
Administration Guide


Express Malware Analysis

Use Express Malware Analysis to quickly upload a file to get the verdict. Express Malware Analysis is supported in both the GUI and the API. The default file size limit is 200MB. The file size limit can be changed using the CLI.

For information about using the API to submit files, see Appendix A - API guide > Submit files.

To change the file size limit with the CLI:

execute file-size-threshold

To submit a file for Express Malware Analysis:
  1. Go to Virtual Security Analyst > Express Malware Analysis. The Submit New File window opens.

  2. In the Password field, enter the password for the file. If the file does not require a password, FortiNDR will use Infected by default. The Password field is displayed whether the file requires a password or not.
  3. Click Upload and then click OK. The verdict is displayed.

  4. Click View Sample Detail to view the sample information. This page explains the verdict by showing the feature composition of the file.

    There are four tabs at the bottom of the page:

    History
        Displays the history of the same malware (by hash) on the network.
        FortiNDR does not go back and rescan files based on the previous verdict. If you want to rescan a file with the latest ANN, use a manual or API upload instead.

    Similar files
        FortiNDR has a similarity analysis engine based on the features detected. This is useful for detecting variants of the original malware.

    MITRE information (and Investigator view)
        For Portable Executable (PE) files, FortiNDR can display a drill-down of the MITRE ATT&CK matrix that shows the TTPs used by a particular malware sample.

    IOC (Indicators of Compromise)
        For text-based malware, FortiNDR can display more contextual information, such as the file containing abnormal JavaScript. This helps you understand why FortiNDR determined that the file is malware.

    When a zip file is uploaded, double-click the entry to view the contents and verdict of the files.

  5. (Optional) Click Generate Report to view the report summary in PDF and JSON format.
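The following pre-flight check is an added example and is not part of the FortiNDR product or this guide. It mirrors the rules the procedure above relies on (the default 200MB upload limit, the "Infected" archive password that FortiNDR assumes when none is entered, the per-entry verdicts shown for zip uploads, and the hash used by the History tab) so an analyst can validate a sample locally before submitting it; the sample zip and the function names are constructed for the example.

```python
import hashlib
import io
import zipfile
from typing import Optional

# Default Express Malware Analysis upload limit from the guide; it can be changed
# on the CLI with "execute file-size-threshold". Both constants are this example's own.
DEFAULT_LIMIT_BYTES = 200 * 1024 * 1024
DEFAULT_ARCHIVE_PASSWORD = "Infected"  # password FortiNDR assumes when none is given


def preflight(data: bytes, password: Optional[str] = None,
              limit_bytes: int = DEFAULT_LIMIT_BYTES) -> dict:
    """Check a sample before uploading it for Express Malware Analysis.

    Returns the SHA-256 (the key the History tab matches on), whether the sample
    is within the size threshold, and, for zip archives, the entries FortiNDR
    will show individually plus the password it will try to open them with.
    """
    result = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "within_limit": len(data) <= limit_bytes,
        "is_zip": False,
        "entries": [],
        "password_used": None,
    }
    if zipfile.is_zipfile(io.BytesIO(data)):
        result["is_zip"] = True
        # No password entered means FortiNDR falls back to "Infected".
        result["password_used"] = password or DEFAULT_ARCHIVE_PASSWORD
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                result["entries"].append({
                    "name": info.filename,
                    "size": info.file_size,
                    # Bit 0 of the general-purpose flag marks an encrypted entry.
                    "encrypted": bool(info.flag_bits & 0x1),
                })
    return result


def build_sample_zip() -> bytes:
    """Constructed sample: a harmless text file inside an unencrypted zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "placeholder content for the example")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in preflight(build_sample_zip()).items():
        print(f"{key}: {value}")
```

If an entry reports encrypted with no password supplied, expect FortiNDR to try "Infected"; pass the real password in the Password field instead.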

Configuring the table

You can show or hide columns by clicking the gear icon in the header.

Click Configure Table to select the columns you want to show or hide.
