Solved

Apps found forti in s computer

Posted on 2016-10-04
Last Modified: 2016-10-16
We have a computer of one of the users that we are about to clean up, and found a series of apps in memory that we can't find what they are used for, yet the user insists that it's used for outside personal access to his PC at will (apps found in memory are fcdblog, fchelper64, fortiesnsc, fortisslvpndaemon, fortitray, scheduler).

Please advise what they are used for.
Question by:rayluvs
13 Comments
 

Author Comment

by:rayluvs
ID: 41828953
Another thing, the apps are all under the fortinet\forticlient folder (we know Fortinet is a firewall, antivirus, etc.). We understand that these apps are not used for remote access from another computer to this one, as in TeamViewer, but want EE's opinion so we can show our boss.
0
 
LVL 47

Expert Comment

by:dbrunton
ID: 41829112
0
 

Author Comment

by:rayluvs
ID: 41829116
Hahaha!

So are you saying that none of the apps, especially the SSL VPN, has anything to do that permits outside computers to connect to the user's?
0
 
LVL 47

Expert Comment

by:dbrunton
ID: 41829183
I only looked at a couple of files.

He could be using Fortinet as per the document here http://docs.fortinet.com/uploaded/files/1086/fortigate-ipsec-vpn-50.pdf  Forticlient is part of Fortinet.

If he is doing that then yes, he may very well have a VPN installed to his own home computer.

Fortinet for the VPN and Forticlient for the malware protection.
0
 

Author Comment

by:rayluvs
ID: 41830590
OK, so we are clear that the apps in memory are all pertaining to Fortinet, correct?

The apps are used in his PC, which is a notebook that he also takes home, for him to connect to another computer? Not the other way around, somebody else connecting to his notebook?
0
 
LVL 47

Expert Comment

by:dbrunton
ID: 41830650
Well, don't know how he has it connected.  You have to take his word for that.

If he has his notebook at work he could be connecting from that to his home computer or another computer.  But if he takes it home why does he need Fortinet to connect to another computer at home?  A USB stick should be enough to transfer data.
0

 

Author Comment

by:rayluvs
ID: 41831056
Think we didn't quite express our concern.

The question is not "the notebook connecting to his home" or "if he is at home, he connects to another computer". That is not the concern. When we said in the question that "user insist that it's used for outside personal access his PC at will", what we meant is that the user insists that someone else outside his home or office is using the Fortinet apps installed in his notebook so they can connect to his notebook without his knowledge; like monitoring him.

Our little experience inclines that this is not the case. And by your expert comments, it suggests that we are correct, that the apps described in our question cannot be used for another person outside the notebook to connect to his and monitor him.

Hope we cleared up our concern.

That said, do you think that the fortinetclient apps installed in his notebook can be used by somebody outside his notebook and connect to his computer?
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 500 total points
ID: 41835164
The FortiClient needs to have an open connection, which is clearly visible. Otherwise it cannot be used. Usually the connection needs to be initiated manually; I cannot remember if you can set it up as always on.
Even if connected, the connection usually allows for access from the client to the remote network only, but the details can be set up in the remote FortiGate.
And this connection can only be a very specific one, to exactly one remote FortiGate.

It's very unlikely the FortiClient is used that way. And the user has full control whether the connection is open or not.
0
 

Author Comment

by:rayluvs
ID: 41835175
So the user may have been correct in his insistence in checking this out.

Question,
How can we know the connection has been initiated? Or is it automatic or manual?

Is there a way to verify in the remote FortiGate that it has been set that way?

Finally, if we find that is initiated, what would the apps be monitoring? Or as the question states,  what are they used for?

Thank you.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 41835180
I'm not getting this. You clearly know which the remote FortiGate is. The user should know who installed and set up the client. If there is no purpose for the VPN, it is misused.

With an open VPN connection, all traffic can be redirected to pass the VPN. That traffic can be monitored that way. But no process control, screenwriting, local files or whatever else are in direct reach. To get at the file system, sharing needs to be enabled, and valid credentials used.

An open VPN connection is visible by looking at the tray icon.
0
 

Author Comment

by:rayluvs
ID: 41835201
Sorry if we misled you to understand that we know which the remote FortiGate is; we don't (the reason for the question). The user also doesn't know because, as he puts it, he just gives his PC to the tech when there is trouble and also he has lent his PC to his associates (yes, the user is not technically security prone); the reason for our question.

Also according to the user he has never connected to us office remotely, so maybe there is a misuse?

So with an open VPN connection, his PC can be monitored, and when you say "no process control" you mean that the malignant remote user cannot control the PC?
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 41835296
All you need to do is look into the VPN configuration. The remote gateway is noted with IP or DNS name, and that should allow to track where it belongs to. I assume you want to know that?! Otherwise just remove the client.

And regarding monitoring: the VPN could be the means to connect to a local process, which is able to perform monitoring of any kind. That is, there needs to be another process, but it could get started using the VPN connection - maybe.
0
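
An added example, not part of the original thread and not Fortinet's own tooling: a PowerShell check a defender can run on the notebook to see whether any FortiClient process is listening on a network-reachable address and which remote address an open connection goes to. The process-name wildcards are assumptions based on the names listed in the question.

```powershell
# Added example: socket triage for the FortiClient processes named in the question.
# Assumption: the process names start with "forti" or "fc", as in the thread's list.
# Run from an elevated prompt so executable paths can be read.
$patterns = 'forti*', 'fc*'
$loopback = '127.0.0.1', '::1'

# Map PID -> process object so each socket row can be labelled.
$byPid = @{}
Get-Process -Name $patterns -ErrorAction SilentlyContinue |
    ForEach-Object { $byPid[[int]$_.Id] = $_ }

$rows = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $byPid.ContainsKey([int]$_.OwningProcess) } |
    ForEach-Object {
        # Classify each socket: inbound exposure vs. outbound session.
        $finding = switch ($_.State.ToString()) {
            'Listen' {
                if ($loopback -contains $_.LocalAddress) { 'listening on loopback only' }
                else { 'listening on a network-reachable address: review' }
            }
            'Established' {
                if ($loopback -contains $_.RemoteAddress) { 'local inter-process connection' }
                else { 'open connection to a remote host: identify who owns it' }
            }
            default { 'transient state' }
        }
        $proc = $byPid[[int]$_.OwningProcess]
        [pscustomobject]@{
            Process = $proc.ProcessName
            PID     = $proc.Id
            Path    = $proc.Path
            State   = $_.State
            Local   = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
            Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            Finding = $finding
        }
    }

if ($rows) {
    $rows | Sort-Object Process, State | Format-Table -AutoSize -Wrap
} else {
    'No TCP sockets are owned by the matching processes.'
}

# UDP endpoints carry no remote address, so only the local side can be listed.
Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $byPid.ContainsKey([int]$_.OwningProcess) } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

A remote address reported as an open connection can be compared with the remote gateway entered in the VPN configuration, as the accepted answer suggests.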
 

Author Comment

by:rayluvs
ID: 41841374
We haven't been on the computer either apps to try the recommendations until tomorrow.
0
