Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSandbox 4.2.6 Administration Guide
    4.2.6
    5.0.0
    4.4.6
    4.4.5
    4.4.4
    4.4.3
    4.4.2
    4.4.1
    4.4.0
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.0.5
    4.0.4
    4.0.3
    4.0.2
    4.0.1
    4.0.0
    3.2.4
    3.2.3
    3.2.2
    3.2.1
    3.2.0
    3.1.5
    3.1.4
    3.1.3
    3.1.2
    3.1.1
    3.1.0
    3.0.7
    3.0.6

    YARA Rules

    YARA Rules

    YARA is a pattern matching engine for malware detection. It can be applied for files as well as downloaders. The YARA Rules page allows you to upload your own YARA rules. The rules must be compatible with the 3.x schema and put inside ASCII text files.

    For more information about writing YARA rules, see the product documentation.

    FortiSandbox supports following Yara modules:

    Cuckoo, Magic, Dotnet, PE, ELF, Hash, Math and Time. For information about YARA modules, see the production documentation.

    The following options are available:

    Import

    Select to import a YARA rule file. You can apply one YARA rule to multiple file types.

    Edit

    Select to edit a YARA rule file. You can apply one YARA rule to multiple file types.

    Delete

    Select to delete a YARA rule file.

    Change Status

    Select to change the status (Active or Inactive) of a YARA rule.

    Export

    Select to export a YARA rule file.

    The following information is displayed:

    Name

    The name of the YARA rule set.

    File Type

    The file types the YARA rule is applied to.

    Modify Time

    The date and time the YARA rule set was last modified.

    Size

    The size of the YARA rule file.

    Sha256

    The Sha256 checksum of the YARA rule file.

    Status

    The current status (Active or Inactive) of the YARA rule set.
    To upload YARA Rule File:
    1. Go to Scan Policy and Object > YARA Rules.
    2. Select Import.
    3. Configure the following settings:

      YARA Rule Name

      Enter a name for the YARA rule set.

      Default Description

      Enter a description of the YARA rule set.

      Rules Risk Level

      Select a rule risk level between 1-10.

      • 0-1: Clean
      • 2-4: Low Risk
      • 5-7: Medium Risk
      • 8-10: High Risk

      All the YARA rules inside the YARA rule file will share the same risk level.

      File Type

      Select file types to scan against uploaded YARA rules. One YARA rule file can be applied to multiple file types.

      YARA Rule File

      Choose a text file containing YARA rules.

    4. Select OK to import rules.
    5. After a YARA Rule file is imported, you can select the Activate/Deactivate icon to enable/disable the YARA rule set.

    If a file hits multiple rules, a complicated algorithm is used to calculate the final rating of the file. For example, if a file hits more than one Low Risk YARA rules, the file's verdict can be higher than the Low Risk rating.
    To edit a YARA Rule set:
    1. Go to Scan Policy and Object > YARA Rules.
    2. Select a YARA Rule.
    3. Click the Edit button from the toolbar.
    4. Configure the following options:

      ID

      YARA ID number. You cannot edit this field.

      Yara Rule Name

      Enter a name for the YARA rule set.

      Default Description

      Enter a description of the YARA rule set.

      Rules Risk Level

      Select a rule risk level between 1-10.

      • 0-1: Clean
      • 2-4: Low Risk
      • 5-7: Medium Risk
      • 8-10: High Risk

      All the YARA rules inside the YARA rule file will share the same risk level.

      File Type

      Select file types to scan against uploaded YARA rules. One YARA rule file can be applied to multiple file types.

      YARA Rule File

      Choose a text file containing YARA rules.

    5. Click OK to apply changes.
    To delete a YARA rule set:
    1. Go to Scan Policy and Object > YARA Rules.
    2. Select a YARA Rule set.
    3. Click Delete from the toolbar.
    4. Click Yes I'm sure button from the Are you sure? confirmation box.
    To change the status of a YARA rule set:
    1. Go to Scan Policy and Object > YARA Rules.
    2. Select a YARA Rule set.
    3. Click Change Status. The status of the selected YARA rule will switch to Active or Inactive depending on its previous status.
      Note

      Regular YARA rule is applied in both the Static Scan stage and VM Engine scan stage. During the VM Engine scan stage, if any dump file hits the regular YARA rule, the Indicators section will show the User-defined YARA with the YARA rule name.

    To import a process memory YARA Rule:

    A process memory YARA Rule differs slightly from other YARA rules. It is used by the VM Engine and is only applied in the VM Engine scan stage whereas a regular YARA rule is applied in both the Static Scan stage and VM Engine scan stage.

    1. Go to Scan Policy and Object > YARA Rules.
    2. Click the Import button.
    3. Input a YARA rule name in the Yara Rule Name field.
    4. Add a description for the YARA Rule if there is no corresponding field contained in the rule's meta section.
    5. In the Apply On: field, click Process Memory. The Rules Risk Level field will be hidden upon click because it is not required for Process Memory.

    6. Click Upload YARA File and select the YARA Rule file.
    7. Click OK.
    To verify when a sample is detected by a process memory YARA rule:

    If a sample is detected by a process memory YARA rule, FortiSandbox will show the following information in the FortiView job details:

    • The Indicators section shows that the sample contains a suspicious pattern with the YARA rule name.
    • The YARA rule and rating are displayed as Behaviors.

    If a sample is detected by multiple process memory YARA rules,FortiSandbox shows all hits and takes the highest scoring YARA rule as the final scan score if no other suspicious behavior is detected.

    Format guidelines for process memory YARA Rules:
    • A rule file must be in plain text format
    • A rule file can contain many rules
    • A rule name must be unique
    • A rule should be in the following format:

      rule Andromeda29_Memory_Pattern

      {

      meta:

      description = "Andromeda29"

      impact = 8

      condition:

      ...

      }

      description: description of the rule, it will show in the indicator if matched

      impact: the impact level of the pattern, range: 0-10, 0-1:clean,2-4: Low Risk,5-7: Medium Risk,8-10:High Risk

    To activate the process memory YARA Rule
    1. Select the YARA Rule in Scan Policy and Object > Yara Rules, then click Change Status to activate the YARA rule. Clicking the Change Status button again will toggle the Status between Active and Inactive.

    To export a YARA rule:
    1. From Scan Policy and Object > Yara Rules, click Export to export this YARA rule in plain text format.

    Previous
    Next

    YARA Rules

    YARA Rules

    YARA is a pattern matching engine for malware detection. It can be applied for files as well as downloaders. The YARA Rules page allows you to upload your own YARA rules. The rules must be compatible with the 3.x schema and put inside ASCII text files.

    For more information about writing YARA rules, see the product documentation.

    FortiSandbox supports following Yara modules:

    Cuckoo, Magic, Dotnet, PE, ELF, Hash, Math and Time. For information about YARA modules, see the production documentation.

    The following options are available:

    Import

    Select to import a YARA rule file. You can apply one YARA rule to multiple file types.

    Edit

    Select to edit a YARA rule file. You can apply one YARA rule to multiple file types.

    Delete

    Select to delete a YARA rule file.

    Change Status

    Select to change the status (Active or Inactive) of a YARA rule.

    Export

    Select to export a YARA rule file.

    The following information is displayed:

    Name

    The name of the YARA rule set.

    File Type

    The file types the YARA rule is applied to.

    Modify Time

    The date and time the YARA rule set was last modified.

    Size

    The size of the YARA rule file.

    Sha256

    The Sha256 checksum of the YARA rule file.

    Status

    The current status (Active or Inactive) of the YARA rule set.
    To upload YARA Rule File:
    1. Go to Scan Policy and Object > YARA Rules.
    2. Select Import.
    3. Configure the following settings:

      YARA Rule Name

      Enter a name for the YARA rule set.

      Default Description

      Enter a description of the YARA rule set.

      Rules Risk Level

      Select a rule risk level between 1-10.

      • 0-1: Clean
      • 2-4: Low Risk
      • 5-7: Medium Risk
      • 8-10: High Risk

      All the YARA rules inside the YARA rule file will share the same risk level.

      File Type

      Select file types to scan against uploaded YARA rules. One YARA rule file can be applied to multiple file types.

      YARA Rule File

      Choose a text file containing YARA rules.

    4. Select OK to import rules.
    5. After a YARA Rule file is imported, you can select the Activate/Deactivate icon to enable/disable the YARA rule set.

    If a file hits multiple rules, a complicated algorithm is used to calculate the final rating of the file. For example, if a file hits more than one Low Risk YARA rules, the file's verdict can be higher than the Low Risk rating.
    To edit a YARA Rule set:
    1. Go to Scan Policy and Object > YARA Rules.
    2. Select a YARA Rule.
    3. Click the Edit button from the toolbar.
    4. Configure the following options:

      ID

      YARA ID number. You cannot edit this field.

      Yara Rule Name

      Enter a name for the YARA rule set.

      Default Description

      Enter a description of the YARA rule set.

      Rules Risk Level

      Select a rule risk level between 1-10.

      • 0-1: Clean
      • 2-4: Low Risk
      • 5-7: Medium Risk
      • 8-10: High Risk

      All the YARA rules inside the YARA rule file will share the same risk level.

      File Type

      Select file types to scan against uploaded YARA rules. One YARA rule file can be applied to multiple file types.

      YARA Rule File

      Choose a text file containing YARA rules.

    5. Click OK to apply changes.
    To delete a YARA rule set:
    1. Go to Scan Policy and Object > YARA Rules.
    2. Select a YARA Rule set.
    3. Click Delete from the toolbar.
    4. Click Yes I'm sure button from the Are you sure? confirmation box.
    To change the status of a YARA rule set:
    1. Go to Scan Policy and Object > YARA Rules.
    2. Select a YARA Rule set.
    3. Click Change Status. The status of the selected YARA rule will switch to Active or Inactive depending on its previous status.
      Note

      Regular YARA rule is applied in both the Static Scan stage and VM Engine scan stage. During the VM Engine scan stage, if any dump file hits the regular YARA rule, the Indicators section will show the User-defined YARA with the YARA rule name.

    To import a process memory YARA Rule:

    A process memory YARA Rule differs slightly from other YARA rules. It is used by the VM Engine and is only applied in the VM Engine scan stage whereas a regular YARA rule is applied in both the Static Scan stage and VM Engine scan stage.

    1. Go to Scan Policy and Object > YARA Rules.
    2. Click the Import button.
    3. Input a YARA rule name in the Yara Rule Name field.
    4. Add a description for the YARA Rule if there is no corresponding field contained in the rule's meta section.
    5. In the Apply On: field, click Process Memory. The Rules Risk Level field will be hidden upon click because it is not required for Process Memory.

    6. Click Upload YARA File and select the YARA Rule file.
    7. Click OK.
    To verify when a sample is detected by a process memory YARA rule:

    If a sample is detected by a process memory YARA rule, FortiSandbox will show the following information in the FortiView job details:

    • The Indicators section shows that the sample contains a suspicious pattern with the YARA rule name.
    • The YARA rule and rating are displayed as Behaviors.

    If a sample is detected by multiple process memory YARA rules,FortiSandbox shows all hits and takes the highest scoring YARA rule as the final scan score if no other suspicious behavior is detected.

    Format guidelines for process memory YARA Rules:
    • A rule file must be in plain text format
    • A rule file can contain many rules
    • A rule name must be unique
    • A rule should be in the following format:

      rule Andromeda29_Memory_Pattern

      {

      meta:

      description = "Andromeda29"

      impact = 8

      condition:

      ...

      }

      description: description of the rule, it will show in the indicator if matched

      impact: the impact level of the pattern, range: 0-10, 0-1:clean,2-4: Low Risk,5-7: Medium Risk,8-10:High Risk

    To activate the process memory YARA Rule
    1. Select the YARA Rule in Scan Policy and Object > Yara Rules, then click Change Status to activate the YARA rule. Clicking the Change Status button again will toggle the Status between Active and Inactive.

    To export a YARA rule:
    1. From Scan Policy and Object > Yara Rules, click Export to export this YARA rule in plain text format.

    Previous
    Next