Does FortiClient AV contain a BB?


Fel Grossi

I installed FortiClient yesterday to use with my CF, just to see this new version, and I came across this new option, which translated into English means:

"Dynamic Threat Detection Using Threat Intelligence Data"

Has anyone tested and could tell how efficient this dynamic detection is?

ForgottenSeer 58943


There are two additional technologies in the latest FortiClient.

1) Anti-Rootkit and MBR protection.
2) Dynamic Threat Detection

The first is self-explanatory. The second utilizes threat intelligence data from all of the world's deployed FortiSandbox appliances and virtual machines to push out threat intelligence on zero-days and APTs. Essentially, when the FortiSandboxes get a hit and that data is sent to the threat intelligence systems and verified, it then pushes those traits out to FortiClient. The premise behind this is that it has a significant chance to spot previously unknown and/or yet to be discovered advanced attacks and malware.
 

ForgottenSeer 58943

I would like to note - in May I uninstalled CCleaner, and on systems I had CCleaner Cloud on I removed it and cancelled the subscription. This was largely based on the fact that FortiSandbox and APT detections started flagging on CCleaner. Anytime I get a hit on FortiSandbox I perk up, big time. This started back in May, so I have had a nagging suspicion CCleaner were compromised before the July/Aug time-frame they've publicly acknowledged.

If my information isn't enough, others noticed Fortinet APT technologies starting to flag on CCleaner with version 5.29.
CCleaner detected as virus by FortiClient - CCleaner Discussion - Piriform Community Forums

Sept. 18th Fortinet released an official signature update for the CCleaner trojan.
W32/CCleaner.A!tr | Virus
 

HarborFront

Are these for the free or paid version? Thanks
 

ifacedown

Quite impressed with FortiClient about detecting CCleaner's suspicious behavior.
 

Arequire

FortiClient helps connect endpoints to FortiSandbox, which uses behaviour-based analysis to automatically analyze in real-time all files downloaded to FortiClient endpoints.
FortiClient itself doesn't include behavioural detection.
In the GUI under settings you will find 'Dynamic Threat Detection using threat intelligence data'. That's basically the BB and you can turn it on in the free version in the GUI.
 

Deleted member 65228

Is this in the free version or do you have to be connected to their hardware?
It'll probably connect to their cloud environment where the APT sandbox is present. The APT sandbox will basically execute the target under strict virtualisation and analyse behavior, formatted into detailed logs. The logs are interpreted to determine good from bad and vice versa. It is basically Cuckoo on steroids x1000000 for stability, security, reliability/accuracy and efficiency.

I doubt they'd provide any of this for free. And it's marketed for their endpoint protection; I don't think that will be free.

If I am wrong then I am sure @ForgottenSeer 58943 will be able to correct me. He knows more about FortiClient than all of us here, so he's the best person to ask.
 

ForgottenSeer 58943

Lots of questions...

1) You could use it just as a web filter (a very good one at that) by just installing the web filtration module during the installation and unchecking the other features. However, as someone else noted, you could also use FortiGuard DNS (for free) to do virtually the same thing.

Fortinet Secure DNS (malware/phishing/malvertising/botnet blocking)
208.91.112.53
208.91.112.52

2) It DOES include a BB now. In the GUI under settings you will find 'Dynamic Threat Detection using threat intelligence data'. That's basically the BB and you can turn it on in the free version in the GUI.

3) Sandbox aspects are not free. These work in conjunction with their appliances. As Opcode noted, it's an extremely advanced sandbox appliance that works on your network and if necessary integrates into the FortiClient. Without a FortiGate edge device AND FortiSandbox, you won't be able to use these features. However, you will have the benefit of everything else, including the exploit blocker, etc.

4) Exploit, BB (dynamic threat detection) don't use signatures. However, FortiClient includes signatures for their other aspects such as the antivirus. By default, extreme signatures and deep heuristics are ON for on-demand scans but OFF for real-time protection. They can be ticked on for real-time under the INI settings posted about earlier. I recommend they be enabled unless you have an old, slow dual-core machine or something.

The benefit of having Fortinet hardware is - endpoint management, sandboxing, localized update pushes, compliance scans and as part of the Security Fabric of Fortinet. Otherwise, the free client does everything else.

As you can see from my setup, I have the full security fabric deployed.


Deleted member 65228

What is the difference between hybrid-analysis, Cuckoo and FortiSandbox sandbox?
Cuckoo injects code into the monitored sample and then it abuses this leverage to patch the memory of various routines exported by modules like NTDLL. It does attempt to identify attacks on its hooks and the like and prevent them, but it won't be perfect. It doesn't "isolate" the sample itself. The logs may also be a bit misleading sometimes (as is Hybrid-Analysis) - e.g. the Windows Loader queries a registry key, now it shows in logs and makes you think the sample itself did that via the author's code... Now you are there wondering if it was internally done by Windows itself or not, because the logs for Cuckoo don't provide the call stack AFAIK (neither does Hybrid-Analysis in the same sense AFAIK).

FortiClient APT sandbox will isolate the sample under a virtualised environment (99% certain via hypervisor utilisation) and 99% chance it will use kernel-mode for logging capabilities a lot. The logs will be extremely thorough and detailed, nicely formatted I'd predict.

Take it with a grain of salt, it's speculation. But yes, that is what Cuckoo does, and the FortiClient bit is speculation of my estimation. Considering it's endpoint and used by real endpoints, it won't be at the level Cuckoo is. It is bound to be superior to Cuckoo.
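
The attribution problem raised in the post above (a hooked API call shows up in the log, but without a call stack you cannot tell whether the sample's code or the Windows loader made it) can be illustrated with a short triage script. This is an added example, not part of the original post and not code from Cuckoo, Hybrid-Analysis or Fortinet; the event format, module map, addresses and the names `module_of`, `attribute` and `triage` are all constructed assumptions.

```python
from bisect import bisect_right

# Constructed module map for one monitored process: (base, size, name).
MODULES = sorted([
    (0x00400000, 0x00020000, "sample.exe"),
    (0x74A00000, 0x000E0000, "kernel32.dll"),
    (0x77000000, 0x00180000, "ntdll.dll"),
])
SYSTEM = {"ntdll.dll", "kernel32.dll"}   # assumed set of OS modules
BASES = [m[0] for m in MODULES]

def module_of(addr):
    """Map a return address to the module containing it, or None."""
    i = bisect_right(BASES, addr) - 1
    if i >= 0:
        base, size, name = MODULES[i]
        if addr < base + size:
            return name
    return None  # not backed by a loaded image (e.g. allocated memory)

def attribute(event):
    """Label an event by the nearest non-system frame in its call stack."""
    for addr in event["stack"]:          # innermost frame first
        owner = module_of(addr)
        if owner is None:
            return "unbacked"            # code outside any module: review
        if owner not in SYSTEM:
            return owner                 # first caller outside the OS DLLs
    return "os-internal"                 # only system frames: loader/runtime

# Constructed hook-log events: same API, different origin.
EVENTS = [
    {"api": "NtOpenKey", "arg": r"HKLM\Constructed\LoaderKey",
     "stack": [0x77012345, 0x77054321]},
    {"api": "NtOpenKey", "arg": r"HKCU\Software\Constructed",
     "stack": [0x77012345, 0x74A11111, 0x00401A2B]},
    {"api": "NtWriteFile", "arg": r"C:\Temp\constructed.bin",
     "stack": [0x77013000, 0x02150010]},
]

def triage(events):
    """Return (api, origin) pairs so analysts can filter loader noise."""
    return [(e["api"], attribute(e)) for e in events]

if __name__ == "__main__":
    for api, origin in triage(EVENTS):
        print(f"{api:12} -> {origin}")
```

Events labelled `os-internal` are the loader-style noise the post describes, while `unbacked` frames (a caller in memory not backed by any loaded image) are usually the ones worth reviewing first.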
 

Danielx64

Thank you for the details, how much does the Fortinet hardware cost per year to run?
 