Administration Guide

Static Filter

Use the Static Filter to manage an Allow hash list and a Block (Deny) hash list. This is useful when dealing with outbreaks: for example, you can insert the hash of an outbreak malware sample so that FortiNDR identifies it as malicious. The opposite use case is files that administrators have determined are clean: hashes in the Allow list are not processed by ANN and AV, and FortiNDR marks those files as clean.

In Center mode, Static Filter is associated with specific sensors. These filters allow you to create and modify an Allow or Deny list for targeted sensors.

The Static Filter contains two lists of file hashes. You can enter MD5, SHA1, or SHA256 hashes, and a match on either list alters the verdict of incoming samples.

  • Files with hashes in the Allow List are marked as Clean.
  • Files with hashes in the Deny List are marked as Malicious and tagged with a Detection Name of StaticFilter.AI.D.

The effect of the static filter is prospective: it applies only to samples received after the filter entry is added. Adding a duplicate hash entry does not create a second entry; it updates the existing entry's timestamp to the current date.

For clashes, such as the same hash appearing in both the Allow List and the Deny List, FortiNDR flags the entry with the filter type Ambiguous so that you can remove the conflicting entry.
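The rules above (three accepted digest types, Allow beats analysis and yields Clean, Deny yields Malicious with detection name StaticFilter.AI.D, prospective effect, duplicate entries refreshing a timestamp, and an Ambiguous flag on clashes) can be modelled in a few dozen lines. The block below is an added illustration of that behaviour, not FortiNDR code; the class and function names, the epoch-second timestamps, and the choice to fall through to normal analysis on a clash are all assumptions made for the example.

```python
"""Toy model of a hash-based static filter with Allow and Deny lists.

Added illustration of the behaviour described on this page; it is not
FortiNDR code, and every name here (StaticFilter, verdict, ...) is an
assumption. Times are plain epoch seconds to keep the example short.
"""
import hashlib
import re

# Accepted digest lengths: MD5 (32 hex chars), SHA1 (40), SHA256 (64)
_HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

DETECTION_NAME = "StaticFilter.AI.D"  # detection name the page gives for Deny hits


def normalize_hash(value: str) -> str:
    """Return the hash lowercased, or raise ValueError if it is not an
    MD5/SHA1/SHA256 hex digest (catches pasted whitespace and wrong lengths)."""
    h = value.strip().lower()
    if len(h) not in _HEX_LENGTHS or not _HEX_RE.match(h):
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return h


def digests_of(sample: bytes) -> dict:
    """All three digests of a sample, so any hash type on the lists can match."""
    return {name: hashlib.new(name, sample).hexdigest()
            for name in ("md5", "sha1", "sha256")}


class StaticFilter:
    def __init__(self):
        # hash -> epoch time the entry was added or last re-added
        self.allow = {}
        self.deny = {}

    def add(self, list_name: str, value: str, now: float) -> None:
        """Add a hash to 'allow' or 'deny'. A duplicate entry is not
        rejected; it just refreshes the entry's timestamp."""
        target = {"allow": self.allow, "deny": self.deny}[list_name]
        target[normalize_hash(value)] = now

    def entry_type(self, value: str) -> str:
        """Classify one list entry: Allow, Deny, Ambiguous (on both) or None."""
        h = normalize_hash(value)
        if h in self.allow and h in self.deny:
            return "Ambiguous"  # clash the operator resolves by removing one entry
        if h in self.allow:
            return "Allow"
        if h in self.deny:
            return "Deny"
        return "None"

    def verdict(self, sample: bytes, received: float) -> dict:
        """Static-filter decision for one sample.

        'Clean' or 'Malicious' short-circuits analysis; 'Analyze' means the
        sample falls through to the normal ANN/AV pipeline.
        """
        digests = digests_of(sample).values()
        # Prospective: an entry only counts for samples received after it was added.
        allow_hit = any(d in self.allow and self.allow[d] < received for d in digests)
        deny_hit = any(d in self.deny and self.deny[d] < received for d in digests)
        if allow_hit and deny_hit:
            # Clash: flag it and let the normal pipeline decide (assumption;
            # the page only says the entry is flagged Ambiguous).
            return {"verdict": "Analyze", "detection": None, "ambiguous": True}
        if allow_hit:
            return {"verdict": "Clean", "detection": None, "ambiguous": False}
        if deny_hit:
            return {"verdict": "Malicious", "detection": DETECTION_NAME, "ambiguous": False}
        return {"verdict": "Analyze", "detection": None, "ambiguous": False}


if __name__ == "__main__":
    sample = b"constructed sample file content"  # constructed input, not a real file
    f = StaticFilter()
    f.add("deny", digests_of(sample)["sha256"], now=1000)
    print(f.verdict(sample, received=900))   # received before the entry: Analyze
    print(f.verdict(sample, received=1100))  # received after the entry: Malicious
```

The model hashes each incoming sample with all three algorithms so that an entry of any accepted type matches, and it checks the entry timestamp against the sample's receipt time, which is what makes the filter prospective rather than retroactive. Validating the hash format on entry is worth keeping in any real list-management tooling: a pasted hash with a trailing space or a truncated digit silently never matches.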

You can add a detection to the Allow List from the Malware Log. For information, see Malware Log.
