Cloud-based threat detection
Outbreak protection service provides another layer of protection where FortiClient initiates a real-time cloud lookup of our Global Threat Intelligence database so it can detect and block emerging threats and continue to provide latest protection. FortiClient 6.2.2 adds support for cloud-based threat detection for macOS.
The following describes the process for cloud-based threat detection:
- A high-risk file, such as an email attachment, network shared resource, webpage, or removable media device is downloaded or executed on the endpoint.
- FortiClient generates an SHA1 checksum for the file.
- FortiClient sends the checksum to FortiGuard to determine if it is malicious against the FortiGuard checksum library.
- One of the following occurs:
- If the checksum is found in the library, FortiGuard communicates to FortiClient that the file is deemed malware in the form of a score. A score of 1 is deemed high-risk. By default, FortiClient quarantines the file and terminates any related process.
- If the checksum is not found in the library, FortiClient submits the file to the configured on-premise FortiSandbox for further analysis. The following shows a file where the checksum does not match any in FortiGuard, but is quarantined by FortiClient using the analysis score from FortiSandbox.
This service only submits high-risk file types. Cloud-based threat detection supports the same default supported file types as FortiSandbox, such as .exe, .doc, .pdf, and .dll.
To access this feature, the endpoint must have the AntiVirus feature installed. When configuring a deployment package for endpoints desired to use cloud-based threat detection, ensure that you enable AntiVirus and Cloud Based Malware Outbreak Detection. |
To configure cloud-based threat detection in the EMS GUI:
- In EMS, go to Endpoint Profiles. Select the desired profile.
- On the Malware Protection tab, enable Cloud Based Malware Detection.
To configure cloud-based threat detection by configuring the XML file:
You can configure more advanced options by editing the XML configuration file. You can configure the timeout value, exclusions/exceptions, remediation actions, and events. The following shows a sample XML configuration:
<cloudscan>
<enabled>1</enabled>
<exceptions>
<folders>
</folders>
<files>
</files>
<exclude_files_from_trusted_sources>1</exclude_files_from_trusted_sources>
<exclude_files_and_folders>0</exclude_files_and_folders>
</exceptions>
<response_timeout>5</response_timeout>
<when>
<executables_on_removable_media>1</executables_on_removable_media>
<executables_on_mapped_nw_drives>0</executables_on_mapped_nw_drives>
<web_downloads>1</web_downloads>
<email_downloads>1</email_downloads>
</when>
<remediation>
<action>quarantine</action>
<on_error>allow</on_error>
</remediation>
</cloudscan>