Hopefully this is an appropriate forum to initiate this discussion on.
I have read documentation stating that FortiGate can retrieve scan results and details from FortiSandbox, and also receive antivirus and web filtering signatures to supplement the current signature database.
I have seen the scan results but am curious how the signature database is supplemented. Could anyone provide more detail on how that is handled and how I might be able to tell which updates to the signature database came from FortiSandbox?
Thank you,
John
John,
Today, the FSA will (if configured) share data with FortiGuard, to create updated AV package that will be consumed by every FGT device, but the FGT does not use the local generated FSA AV signatures or URL filters.
The supplemental DB signature will be used by FGT in the FOS 5.4 release. After that release, FGT will check the FSA for the local AV and URL package updates and use them for protection against the targeted APT types of attacks identified by FSA. This new approach greatly reduces the total response time before FGT can block malicious URLs and malware files - response time for FGT to start blocking will be minutes instead of hours.
Jim White
207-251-2155
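For readers who want to see what the arrangement Jim describes looks like on the box, here is an added FortiOS CLI fragment (not part of the original thread, and not Fortinet's own documentation). It assumes FortiOS 5.4 or later, a reachable FortiSandbox at the constructed address 192.0.2.10, and the "default" antivirus profile; the `analytics-db` option is the antivirus-profile setting that tells the FortiGate to consult the FortiSandbox-generated signature database alongside the FortiGuard AV databases. No equivalent is shown for the FSA URL package because the thread does not name one.

```fortios
# Added example, not from the original post.
# 1. Point the FortiGate at the local FortiSandbox appliance
#    (192.0.2.10 is a constructed address for illustration).
config system fortisandbox
    set status enable
    set server 192.0.2.10
end

# 2. Let the antivirus profile supplement the FortiGuard AV
#    databases with the FortiSandbox-generated signature database.
#    Without this, the FortiGate only uses the FortiGuard package,
#    which is the pre-5.4 behaviour Jim describes above.
config antivirus profile
    edit "default"
        set analytics-db enable
    next
end
```

Assumptions to verify on your own firmware: `analytics-db` is per antivirus profile, so it must be enabled on every profile applied to policies that should benefit; the profile still has to be attached to the relevant firewall policy for the supplemental signatures to be applied to traffic. Use the FortiGate's own update-status diagnostics (for example `diagnose autoupdate versions`) to confirm package versions after enabling this; which entries in that output reflect the FortiSandbox-sourced databases on a given release is not stated in this thread and should be checked against the release documentation rather than assumed.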
Exactly what I was looking for. Thanks Jim.
And what if you have a FortiSandbox subscription in the cloud? Will you also get the supplemental DB updates or is this an FSA-only feature? If not, what is the ETA of an updated AV signature in FortiGuard?
What happens when a user downloads a file that, after sandboxing in the cloud, appears to be malicious? Will this show up in the logs of the FortiGate? Secondly, when another user downloads the same file, will this be blocked because the file was already sandboxed and found to be malicious? Is this done via an MD5 hash query to the cloud?
Copyright 2024 Fortinet, Inc. All Rights Reserved.