WSM Cyclops Blink Detector
You can use the WatchGuard System Manager Cyclops Blink Detector to determine if your Firebox is affected by Cyclops Blink. The tool can scan single locally-managed and cloud-managed Fireboxes, as well as scan single or multiple Fireboxes managed by WSM Management Server.
Other detection tools are available online and from WatchGuard Cloud. For more information, see the Diagnose section of the 4-Step Cyclops Blink Diagnosis and Remediation Plan.
To scan devices in a FireCluster, we recommend that you upload diagnostic log files (support.tgz) to the Cyclops Blink Web Detector at detection.watchguard.com. The WSM Cyclops Blink Detector can only scan a cluster member if WSM can connect to the management IP address of the device.
Install WatchGuard System Manager Cyclops Blink Detector
Cyclops Blink Detector is included with WSM 12.7.2 Update 2 or higher. Download the latest version of WSM from the WatchGuard Software Downloads Center.
You can open the Cyclops Blink Detector from the WSM user interface or directly from C:\Program Files (x86)\WatchGuard\wsm11\fcd\bin\fcd.exe.
Scan Single Locally-Managed or Cloud-Managed Devices
For locally-managed and cloud-managed devices, you can scan single Fireboxes.
To run the WSM Cyclops Blink Detector for a locally-managed or cloud-managed device:
- Open WSM.
- Select Tools > Cyclops Blink Detector.
Or, connect to the device to scan, right-click the device, and select Cyclops Blink Detector.
Or, connect to a FireCluster, right-click the cluster member to scan, and select Cyclops Blink Detector.
- In the Firebox IP Address text box, type the IP address or FQDN of the Firebox you want to scan. If you selected a device in the previous step, its IP address appears automatically.
- In the Username and Password text boxes, type the credentials for a Device Administrator (read-write) user account.
- In the Domain text box, specify the authentication server for the user account. Firebox-DB is selected by default. If you use Active Directory or RADIUS, type the server domain name specified in the Firebox configuration.
- From the Management drop-down list, select the method to connect to the Firebox:
  - Fireware Web UI/WatchGuard Cloud — Select this option for cloud-managed or locally-managed Fireboxes.
  - WatchGuard System Manager — Select this option for locally-managed Fireboxes only.
- If you selected Fireware Web UI/WatchGuard Cloud from the drop-down list, and you previously changed the port used to connect to Fireware Web UI on the Firebox, type the port number in the text box.
- Click Scan. The tool connects to the Firebox and starts to scan. When complete, one of these results appears in the Results section:
  - This Firebox is infected with Cyclops Blink botnet. You must immediately follow the steps in the Remediation section of the 4-Step Cyclops Blink Diagnosis and Remediation Plan. If you cannot remediate immediately, we recommend you take the Firebox offline.
  - No indicators of the Cyclops Blink botnet are detected. You must immediately follow the steps in the Prevent section of the 4-Step Cyclops Blink Diagnosis and Remediation Plan to protect your Firebox.
If you see an error in the Results section, verify that the Firebox IP address, username, password, and domain you provided are correct.
Scan Devices Managed by Management Server
For Fireboxes managed by Management Server, you can scan single devices, all devices, or only the devices in a specific device folder.
To scan Fireboxes managed by WSM Management Server, your management computer must be able to connect to both the Management Server and the Fireboxes you want to scan. Scans initiate from WSM on your management computer and do not go through the WSM Management Server.
For a FireCluster, you can scan each cluster member individually, or, to scan both cluster members, scan the folder that contains the FireCluster or the top-level Devices folder. If you scan the FireCluster node, only the cluster master is scanned.
The WSM Cyclops Blink Detector tool can scan a maximum of 1300 devices in a folder at a time.
To run the WSM Cyclops Blink Detector for a single managed device:
- Open WSM.
- Select File > Connect to Server and connect to your Management Server.
- On the Device Management tab, select the device to scan, then select Tools > Cyclops Blink Detector.
Or, right-click the device and select Cyclops Blink Detector.
Or, expand a FireCluster, right-click the cluster member to scan, and select Cyclops Blink Detector.
- The tool automatically connects to the managed device and runs. When the scan is complete, one of these results appears in the Results section:
  - This Firebox is infected with Cyclops Blink botnet. You must immediately follow the steps in the Remediation section of the 4-Step Cyclops Blink Diagnosis and Remediation Plan. If you cannot remediate immediately, we recommend you take the Firebox offline.
  - No indicators of the Cyclops Blink botnet are detected. You must immediately follow the steps in the Prevent section of the 4-Step Cyclops Blink Diagnosis and Remediation Plan to protect your Firebox.
If you see an error in the Results section, verify that the managed Firebox has an IP address, and has no other issues.
To run the WSM Cyclops Blink Detector for multiple managed devices:
- Open WSM.
- Select File > Connect to Server and connect to your Management Server.
- Select the Device Management tab.
- Do one of the following:
  - To scan all managed devices, right-click the top-level Devices folder, and select Cyclops Blink Detector. All folders and subfolders are scanned.
  - To scan devices in a specific folder, right-click the folder, and select Cyclops Blink Detector. Only the selected folder is scanned; no subfolders are scanned.
For each Firebox, a row appears in the Results section. One of these results appears in the Status column:
- Queued — The Firebox has not been scanned yet.
- Scanning — The tool is scanning the Firebox.
- Not detected — You must immediately follow the steps in the Prevent section of the 4-Step Cyclops Blink Diagnosis and Remediation Plan to protect your Firebox.
- Detected — You must immediately follow the steps in the Remediation section of the 4-Step Cyclops Blink Diagnosis and Remediation Plan. If you cannot remediate immediately, we recommend you take the Firebox offline.
- Stopped — Scanning stopped because a user clicked Stop.
- Inconclusive — Scanning stopped because an error occurred during detection.
- Error — An error occurred, usually because the tool could not connect to the Firebox. Verify that the managed Firebox has an IP address, and has no other issues.
If you selected a large number of devices, it might take some time for all results to appear.
You can copy the text from the Results section. The tool also saves the results to a CSV file named results.CSV. The default path to the results file is:
C:\Users\<username>\AppData\Roaming\WatchGuard\fcd\
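When a folder scan covers many Fireboxes, the results.CSV file is easier to act on with a small triage script than by reading the Results grid. The script below is an added example, not part of the WatchGuard tool or of this page. It assumes the CSV has Device, IP Address and Status columns (the column layout is not documented here, so the names in COLUMNS are an assumption to adjust to your file's header), embeds constructed sample rows so it runs offline, and maps each Status value listed above to the follow-up the page prescribes, with Detected devices sorted to the top. It rejects unknown status values rather than silently counting them as clean.

```python
"""Triage helper for the results.CSV written by the WSM Cyclops Blink Detector.

Added example, not WatchGuard code. Status values are the ones the Detector
documents; the CSV column names are an ASSUMPTION (hypothetical header).
"""
import csv
import io
import os
from collections import Counter

# Documented Status values mapped to the follow-up the page calls for.
STATUS_ACTION = {
    "Queued": "scan not started yet; wait for the run to finish",
    "Scanning": "scan in progress; wait for the run to finish",
    "Not detected": "follow the Prevent section of the 4-Step plan",
    "Detected": "follow the Remediation section of the 4-Step plan; "
                "take the Firebox offline if you cannot remediate immediately",
    "Stopped": "scan stopped by a user; rescan",
    "Inconclusive": "error during detection; rescan",
    "Error": "tool could not connect; verify the managed Firebox has an IP "
             "address and no other issues, then rescan",
}
NEEDS_ATTENTION = {"Detected", "Inconclusive", "Error", "Stopped"}
UNFINISHED = {"Queued", "Scanning"}

# ASSUMED column names (hypothetical); change to match your results.CSV header.
COLUMNS = {"device": "Device", "ip": "IP Address", "status": "Status"}

# Default location of results.CSV on the management computer.
DEFAULT_RESULTS = os.path.join(
    os.environ.get("APPDATA", r"C:\Users\<username>\AppData\Roaming"),
    "WatchGuard", "fcd", "results.CSV",
)

# Constructed sample rows for an offline run (not real scan output).
SAMPLE_CSV = """Device,IP Address,Status
branch-fw-01,10.0.1.1,Not detected
branch-fw-02,10.0.2.1,Detected
dc-cluster-member-a,10.0.3.1,Error
dc-cluster-member-b,10.0.3.2,Inconclusive
lab-fw,10.0.9.1,Queued
"""


def parse_results(text):
    """Parse CSV text into rows; fail loudly on a missing column or an
    unknown status so a changed file format is noticed, not misread."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        missing = [c for c in COLUMNS.values() if c not in raw]
        if missing:
            raise ValueError(f"results CSV lacks expected column(s): {missing}")
        status = raw[COLUMNS["status"]].strip()
        if status not in STATUS_ACTION:
            raise ValueError(f"unknown status {status!r} for "
                             f"{raw[COLUMNS['device']]}")
        rows.append({"device": raw[COLUMNS["device"]].strip(),
                     "ip": raw[COLUMNS["ip"]].strip(),
                     "status": status})
    return rows


def triage(rows):
    """Summarise a scan: per-status counts, devices needing follow-up with
    the documented action (Detected first), and devices not yet finished."""
    counts = Counter(r["status"] for r in rows)
    attention = [(r["device"], r["ip"], r["status"], STATUS_ACTION[r["status"]])
                 for r in rows if r["status"] in NEEDS_ATTENTION]
    attention.sort(key=lambda t: (t[2] != "Detected", t[0]))
    unfinished = [r["device"] for r in rows if r["status"] in UNFINISHED]
    return {"total": len(rows), "counts": dict(counts),
            "attention": attention, "unfinished": unfinished}


def load_results(path=DEFAULT_RESULTS):
    """Read results.CSV from disk; utf-8-sig tolerates a leading BOM."""
    with open(path, encoding="utf-8-sig", newline="") as fh:
        return parse_results(fh.read())


if __name__ == "__main__":
    # Use load_results() on a real file; the sample keeps this runnable offline.
    report = triage(parse_results(SAMPLE_CSV))
    print(f"{report['total']} devices scanned: {report['counts']}")
    for device, ip, status, action in report["attention"]:
        print(f"{status:12} {device} ({ip}): {action}")
    if report["unfinished"]:
        print("scan not complete for:", ", ".join(report["unfinished"]))
```

Because a folder scan can take a while to fill in, the unfinished list tells you whether the CSV is a complete picture yet; rerun the script once no device remains Queued or Scanning.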