Felipe Oliveira

Level 12
MH Trial
Verified
Joined
Jan 17, 2014
Messages
561
Operating System
Windows 10
Antivirus
Comodo
#3
I installed Forticlient yesterday, to use with my CF just to see this new version and I came across this new option, which translated into English means:

"Dynamic Threat Detection Using Threat Intelligence Data"

Has anyone tested and could tell how efficient this dynamic detection is?
 

Slyguy

Level 39
Content Creator
Verified
Joined
Jan 27, 2017
Messages
2,836
Operating System
Other OS
#4
> I installed Forticlient yesterday, to use with my CF just to see this new version and I came across this new option, which translated into English means:
>
> "Dynamic Threat Detection Using Threat Intelligence Data"
>
> Has anyone tested and could tell how efficient this dynamic detection is?
There are two additional technologies in the latest Forticlient.

1) Anti-Rootkit and MBR protection.
2) Dynamic Threat Detection

The first is self-explanatory. The second utilizes threat intelligence data from all of the world's deployed FortiSandbox appliances and virtual machines to push out threat intelligence on zero-days and APTs. Essentially, when the FortiSandboxes get a hit, that data is sent to the threat intelligence systems and verified; it then pushes those traits out to FortiClient. The premise behind this is that it has a significant chance to spot previously unknown and/or yet-to-be-discovered advanced attacks and malware.
 

Slyguy

Level 39
Content Creator
Verified
Joined
Jan 27, 2017
Messages
2,836
Operating System
Other OS
#5
I would like to note - in May I uninstalled CCleaner, and on systems I had CCleaner Cloud on I removed it and cancelled the subscription. This was largely based on the fact that FortiSandbox and APT detections started flagging on CCleaner. Anytime I get a hit on FortiSandbox I perk up, big time. This started back in May, so I have had a nagging suspicion CCleaner was compromised before the July/Aug time-frame they've publicly acknowledged.

If my information isn't enough, others noticed Fortinet APT technologies starting to flag on CCleaner with version 5.29.
CCleaner detected as virus by FortiClient - CCleaner Discussion - Piriform Community Forums

Sept. 18th Fortinet released an official signature update for the CCleaner trojan.
W32/CCleaner.A!tr | Virus
 

HarborFront

Level 43
Content Creator
Verified
Joined
Oct 9, 2016
Messages
3,214
#6
> There are two additional technologies in the latest Forticlient.
>
> 1) Anti-Rootkit and MBR protection.
> 2) Dynamic Threat Detection
>
> The first is self-explanatory. The second utilizes threat intelligence data from all of the world's deployed FortiSandbox appliances and virtual machines to push out threat intelligence on zero-days and APTs. Essentially, when the FortiSandboxes get a hit, that data is sent to the threat intelligence systems and verified; it then pushes those traits out to FortiClient. The premise behind this is that it has a significant chance to spot previously unknown and/or yet-to-be-discovered advanced attacks and malware.
Are these for the free or paid version? Thanks
 

ifacedown

Level 18
Verified
Joined
Jan 31, 2014
Messages
851
Operating System
Windows 10
Antivirus
Windows Defender
#8
> I would like to note - in May I uninstalled CCleaner, and on systems I had CCleaner Cloud on I removed it and cancelled the subscription. This was largely based on the fact that FortiSandbox and APT detections started flagging on CCleaner. Anytime I get a hit on FortiSandbox I perk up, big time. This started back in May, so I have had a nagging suspicion CCleaner was compromised before the July/Aug time-frame they've publicly acknowledged.
>
> If my information isn't enough, others noticed Fortinet APT technologies starting to flag on CCleaner with version 5.29.
> CCleaner detected as virus by FortiClient - CCleaner Discussion - Piriform Community Forums
>
> Sept. 18th Fortinet released an official signature update for the CCleaner trojan.
> W32/CCleaner.A!tr | Virus
Quite impressed with Forticlient about detecting CCleaner's suspicious behavior.
 

Arequire

Level 21
Content Creator
Verified
Joined
Feb 10, 2017
Messages
1,090
Operating System
Windows 10
Antivirus
#14
FortiClient helps connect endpoints to FortiSandbox, which uses behaviour-based analysis to automatically analyze in real-time all files downloaded to FortiClient endpoints.
FortiClient itself doesn't include behavioural detection.
In the GUI under settings you will find 'Dynamic Thread Detection using threat intelligence data'. That's basically the BB and you can turn it on in the free version in the GUI.
 

Deleted member 65228

Guest
#15
> Is this in the free version or do you have to be connected to their hardware?
It'll probably connect to their cloud environment where the APT sandbox is present. The APT sandbox will basically execute the target under strict virtualisation, analyse behaviour, and format it into detailed logs. The logs are interpreted to determine good from bad and vice versa. It is basically Cuckoo on steroids x1000000 for stability, security, reliability/accuracy and efficiency.

I doubt they'd provide any of this for free. And it's marketed for their endpoint protection; I don't think that will be free.

If I am wrong then I am sure @Slyguy will be able to correct me; he knows more about FortiClient than all of us here, so he's the best person to ask.
 

Slyguy

Level 39
Content Creator
Verified
Joined
Jan 27, 2017
Messages
2,836
Operating System
Other OS
#16
Lots of questions...

1) You could use it just as a web filter (a very good one at that) by just installing the web filtration module during the installation and unchecking the other features. However, as someone else noted, you could also use FortiGuard DNS (for free) to do virtually the same thing.

Fortinet Secure DNS (malware/phishing/malvertising/botnet blocking)
208.91.112.53
208.91.112.52

2) It DOES include a BB now. In the GUI under settings you will find 'Dynamic Thread Detection using threat intelligence data'. That's basically the BB and you can turn it on in the free version in the GUI.

3) Sandbox aspects are not free. These work in conjunction with their appliances. As Opcode noted, it's an extremely advanced sandbox appliance that works on your network and if necessary integrates into the Forticlient. Without a Fortigate edge device AND FortiSandbox, you won't be able to use these features. However, you will have the benefit of everything else, including the exploit blocker, etc.

4) Exploit, BB (dynamic threat detection) don't use signatures. However Forticlient includes signatures for their other aspects such as the antivirus. By default, extreme signatures and deep heuristics are ON for on-demand scans but OFF for real-time protection. They can be ticked on for realtime under the INI settings posted about earlier. I recommend they be enabled unless you have an old, slow dual-core machine or something.

The benefit of having Fortinet hardware is - endpoint management, sandboxing, localized update pushes, compliance scans and as part of the Security Fabric of Fortinet. Otherwise, the free client does everything else.

As you can see from my setup, I have the full security fabric deployed.

 

Deleted member 65228

Guest
#18
> What is the difference between hybrid-analysis, Cuckoo and FortiSandbox sandbox?
Cuckoo injects code into the monitored sample and then it abuses this leverage to patch the memory of various routines exported by modules like NTDLL. It does attempt to identify attacks on its hooks and the like and prevent them, but it won't be perfect. It doesn't "isolate" the sample itself. The logs may also be a bit misleading sometimes (as is Hybrid-Analysis) - e.g. the Windows Loader queries a registry key, now it shows in the logs and makes you think the sample itself did that via the author's code... Now you are there wondering if it was internally done by Windows itself or not, because the logs for Cuckoo don't provide the call stack AFAIK (neither does Hybrid-Analysis in the same sense AFAIK).

FortiClient APT sandbox will isolate the sample under a virtualised environment (99% certain via hypervisor utilisation) and 99% chance it will use kernel-mode for logging capabilities a lot. The logs will be extremely thorough and detailed, nicely formatted I'd predict.

Take it with a grain of salt, it's speculation. But yes, that is what Cuckoo does, and the FortiClient bit is speculation of my estimation. Considering it's endpoint and used by real endpoints, it won't be at the level Cuckoo is. It is bound to be superior to Cuckoo.
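The post above makes the point that a sandbox log without call stacks cannot tell you whether a registry query came from the sample's own code or from the Windows loader doing routine housekeeping. The following is an added example (not code from this thread, from Cuckoo, Hybrid-Analysis or Fortinet) of what an analyst does with that missing piece once a monitor records it: walk the return-address stack outward from the syscall stub and attribute each event to the first frame that is not an OS module. The event format, module names, offsets and the four sample events are all constructed for the example; real sandbox exports differ.

```python
"""Attribute sandbox API events to the sample or to the OS using call stacks.

Constructed log model (an assumption, not any real sandbox's format): each
event records the API name, its arguments and a return-address call stack
listed innermost frame first, as (module, offset) pairs.
"""
from dataclasses import dataclass

SAMPLE_MODULE = "sample.exe"  # constructed: image name of the monitored binary
# Modules whose frames mean "Windows did this on the sample's behalf".
SYSTEM_MODULES = {"ntdll.dll", "kernelbase.dll", "kernel32.dll", "advapi32.dll"}
REGISTRY_APIS = {"NtOpenKey", "NtQueryValueKey", "NtSetValueKey"}


@dataclass
class Event:
    api: str
    args: dict
    stack: list  # [(module, offset), ...], innermost frame first


# Constructed events. The first two are loader/runtime activity whose whole
# stack lives in ntdll; the last two originate in the sample's own code.
EVENTS = [
    Event("NtQueryValueKey",
          {"key": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"},
          [("ntdll.dll", 0x5A3C0), ("ntdll.dll", 0x3F120)]),
    Event("NtOpenKey",
          {"key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"},
          [("ntdll.dll", 0x5A100), ("ntdll.dll", 0x3E010)]),
    Event("NtQueryValueKey",
          {"key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
          [("ntdll.dll", 0x5A3C0), ("advapi32.dll", 0x12340), ("sample.exe", 0x1A2B)]),
    Event("NtCreateFile",
          {"path": r"C:\Users\user\AppData\Roaming\svc.exe"},
          [("ntdll.dll", 0x4B000), ("kernelbase.dll", 0x22000), ("sample.exe", 0x2C10)]),
]


def first_non_system_frame(stack):
    """Return the outermost-first frame that is not an OS module, or None when
    every frame is a system module (i.e. loader/runtime activity)."""
    for module, offset in stack:
        if module.lower() not in SYSTEM_MODULES:
            return module, offset
    return None


def attribute(events):
    """Split events into those issued by the sample's code and OS-internal ones."""
    sample_issued, os_internal = [], []
    for ev in events:
        frame = first_non_system_frame(ev.stack)
        if frame is not None and frame[0].lower() == SAMPLE_MODULE:
            sample_issued.append(ev)
        else:
            os_internal.append(ev)
    return sample_issued, os_internal


def registry_events_without_stacks(events):
    """What a stack-less log shows: every registry API call counts against the sample."""
    return sum(1 for ev in events if ev.api in REGISTRY_APIS)


def registry_events_by_sample(events):
    """What stack attribution shows: only registry calls that trace back to the sample."""
    sample_issued, _ = attribute(events)
    return sum(1 for ev in sample_issued if ev.api in REGISTRY_APIS)


if __name__ == "__main__":
    flat, attributed = registry_events_without_stacks(EVENTS), registry_events_by_sample(EVENTS)
    print(f"registry calls in a flat log: {flat}; attributable to the sample: {attributed}")
    for ev in attribute(EVENTS)[0]:
        print("sample-issued:", ev.api, ev.args)
```

On the constructed input a flat log reports three registry calls, while stack attribution reduces that to the one Run-key query the sample actually made, which is also the only one of the three worth a persistence note. A monitor that hooks from inside the process would additionally need its own hook module added to the set of frames to skip, and a sample that spoofs return addresses can defeat this walk, which is one reason kernel- or hypervisor-level tracing is preferred.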
 

Danielx64

Level 10
Verified
Joined
Mar 24, 2017
Messages
485
Operating System
Windows 10
Antivirus
ESET
#20
> Lots of questions...
>
> 1) You could use it just as a web filter (a very good one at that) by just installing the web filtration module during the installation and unchecking the other features. However, as someone else noted, you could also use FortiGuard DNS (for free) to do virtually the same thing.
>
> Fortinet Secure DNS (malware/phishing/malvertising/botnet blocking)
> 208.91.112.53
> 208.91.112.52
>
> 2) It DOES include a BB now. In the GUI under settings you will find 'Dynamic Thread Detection using threat intelligence data'. That's basically the BB and you can turn it on in the free version in the GUI.
>
> 3) Sandbox aspects are not free. These work in conjunction with their appliances. As Opcode noted, it's an extremely advanced sandbox appliance that works on your network and if necessary integrates into the Forticlient. Without a Fortigate edge device AND FortiSandbox, you won't be able to use these features. However, you will have the benefit of everything else, including the exploit blocker, etc.
>
> 4) Exploit, BB (dynamic threat detection) don't use signatures. However Forticlient includes signatures for their other aspects such as the antivirus. By default, extreme signatures and deep heuristics are ON for on-demand scans but OFF for real-time protection. They can be ticked on for realtime under the INI settings posted about earlier. I recommend they be enabled unless you have an old, slow dual-core machine or something.
>
> The benefit of having Fortinet hardware is - endpoint management, sandboxing, localized update pushes, compliance scans and as part of the Security Fabric of Fortinet. Otherwise, the free client does everything else.
>
> As you can see from my setup, I have the full security fabric deployed.


Thank you for the details, how much does the Fortinet hardware cost per year to run?