
Administration Guide

Express Malware Analysis

Express Malware Analysis provides a fast verdict on a submitted file. You can submit files up to 200MB by default via the GUI or the API (use the CLI command execute file-size-threshold to change the file size limit). Submitted files enter a queue in the system for analysis. Use Virtual Security Analyst > Express Malware Analysis to check the status of your submitted files and their verdicts.

Click View Sample Detail to view the sample's details. This page explains the verdict by showing the feature composition of the file. You can also find a list of related files with a similar score at the bottom of the page. To generate a report summary in PDF and JSON format, click Generate Report at the top right.

The VSA report has the following tabs at the bottom:

History: Displays the history of the same malware (by hash) on the network. FortiNDR does not go back and rescan files based on the previous verdict. If you want to rescan a file against the latest ANN, use a manual or API upload instead.

Similar files: FortiNDR has a similarity engine that analyzes files based on the features detected. This is useful for detecting variants of the original malware.

MITRE information (and Investigator view): For PE (portable executable) files, FortiNDR can optionally display a drill-down of the MITRE ATT&CK matrix showing the TTPs used by a particular malware.

IOC (Indicators of Compromise): For text-based malware, FortiNDR can optionally display more contextual information about the malware, such as whether the file contains abnormal JavaScript. This helps users understand why FortiNDR determined that it is malware.

When a zip file is uploaded, you can view the contents and verdict of the files in the zip file by double-clicking on the zip file entry.

Configuring the table

You can show or hide columns by clicking the gear icon in the header.

Click Configure Table to select the columns you want to show or hide.

Upload files using API

You can submit files for analysis using API with an API key. See Submit files.
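The following script is an added example, not part of this guide or of FortiNDR's own tooling, showing the client-side checks an operator would want around an API submission: hashing the sample (the History tab correlates prior verdicts by hash), enforcing the 200MB default size limit before the upload is attempted, and skipping repeats unless a rescan against the latest ANN is wanted. The endpoint path, the API key header format and the raw-bytes POST body are placeholders and assumptions; take the real values from the Submit files API reference.

```python
import hashlib
import os
import sys
import tempfile
import urllib.request

# Default per-file limit quoted by the guide (200MB). The appliance-side limit
# is changed with "execute file-size-threshold"; keep this value in sync with it.
DEFAULT_LIMIT_BYTES = 200 * 1024 * 1024

# Placeholders (assumptions): the real endpoint path and API key header
# are documented under "Submit files" and are not reproduced here.
ENDPOINT = "https://<fortindr-host>/api/<submit-files-path>"
API_KEY_HEADER = "Authorization"


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large samples never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def precheck(path, limit_bytes=DEFAULT_LIMIT_BYTES, seen_hashes=()):
    """Decide whether a file is worth submitting.

    Returns the file's size, SHA-256 and a 'reason' string that is empty when
    the file should be submitted. seen_hashes is a local record of hashes
    already uploaded; FortiNDR does not rescan on its own, so re-uploading a
    seen hash is only useful when a verdict from the latest ANN is wanted.
    """
    size = os.path.getsize(path)
    digest = sha256_of_file(path)
    reason = ""
    if size == 0:
        reason = "empty file"
    elif size > limit_bytes:
        reason = f"{size} bytes exceeds the {limit_bytes} byte limit"
    elif digest in seen_hashes:
        reason = "already submitted; check the History tab unless a rescan is wanted"
    return {"path": path, "size": size, "sha256": digest, "reason": reason}


def build_request(path, api_key, endpoint=ENDPOINT):
    """Build (but do not send) the upload request carrying the API key.

    A raw-bytes body and a Bearer token are assumptions for this example.
    """
    with open(path, "rb") as fh:
        body = fh.read()
    return urllib.request.Request(
        endpoint,
        data=body,
        method="POST",
        headers={
            API_KEY_HEADER: f"Bearer {api_key}",
            "Content-Type": "application/octet-stream",
        },
    )


def demo():
    """Run the prechecks on a constructed sample and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.txt")  # constructed sample file
        with open(sample, "wb") as fh:
            fh.write(b"hello")
        req = build_request(sample, "example-api-key")
        return {
            "fresh": precheck(sample),
            "too_big": precheck(sample, limit_bytes=3),
            "repeat": precheck(sample, seen_hashes={sha256_of_file(sample)}),
            "method": req.get_method(),
            "auth": req.get_header("Authorization"),
        }


if __name__ == "__main__":
    # Usage: python submit_check.py <api-key> <file> [<file> ...]
    # Files that pass the prechecks are uploaded; the rest are reported.
    api_key, paths = sys.argv[1], sys.argv[2:]
    submitted = set()
    for path in paths:
        result = precheck(path, seen_hashes=submitted)
        if result["reason"]:
            print(f"skip {path}: {result['reason']}")
            continue
        with urllib.request.urlopen(build_request(path, api_key)) as resp:
            print(f"submitted {path} sha256={result['sha256']} status={resp.status}")
        submitted.add(result["sha256"])
```

The prechecks run entirely offline; only the `__main__` block contacts the appliance. Recording submitted hashes locally mirrors what the History tab shows on the appliance side and stops the same sample from being queued twice by accident.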
