Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSandbox 3.0.6 Administration Guide
    3.0.6
    5.0.0
    4.4.6
    4.4.5
    4.4.4
    4.4.3
    4.4.2
    4.4.1
    4.4.0
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.0.5
    4.0.4
    4.0.3
    4.0.2
    4.0.1
    4.0.0
    3.2.4
    3.2.3
    3.2.2
    3.2.1
    3.2.0
    3.1.5
    3.1.4
    3.1.3
    3.1.2
    3.1.1
    3.1.0
    3.0.7
    3.0.6

    YARA Rules

    YARA Rules

    YARA is a pattern matching engine for malware detection. The YARA Rules page allows you to upload your own YARA rules. The rules must be compatible with the 3.x schema and put inside ASCII text files.

    The following options are available:

    Import

    Select to import a YARA rule file. You can apply one YARA rule to multiple file types.

    Edit

    Select to edit a YARA rule file. You can apply one YARA rule to multiple file types.

    Delete

    Select to delete a YARA rule file.

    Change Status

    Select to change the status (Active or Inactive) of a YARA rule.

    Export

    Select to export a YARA rule file.

    The following information is displayed:

    Name

    The name of the YARA rule set.

    File Type

    The file types the YARA rule is applied to.

    Modify Time

    The date and time the YARA rule set was last modified.

    Size

    The size of the YARA rule file.

    Sha256

    The Sha256 checksum of the YARA rule file.

    Status

    The current status (Active or Inactive) of the YARA rule set.
    To upload YARA Rule File:
    1. Go to Scan Policy > YARA Rules.
    2. Select Import.
    3. Configure the following settings:

      YARA Rule Name

      Enter a name for the YARA rule set.

      Default Description

      Enter a description of the YARA rule set.

      Rules Risk Level

      Select a rule risk level between 1-10.

      • 0-1: Clean
      • 2-4: Low Risk
      • 5-7: Medium Risk
      • 8-10: High Risk

      All the YARA rules inside the YARA rule file will share the same risk level.

      File Type

      Select file types to scan against uploaded YARA rules. One YARA rule file can be applied to multiple file types.

      YARA Rule File

      Choose a text file containing YARA rules.

    4. Select OK to import rules.
    5. After a YARA Rule file is imported, you can select the Activate/Deactivate icon to enable/disable the YARA rule set.

    If a file hits multiple rules, a complicated algorithm is used to calculate the final rating of the file. For example, if a file hits more than one Low Risk YARA rules, the file's verdict can be higher than the Low Risk rating.
    To edit a YARA Rule set:
    1. Go to Scan Policy > YARA Rules.
    2. Select a YARA Rule.
    3. Click the Edit button from the toolbar.
    4. Configure the following options:

      ID

      YARA ID number. You cannot edit this field.

      Yara Rule Name

      Enter a name for the YARA rule set.

      Default Description

      Enter a description of the YARA rule set.

      Rules Risk Level

      Select a rule risk level between 1-10.

      • 0-1: Clean
      • 2-4: Low Risk
      • 5-7: Medium Risk
      • 8-10: High Risk

      All the YARA rules inside the YARA rule file will share the same risk level.

      File Type

      Select file types to scan against uploaded YARA rules. One YARA rule file can be applied to multiple file types.

      YARA Rule File

      Choose a text file containing YARA rules.

    5. Click OK to apply changes.
    To delete a YARA rule set:
    1. Go to Scan Policy > YARA Rules.
    2. Select a YARA Rule set.
    3. Click Delete from the toolbar.
    4. Click Yes I'm sure button from the Are you sure? confirmation box.
    To change the status of a YARA rule set:
    1. Go to Scan Policy > YARA Rules.
    2. Select a YARA Rule set.
    3. Click Change Status.

      The status of the selected YARA rule will switch to Active or Inactive depending on its previous status.

    Previous
    Next

    YARA Rules

    YARA Rules

    YARA is a pattern matching engine for malware detection. The YARA Rules page allows you to upload your own YARA rules. The rules must be compatible with the 3.x schema and put inside ASCII text files.

    The following options are available:

    Import

    Select to import a YARA rule file. You can apply one YARA rule to multiple file types.

    Edit

    Select to edit a YARA rule file. You can apply one YARA rule to multiple file types.

    Delete

    Select to delete a YARA rule file.

    Change Status

    Select to change the status (Active or Inactive) of a YARA rule.

    Export

    Select to export a YARA rule file.

    The following information is displayed:

    Name

    The name of the YARA rule set.

    File Type

    The file types the YARA rule is applied to.

    Modify Time

    The date and time the YARA rule set was last modified.

    Size

    The size of the YARA rule file.

    Sha256

    The Sha256 checksum of the YARA rule file.

    Status

    The current status (Active or Inactive) of the YARA rule set.
    To upload YARA Rule File:
    1. Go to Scan Policy > YARA Rules.
    2. Select Import.
    3. Configure the following settings:

      YARA Rule Name

      Enter a name for the YARA rule set.

      Default Description

      Enter a description of the YARA rule set.

      Rules Risk Level

      Select a rule risk level between 1-10.

      • 0-1: Clean
      • 2-4: Low Risk
      • 5-7: Medium Risk
      • 8-10: High Risk

      All the YARA rules inside the YARA rule file will share the same risk level.

      File Type

      Select file types to scan against uploaded YARA rules. One YARA rule file can be applied to multiple file types.

      YARA Rule File

      Choose a text file containing YARA rules.

    4. Select OK to import rules.
    5. After a YARA Rule file is imported, you can select the Activate/Deactivate icon to enable/disable the YARA rule set.

    If a file hits multiple rules, a complicated algorithm is used to calculate the final rating of the file. For example, if a file hits more than one Low Risk YARA rules, the file's verdict can be higher than the Low Risk rating.
    To edit a YARA Rule set:
    1. Go to Scan Policy > YARA Rules.
    2. Select a YARA Rule.
    3. Click the Edit button from the toolbar.
    4. Configure the following options:

      ID

      YARA ID number. You cannot edit this field.

      Yara Rule Name

      Enter a name for the YARA rule set.

      Default Description

      Enter a description of the YARA rule set.

      Rules Risk Level

      Select a rule risk level between 1-10.

      • 0-1: Clean
      • 2-4: Low Risk
      • 5-7: Medium Risk
      • 8-10: High Risk

      All the YARA rules inside the YARA rule file will share the same risk level.

      File Type

      Select file types to scan against uploaded YARA rules. One YARA rule file can be applied to multiple file types.

      YARA Rule File

      Choose a text file containing YARA rules.

    5. Click OK to apply changes.
    To delete a YARA rule set:
    1. Go to Scan Policy > YARA Rules.
    2. Select a YARA Rule set.
    3. Click Delete from the toolbar.
    4. Click Yes I'm sure button from the Are you sure? confirmation box.
    To change the status of a YARA rule set:
    1. Go to Scan Policy > YARA Rules.
    2. Select a YARA Rule set.
    3. Click Change Status.

      The status of the selected YARA rule will switch to Active or Inactive depending on its previous status.

    Previous
    Next