Hi Mohl, Ncolter,
I've set up the entire thing with an ATD trial and let our developer adjust some code in "atd_Publisher.py" to log to a separate file.
When I execute, for example, "ransomware petya" in our ATD, we receive a lot of information in our log, but the BadIPList on the FortiGate isn't updated. I also don't see the startup of the file "forti_push.py" in our log.
In the analyzer profile on the ATD I disabled "Enable Malware Internet Access" for security reasons. We don't have a separate internet breakout for testing.
My question:
Does an analyzer profile with dynamic analysis options enabled capture the network traffic of a threat when "Enable Malware Internet Access" is disabled?
I presume the Petya virus contains some public IPs for C&C which need to be pushed to the FortiGate.
FYI:
forti_push was already tested with "python forti_push.py 199.199.199.199" and this works.
Thanks
Christophe