Does FortiClient Av contain a BB?

Discussion in 'Other Security for Windows' started by SearchLight, Aug 17, 2017.

  1. SearchLight

    SearchLight Level 3

    Jul 3, 2017
    134
    221
    New Jersey
    Windows 10
    Malwarebytes
    Trying out FC, and so far it passed the Security Check on the AMTSO website.
    That being said, does FC contain or use a BB like the other AVs mentioned on this website?
     
  2. kev216

    kev216 Level 18
    Content Creator Trusted

    Aug 6, 2014
    896
    12,005
    Belgium
    Windows 10
    Sophos
    No it does not. It only has signatures, web protection, heuristics, exploit protection and an application firewall. No Behaviour blocker.
     
  3. Felipe Oliveira

    Felipe Oliveira Level 11

    Jan 17, 2014
    521
    3,146
    Medicine student
    Rio de Janeiro, Brazil
    Windows 10
    Comodo
    I installed FortiClient yesterday to use with my CF, just to see this new version, and I came across this new option, which translated into English means:

    "Dynamic Threat Detection Using Threat Intelligence Data"

    Has anyone tested and could tell how efficient this dynamic detection is?
     
  4. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,083
    4,345
    Fortinet Engineer
    USA
    Other OS
    There are two additional technologies in the latest Forticlient.

    1) Anti-Rootkit and MBR protection.
    2) Dynamic Threat Detection

    The first is self explanatory. The second utilizes threat intelligence data from all of the world's deployed FortiSandbox appliances and virtual machines to push out threat intelligence on zero-days and APTs. Essentially, when the FortiSandboxes get a hit, that data is sent to the threat intelligence systems and verified, and those traits are then pushed out to FortiClient. The premise behind this is that it has a significant chance to spot previously unknown and/or yet to be discovered advanced attacks and malware.
     
  5. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,083
    4,345
    Fortinet Engineer
    USA
    Other OS
    I would like to note - in May I uninstalled CCleaner, and on systems where I had CCleaner Cloud I removed it and cancelled the subscription. This was largely based on the fact that FortiSandbox and APT detections started flagging CCleaner. Any time I get a hit on FortiSandbox I perk up, big time. This started back in May, so I have had a nagging suspicion that CCleaner was compromised before the July/Aug time-frame they've publicly acknowledged.

    If my information isn't enough, others noticed Fortinet APT technologies starting to flag CCleaner with version 5.29.
    CCleaner detected as virus by FortiClient - CCleaner Discussion - Piriform Community Forums

    Sept. 18th Fortinet released an official signature update for the CCleaner trojan.
    W32/CCleaner.A!tr | Virus
     
  6. HarborFront

    HarborFront Level 33
    Content Creator

    Oct 9, 2016
    2,294
    5,745
    Far East
    Are these for the free or paid version? Thanks
     
  7. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,083
    4,345
    Fortinet Engineer
    USA
    Other OS
    Free, they are checkboxes in the free one.
     
  8. ifacedown

    ifacedown Level 17

    Jan 31, 2014
    826
    833
    Windows 10
    Microsoft
    Quite impressed with Forticlient about detecting CCleaner's suspicious behavior.
     
    GonzitoVir and Syafiq like this.
  9. DeepWeb

    DeepWeb Level 9

    Jul 1, 2017
    436
    1,412
    Nurse
    On a journey
    Windows 10
    Emsisoft
    Some people may even argue that FortiClient doesn't contain an AV. :ROFLMAO:
     
  10. Kubla

    Kubla Level 2

    Jan 22, 2017
    96
    249
    United States
    According to their site https://forticlient.com it does contain a "Signature less solution", but you would probably want to use it on top of your favorite signature-based AV as a multi-layer security setup.
     
    Cats-4_Owners-2 likes this.
  11. Azure Phoenix

    Azure Phoenix Level 19

    Oct 23, 2014
    920
    2,458
    Puerto Rico
    @Slyguy

    Can FortiClient be used as a standalone web filter together with other 3rd-party antivirus/antimalware solutions?
     
    Cats-4_Owners-2 likes this.
  12. d0ts

    d0ts Level 1

    Nov 9, 2017
    21
    61
    Viet Nam
    Windows 10
    Emsisoft
    Cats-4_Owners-2 likes this.
  13. woodrowbone

    woodrowbone Level 8

    Dec 24, 2011
    356
    559
    Hmm, on their homepage it reads almost at the top:

    "Automated Behaviour Based Protection against Unknown Threats"

    Is this in the free version or do you have to be connected to their hardware?

    /W
     
  14. Arequire

    Arequire Level 18

    Feb 10, 2017
    898
    2,803
    United Kingdom
    Windows 7
    Default-Deny
    #14 Arequire, Dec 16, 2017
    Last edited: Dec 16, 2017
    FortiClient itself doesn't include behavioural detection.
     
    Cats-4_Owners-2 and BryanB like this.
  15. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,284
    Caille
    Windows 10
    It'll probably connect to their cloud environment where the APT sandbox is present. The APT sandbox will basically execute the target under strict virtualisation, analyse behaviour and format it into detailed logs. The logs are interpreted to determine good from bad and vice versa. It is basically Cuckoo on steroids x1000000 for stability, security, reliability/accuracy and efficiency.

    I doubt they'd provide any of this for free. And it's marketed for their endpoint protection; I don't think that will be free.

    If I am wrong then I am sure @Slyguy will be able to correct me; he knows more about FortiClient than any of us here, so he's the best person to ask.
     
  16. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,083
    4,345
    Fortinet Engineer
    USA
    Other OS
    Lots of questions...

    1) You could use it just as a web filter (a very good one at that) by installing only the web filtering module during the installation and unchecking the other features. However, as someone else noted, you could also use FortiGuard DNS (for free) to do virtually the same thing.

    Fortinet Secure DNS (malware/phishing/malvertising/botnet blocking)
    208.91.112.53
    208.91.112.52

    2) It DOES include a BB now. In the GUI under settings you will find 'Dynamic Threat Detection using threat intelligence data'. That's basically the BB, and you can turn it on in the free version in the GUI.

    3) Sandbox aspects are not free. These work in conjunction with their appliances. As Opcode noted, it's an extremely advanced sandbox appliance that works on your network and if necessary integrates into the Forticlient. Without a Fortigate edge device AND FortiSandbox, you won't be able to use these features. However, you will have the benefit of everything else, including the exploit blocker, etc.

    4) Exploit protection and the BB (dynamic threat detection) don't use signatures. However, FortiClient includes signatures for its other aspects such as the antivirus. By default, extreme signatures and deep heuristics are ON for on-demand scans but OFF for real-time protection. They can be ticked on for real-time under the INI settings posted about earlier. I recommend they be enabled unless you have an old, slow dual-core machine or something.

    The benefit of having Fortinet hardware is - endpoint management, sandboxing, localized update pushes, compliance scans and as part of the Security Fabric of Fortinet. Otherwise, the free client does everything else.

    As you can see from my setup, I have the full security fabric deployed.

     
  17. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,166
    5,162
    IRAN
    Windows 10
    ESET
    What is the difference between hybrid-analysis, Cuckoo and FortiSandbox?
     
    Cats-4_Owners-2 and Trickster like this.
  18. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,284
    Caille
    Windows 10
    Cuckoo injects code into the monitored sample and then abuses this leverage to patch the memory of various routines exported by modules like NTDLL. It does attempt to identify attacks on its hooks and the like and prevent them, but it won't be perfect. It doesn't "isolate" the sample itself. The logs may also be a bit misleading sometimes (as is Hybrid-Analysis) - e.g. the Windows loader queries a registry key, now it shows in the logs and makes you think the sample itself did that via the author's code... Now you are there wondering if it was done internally by Windows itself or not, because the logs for Cuckoo don't provide the call stack AFAIK (neither does Hybrid-Analysis in the same sense AFAIK).

    The FortiClient APT sandbox will isolate the sample under a virtualised environment (99% certain via hypervisor utilisation) and there's a 99% chance it will use kernel-mode for logging capabilities a lot. The logs will be extremely thorough and detailed, nicely formatted I'd predict.

    Take it with a grain of salt, it's speculation. But yes, that is what Cuckoo does, and the FortiClient bit is my own speculation. Considering it's an endpoint product and used by real endpoints, it won't be at the level Cuckoo is. It is bound to be superior to Cuckoo.
     
  19. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,166
    5,162
    IRAN
    Windows 10
    ESET
    Thanks! So FortiSandbox > all kinds of malware analysis tools. Am I right? :D
     
    Deletedmessiah and BryanB like this.
  20. Danielx64

    Danielx64 Level 8

    Mar 24, 2017
    396
    1,689
    Australia
    Windows 10
    ESET

    Thank you for the details, how much does the Fortinet hardware cost per year to run?
     
    Deletedmessiah and Sunshine-boy like this.