Does FortiClient Av contain a BB?

Status
Not open for further replies.
Fel Grossi

Fel Grossi

Level 13
Verified
Top Poster
Well-known
Jan 17, 2014
627
I installed Forticlient yesterday, to use with my CF just to see this new version and I came across this new option, which translated into English means:

"Dynamic Threat Detection Using Threat Intelligence Data"

Has anyone tested and could tell how efficient this dynamic detection is?
5yxgrp.jpg
 
  • Like
Reactions: Cats-4_Owners-2, vtqhtr413, Handsome Recluse and 2 others
F

ForgottenSeer 58943

Felipe Oliveira said:
I installed Forticlient yesterday, to use with my CF just to see this new version and I came across this new option, which translated into English means:

"Dynamic Threat Detection Using Threat Intelligence Data"

Has anyone tested and could tell how efficient this dynamic detection is?
5yxgrp.jpg
Click to expand...

There are two additional technologies in the latest Forticlient.

1) Anti-Rootkit and MBR protection.
2) Dynamic Threat Detection

The first is self explanatory. The second utilizes threat intelligence data from all of the worlds deployed Fortisandbox appliances and virtual machines to push out threat intelligence on Zero-Day and APT's. Essentially, when the Fortisandboxes get a hit and that data is sent to the threat intelligence systems and verified it then pushes those traits out to Forticlient. The premise behind this is it has a significant chance to spot previously unknown and/or yet to be discovered advanced attacks and malware.
 
  • Like
Reactions: Cats-4_Owners-2, vtqhtr413, Azure and 4 others
F

ForgottenSeer 58943

I would like to note - in May I uninstalled CCleaner and on systems I had CCleaner cloud on I removed it and cancelled the subscription. This was largely based on the fact that FortiSandbox and APT detections started flagging on Ccleaner. Anytime I get a hit on Fortisandbox I perk up, big time. This started back in May, so I have had a nagging suspicion Ccleaner were compromised before the July/Aug time-frame they've publicly acknowledged.

If my information isn't enough, others noticed Fortinet APT technologies starting to flag on CCleaner with version 5.29..
CCleaner detected as virus by FortiClient - CCleaner Discussion - Piriform Community Forums

Sept. 18th Fortinet released an official signature update for the CCleaner trojan.
W32/CCleaner.A!tr | Virus
 
  • Like
Reactions: Cats-4_Owners-2, ZeroDay, vtqhtr413 and 3 others
H

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,140
ForgottenSeer 58943 said:
There are two additional technologies in the latest Forticlient.

1) Anti-Rootkit and MBR protection.
2) Dynamic Threat Detection

The first is self explanatory. The second utilizes threat intelligence data from all of the worlds deployed Fortisandbox appliances and virtual machines to push out threat intelligence on Zero-Day and APT's. Essentially, when the Fortisandboxes get a hit and that data is sent to the threat intelligence systems and verified it then pushes those traits out to Forticlient. The premise behind this is it has a significant chance to spot previously unknown and/or yet to be discovered advanced attacks and malware.
Click to expand...
Are these for the free or paid version? Thanks
 
  • Like
Reactions: Cats-4_Owners-2, Syafiq and Sunshine-boy
ifacedown

ifacedown

Level 19
Verified
Jan 31, 2014
903
ForgottenSeer 58943 said:
I would like to note - in May I uninstalled CCleaner and on systems I had CCleaner cloud on I removed it and cancelled the subscription. This was largely based on the fact that FortiSandbox and APT detections started flagging on Ccleaner. Anytime I get a hit on Fortisandbox I perk up, big time. This started back in May, so I have had a nagging suspicion Ccleaner were compromised before the July/Aug time-frame they've publicly acknowledged.

If my information isn't enough, others noticed Fortinet APT technologies starting to flag on CCleaner with version 5.29..
CCleaner detected as virus by FortiClient - CCleaner Discussion - Piriform Community Forums

Sept. 18th Fortinet released an official signature update for the CCleaner trojan.
W32/CCleaner.A!tr | Virus
Click to expand...
Quite impressed with Forticlient about detecting CCleaner's suspicious behavior.
 
  • Like
Reactions: GonzitoVir and Syafiq
A

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
FortiClient helps connect endpoints to FortiSandbox, which uses behaviour-based analysis to automatically analyze in real-time all files downloaded to FortiClient endpoints.
Click to expand...
FortiClient itself doesn't include behavioural detection.
In the GUI under settings you will find 'Dynamic Thread Detection using threat intelligence data'. That's basically the BB and you can turn it on in the free version in the GUI.
Click to expand...
 
Last edited:
  • Like
Reactions: Cats-4_Owners-2 and vtqhtr413
D

Deleted member 65228

woodrowbone said:
Is this in the free version or do you have to be connected to their hardware?
Click to expand...
It'll probably connect to their cloud environment where the APT sandbox is present. The APT sandbox will basically execute the target under strict virtualisation and analyse behavior, format into detailed logs. The logs are interpreted to determine good from bad and vice-versa. It is basically Cuckoo on steroids x1000000 for stability, security, reliability/accuracy and efficiency.

I doubt they'd provide any of this for free. And its marketed for their endpoint protection, I don't think that will be free

If I am wrong then I am sure @ForgottenSeer 58943 will be able to correct me, he knows most about FortiClient than all of us here so he's the best person to ask
 
  • Like
Reactions: Cats-4_Owners-2, woodrowbone, Sunshine-boy and 3 others
F

ForgottenSeer 58943

Lots of questions...

1) You could use it just as a web filter (a very good one at that) by just installing the web filtration module during the installation and unchecking the other features. Howwever as someone else noted, you could also use FortiGuard DNS (for free) to do virtually the same thing.

Fortinet Secure DNS (malware/phishing/malvertising/botnet blocking)
208.91.112.53
208.91.112.52

2) It DOES include a BB now. In the GUI under settings you will find 'Dynamic Thread Detection using threat intelligence data'. That's basically the BB and you can turn it on in the free version in the GUI.

3) Sandbox aspects are not free. These work in conjunction with their appliances. As Opcode noted, it's an extremely advanced sandbox appliance that works on your network and if necessary integrates into the Forticlient. Without a Fortigate edge device AND FortiSandbox, you won't be able to use these features. However, you will have the benefit of everything else, including the exploit blocker, etc.

4) Exploit, BB (dynamic threat detection) don't use signatures. However Forticlient includes signatures for their other aspects such as the antivirus. By default, extreme signatures and deep heuristics are ON for on-demand scans but OFF for real-time protection. They can be ticked on for realtime under the INI settings posted about earlier. I recommend they be enabled unless you have an old, slow dual-core machine or something.

The benefit of having Fortinet hardware is - endpoint management, sandboxing, localized update pushes, compliance scans and as part of the Security Fabric of Fortinet. Otherwise, the free client does everything else.

As you can see from my setup, I have the full security fabric deployed.

ITPorn.png
 
  • Like
Reactions: Deletedmessiah, Cats-4_Owners-2, Deleted member 65228 and 10 others
D

Deleted member 65228

Sunshine-boy said:
What is the difference between hybrid-analysis, Cuckoo and FortiSandbox sandbox?
Click to expand...
Cuckoo injects code into the monitored sample and then it abuses this leverage to patch the memory of various routines exported by modules like NTDLL. It does attempt to identify attacks on its hooks and alike and prevent it but it won't be perfect. It doesn't "isolate" the sample itself. The logs may also be a bit misleading sometimes (as is Hybrid-Analysis) - e.g. the Windows Loader queries a registry key, now it shows in logs and makes you think the sample itself did that via the authors code... Now you are there wondering if it was internally done by Windows itself or not, because the logs for Cuckoo doesn't provide the call stack AFAIK (neither does Hybrid-Analysis in the same sense AFAIK).

FortiClient APT sandbox will isolate the sample under a virtualised environment (99% certain via hyper-visor utilisation) and 99% chance it will use kernel-mode for logging capabilities a lot. The logs will be extremely thorough and detailed, nicely formatted I'd predict.

Take it with a grain of salt, its speculation. But yes that is what Cuckoo does, and the FortiClient bit is speculation of my estimation. Considering its end point and used by real end points, it won't be at the level Cuckoo is. It is bound to be superior to Cuckoo
 
  • Like
Reactions: Deletedmessiah, Cats-4_Owners-2, silversurfer and 3 others
Danielx64

Danielx64

Level 10
Verified
Well-known
Mar 24, 2017
481
ForgottenSeer 58943 said:
Lots of questions...

1) You could use it just as a web filter (a very good one at that) by just installing the web filtration module during the installation and unchecking the other features. Howwever as someone else noted, you could also use FortiGuard DNS (for free) to do virtually the same thing.

Fortinet Secure DNS (malware/phishing/malvertising/botnet blocking)
208.91.112.53
208.91.112.52

2) It DOES include a BB now. In the GUI under settings you will find 'Dynamic Thread Detection using threat intelligence data'. That's basically the BB and you can turn it on in the free version in the GUI.

3) Sandbox aspects are not free. These work in conjunction with their appliances. As Opcode noted, it's an extremely advanced sandbox appliance that works on your network and if necessary integrates into the Forticlient. Without a Fortigate edge device AND FortiSandbox, you won't be able to use these features. However, you will have the benefit of everything else, including the exploit blocker, etc.

4) Exploit, BB (dynamic threat detection) don't use signatures. However Forticlient includes signatures for their other aspects such as the antivirus. By default, extreme signatures and deep heuristics are ON for on-demand scans but OFF for real-time protection. They can be ticked on for realtime under the INI settings posted about earlier. I recommend they be enabled unless you have an old, slow dual-core machine or something.

The benefit of having Fortinet hardware is - endpoint management, sandboxing, localized update pushes, compliance scans and as part of the Security Fabric of Fortinet. Otherwise, the free client does everything else.

As you can see from my setup, I have the full security fabric deployed.

ITPorn.png
Click to expand...


Thank you for the details, how much does the Fortinet hardware cost per year to run?
 
  • Like
Reactions: Deletedmessiah and Sunshine-boy
Status
Not open for further replies.

Similar threads

Trident
    • Like
    • Applause
Serious Discussion FinalAV - British Startup Offering Containment for Unsigned Processes
Replies
4
Views
713
Other security for Windows, Mac, Linux
lain
lain
Jonny Quest
    • Like
  • Question
Question How are websites analyzed for reputation?
Replies
5
Views
385
Web Extensions
Jonny Quest
Jonny Quest
Gandalf_The_Grey
    • Like
    • +Reputation
New Update Windows 10 KB5045594 update fixes multi-function printer bugs
Replies
0
Views
182
Windows 10
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top