Startup tab).

For example, if a program stores the file path of a DLL on disk via the registry so it knows the correct path when it starts up, the value under that key name can be hijacked to provide the path of a rogue DLL. Now when said program starts up, the rogue DLL is loaded instead.

A different example would be via AppInit_DLLs. Any modules set for this will be loaded into a newly started process as long as the compilation architectures match and the process has User32.dll loaded (therefore affecting GUI processes only).
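As an added example (not code from this thread or any poster), the check below parses `reg query` output for the two AppInit_DLLs keys and reports which modules would be loaded into User32-dependent processes and whether unsigned modules are allowed; the registry dump is constructed and the DLL path is invented.

```python
import re
# The two keys Windows consults (native view, and the WOW64 view used by 32-bit processes).
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)
# Constructed sample of `reg query <key>` output; the DLL path is invented for illustration.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\Users\Public\hook.dll
    LoadAppInit_DLLs    REG_DWORD    0x1
    RequireSignedAppInit_DLLs    REG_DWORD    0x0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
    LoadAppInit_DLLs    REG_DWORD    0x0
"""
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}}; key lines are unindented."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # a key path starts a new block
            current = line.strip()
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            result[current][name] = (vtype, data.strip())
    return result

def dword(values, name, default):
    """Read a REG_DWORD shown as 0x...; when absent, assume the weaker default given."""
    return int(values.get(name, ("REG_DWORD", hex(default)))[1], 16)

def assess_appinit(parsed):
    """One finding per key whose DLL list would actually be loaded into User32 processes."""
    findings = []
    for key in APPINIT_KEYS:
        values = parsed.get(key, {})
        # Entries are separated by spaces or commas, so paths containing spaces are not expected.
        dlls = [d for d in re.split(r"[ ,;]+", values.get("AppInit_DLLs", ("REG_SZ", ""))[1]) if d]
        loading = dword(values, "LoadAppInit_DLLs", 0) == 1
        signed_only = dword(values, "RequireSignedAppInit_DLLs", 0) == 1
        if dlls and loading:
            findings.append((key, dlls, "signed-only" if signed_only else "unsigned allowed"))
    return findings
```

On Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled regardless of these values, so a finding there indicates a stale or suspicious configuration rather than an active injection path.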
 

BryanB (Level 13, Verified; joined Aug 17, 2017; 601 messages; OS: Windows 10; Antivirus: Microsoft) #7
There are other ways of automatically executing code at the boot of the environment, such as through installed device drivers, or the registry to trick a program into loading a malicious DLL, etc. However, you can usually check Startup Entries for software through Task Manager (go to the Startup tab).

For example, if a program stores the file path of a DLL on disk via the registry so it knows the correct path when it starts up, the value under that key name can be hijacked to provide the path of a rogue DLL. Now when said program starts up, the rogue DLL is loaded instead.

A different example would be via AppInit_DLLs. Any modules set for this will be loaded into a newly started process as long as the compilation architectures match and the process has User32.dll loaded (therefore affecting GUI processes only).
I think this kind of response is what pulled me into MT, your passion for the subject is clear and beautiful and rubs off, thanks.
 
Deleted member 65228 (Guest) #9
Sometimes I use PCHunter for this purpose
The image you posted shows that Yandex browser is auto-injecting a DLL into processes which load user32.dll (GUI processes); the file name of the module implies they're performing API hooking within it. Unless they have another injection method, if you build a program with no user32.dll or locally intercept Ldr*, you can block Yandex from injecting that module with ease and beat their self-protection/HIPS feature :cool:
 

Peter2150 (Level 7, Verified; joined Oct 24, 2015; 300 messages; OS: Windows 7; Antivirus: Emsisoft) #11
There are other ways of automatically executing code at the boot of the environment, such as through installed device drivers, or the registry to trick a program into loading a malicious DLL, etc. However, you can usually check Startup Entries for software through Task Manager (go to the Startup tab).

For example, if a program stores the file path of a DLL on disk via the registry so it knows the correct path when it starts up, the value under that key name can be hijacked to provide the path of a rogue DLL. Now when said program starts up, the rogue DLL is loaded instead.

A different example would be via AppInit_DLLs. Any modules set for this will be loaded into a newly started process as long as the compilation architectures match and the process has User32.dll loaded (therefore affecting GUI processes only).
The best protection for this stuff is Excubits MZWriteScanner. If something drops a new DLL anywhere on the system, MZWriteScanner detects it, alerts you and blocks it until you take certain actions. It also does the same with exe, sys and bat files.
 

kuttan (Level 10, Verified; joined May 9, 2015; 461 messages; OS: Windows 10; Antivirus: Kaspersky) #12
Yet to see a 100% foolproof AV to date in my 17 years of PC experience, and Forti is no exception. What differentiates Forti from other free AVs is its excellent web block, high-quality razor-sharp signatures, really low system resource usage, and the newer version of Forti AV offers more security features which I haven't tried yet. Anyway, a good test by @cruelsister that will help Forti developers to fix the vulnerability.
 

cruelsister (Level 36, Content Creator, Verified; joined Apr 13, 2013; 2,512 messages) #13
I was wondering if I could get away with playing a Gaelic lullaby on a security video.

Glad you guys liked it (it's soooo pretty...).

Cats- I've said this before, but your lady has impeccable taste in music (and my Ophelia was on my lap as I made this one).
 

Peter2150 (Level 7, Verified; joined Oct 24, 2015; 300 messages; OS: Windows 7; Antivirus: Emsisoft) #14
I was wondering if I could get away with playing a Gaelic lullaby on a security video.

Glad you guys liked it (it's soooo pretty...).

Cats- I've said this before, but your lady has impeccable taste in music (and my Ophelia was on my lap as I made this one).
I have to admit sometimes I find the music a bit annoying, but this one was outstanding. Well done.
 

cruelsister (Level 36, Content Creator, Verified; joined Apr 13, 2013; 2,512 messages) #16
Hi Woodrow! Yeah, Fortinet has indeed made advances in their product line over the past year, as I stated in the video text. They are primarily an Enterprise Security company and are publicly traded on the NASDAQ. It can be seen that they are growing fast and the value of the company over the past year has grown from an Enterprise value of about 4 billion USD to one of about 7.5 billion. Fortunately they have put some of their profits into R&D, and this has trickled down to improved malware detection by FortiClient (which really should be considered no more than a supplement to their excellent Security appliance).

That being said, it is important to note that FortiClient, if used alone by a Home user, remains nothing more than a definition-based anti-malware application. You bring up my cat: actually Ophelia did morph (I would never do such a thing myself, being Kind and Gentle) a fast encryptor, an XData variant, that blew right past FortiClient. But what would be the point of highlighting this? The worth of a traditional definition-based AV can be seen in a valid logical argument:

1). Product A is a definition only based security application;
2). malware B is a true Zero-Day malware that no product has yet a definition against;

therefore product A will Fail against malware B.

As anyone in the field already knows this, and most Home users will not want to admit that it is true, why bother to darken anyone's day by including this in the video? Ophelia was actually pissed that I didn't use her malware, but I got her a block of 10 year aged Cheddar from Wisconsin and she forgave me. Never fails...

 

Slyguy (Level 37, Verified; joined Jan 27, 2017; 2,636 messages; OS: Other OS) #18
From FortiOS 4.x to 5.0.x Fortinet was soundly in the 'average' territory at best. They started pouring resources into R&D and expansion of their threat lab and analyst personnel in FortiOS 5.2.x. This took several years to mature, culminating in the overdue 5.4.x series. But 5.6.x pushes Fortinet into new, more powerful territories for sure and it should be considered one of the premier UTM/NGFW enterprise grade devices. It's exceeded expectations with all of the certification labs without a doubt and is a leader in ROI among the top players.

FortiClient has benefited some from these advances, but more R&D is going into it by the month because of the EMS as part of the Security Fabric. The end goal is to make FortiClient a world class endpoint threat management solution, which is why from 5.6.0 to 5.6.2 you've seen many features and technology added, such as the anti-exploit module. This advancement will continue as the EMS is pushed for wide adoption.

Watch: An Introduction to FortiClient EMS

Free users benefit from a portion of all of these advances but must realize they won't benefit from all of them simply because of the fact they don't have the EMS or a FortiGate deployed, nor the incredibly important FortiSandbox.

They'll still have world class signatures (including Zoo if enabled), Solid Heuristics, Fantastic Web Filtration, Exploit Protection and Dynamic Threat Detection. All of which should be sufficient for general home use as a free solution, especially considering the power of its web filtration. The real way to test FortiClient is to toss it on a test machine on a DMZ and let people hammer it until it dies. Let me know the results then. (glances over at the lab with dozens of honeypot boxes doing just that) You might be surprised. Hence, my recommendation of FortiClient for folks looking for a free solution not full of cleaners, optimizers, widgets, gadgets and gizmos - just solid protection.

Something to keep in mind on the latest AVC Real World Results where FortiClient scored 98.9%: 1) They were using 5.6 proper, not 5.6.2, which has additional protection/features. 2) They didn't have FortiSandbox active on the FortiGate. So while they did test it behind a FortiGate, a crucial component was missing when tested, as FortiSandbox is the ATP/Zero-Day detection unit.

Slyguy (Level 37, Verified; joined Jan 27, 2017; 2,636 messages; OS: Other OS) #19
I'm told Fortinet is investigating the video.

Hey Sly,
Thanks for sending this video. I've forwarded it to our development team for investigation. I will update you once I hear from them.

Regards,
OG
Fortinet TAC Engineer, Americas
Note that in the video the Anti-Botnet, Anti-Exploit and Dynamic Threat Detection are all 'disabled'. The product was really functioning as a pure signature based AV in the video without the benefit of the other protection modules working in concert.