FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
gnitzan
Staff
Article Id 284719
Description

 

Scope

 

FortiEDR v5.2 and up - FortiEDR AV Signatures update architecture and flow from Cloud to Collector.

 

Solution
 

Fortinet publishes AV signature updates regularly and distributes them to Fortinet products that have AV Signatures update enabled. For FortiEDR, the following types of update files are present on the endpoint under %ProgramData%\FortiEDR\Config\Collector\Signatures.

 

[Image: AVsigupdate1.PNG]

 

Enabling AV Signatures Update:

It is possible to enable or disable AV signature updates for an environment, a specific organization, or a group of Collectors via dynamic content in FortiEDR.

 

[Image: AVsigupdate2.PNG]

 

AV Signatures Update Workflow:
When AV Signatures update is enabled, FortiEDR performs the following steps to deliver the AV Signatures update file to the Collector:

 

[Image: AVsigupdate3.PNG]

 

  1. The Collector reaches out to the Aggregator every five minutes on port 8081. This interval cannot be changed.
  2. The Aggregator then reaches out to the Containers Infrastructure on port 8090.
  3. The Containers Infrastructure checks its local configuration file (which maps each FortiEDR Collector
     version to an AV Signatures version) to see whether an AV Signatures update is available for the Collector
     version:
     • If not, the Containers Infrastructure does nothing.
     • If an AV Signatures update is available and has already been downloaded to the local database, the
       Containers Infrastructure sends the update file back to the Collector through the Aggregator.
     • If an AV Signatures update is available but has not yet been downloaded to the local database, the
       following happens:
       • The Containers Infrastructure sends a request to the Central Manager on port 8091.
       • The Central Manager downloads the AV Signatures update file from the GCP bucket (via proxy if one
         is defined) and returns the file to the Containers Infrastructure.
       • The Containers Infrastructure sends the update file back to the Collector through the Aggregator.

 

Configuration File Update Process:
The Containers Infrastructure stores a configuration file that maps each FortiEDR Collector version to an AV Signatures version. Once an hour, the Containers Infrastructure contacts the Central Manager on port 8091 to request a check of the configuration status, that is, whether this Collector-to-AV-Signatures mapping is still current.

 

This configuration file is updated regularly as follows:

  1. Following such a request, the Central Manager reaches out to the FortiEDR Cloud Service (FCS) at
     fortiavcloud.ensilo.com:443 (via proxy if one is defined) to retrieve the URL of the latest configuration file
     in the GCP bucket.
  2. The Central Manager then compares the new URL with the one last retrieved by the Containers Infrastructure.
     Depending on the comparison result, the following happens:
     • If the new URL is the same as or older than the one last retrieved by the Containers Infrastructure, no
       change is made to the configuration file.
     • If the new URL is newer than the one last retrieved by the Containers Infrastructure, the following happens:
       • The Central Manager retrieves the latest configuration file (.json, dozens of KB) from the GCP bucket at
         storagegoogleapi.com:443 (via proxy if one is defined) and sends the file back to the Containers
         Infrastructure.
       • The Containers Infrastructure saves the configuration file and parses it.
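The two decision flows above (the per-check-in update decision and the hourly configuration refresh), modelled as an added Python example; this is not Fortinet code. The JSON layout, the version strings and the URL format are constructed assumptions, since the page does not document the configuration file's schema.

```python
import json

# Constructed sample of the configuration file that maps each FortiEDR Collector
# version to the AV Signatures version it should run. The real file is JSON, but
# its schema is not documented on this page, so this layout is an assumption.
CONFIG_JSON = '{"mappings": {"5.2.0": "20240301", "5.2.1": "20240315"}}'

def load_mapping(config_text):
    """Parse the configuration file into {collector_version: av_signature_version}."""
    return json.loads(config_text)["mappings"]

def decide_update(mapping, collector_version, current_sig, local_db):
    """Decision the Containers Infrastructure makes on one Collector check-in.

    local_db is the set of AV Signatures versions already downloaded to the local
    database. Version strings are assumed to sort lexicographically (constructed).
    """
    wanted = mapping.get(collector_version)
    if wanted is None or wanted <= current_sig:
        return "none"                       # no newer signatures for this version
    if wanted in local_db:
        return "serve_from_local_db"        # reply to the Collector via the Aggregator
    return "fetch_via_central_manager"      # port 8091 -> GCP bucket, then reply

def simulate_checkins(mapping, collector_version, current_sig, local_db, rounds):
    """Run several five-minute check-ins. A fetched file lands in the local database
    and is served in the same round, so the Collector is current afterwards.
    Returns the list of actions taken, one per round."""
    actions = []
    for _ in range(rounds):
        action = decide_update(mapping, collector_version, current_sig, local_db)
        actions.append(action)
        if action == "fetch_via_central_manager":
            local_db.add(mapping[collector_version])   # now cached for other Collectors
            current_sig = mapping[collector_version]
        elif action == "serve_from_local_db":
            current_sig = mapping[collector_version]
    return actions

def config_refresh_action(new_url, last_url):
    """Hourly configuration check by the Central Manager: only a URL newer than the
    one last retrieved causes a download; the same or an older URL leaves the file
    untouched. Assumes the URL embeds a sortable timestamp (constructed assumption)."""
    if last_url is not None and new_url <= last_url:
        return "keep_existing_config"
    return "download_new_config"
```

The first Collector of a given version pays the Central Manager round trip; later Collectors of that version are served from the local database, which is what the cached-versus-uncached branches above describe.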

 

Verifying the current AV signatures on a Windows FortiEDR Collector:

 

To verify which AV signature versions are currently running on a FortiEDR Collector, run the following command from a CMD prompt on the Windows machine:

 

C:\Program Files\Fortinet\FortiEDR>FortiEDRCollectorService.exe --estatus

 

Example output:

[Image: collector AV.png]

 

AV signature information is available only on the Collectors themselves. These details are not shown in the FortiEDR Manager console and must be checked on each Collector directly.