keithli_FTNT
Staff
Article Id 198548
Description
This article describes how to use FortiSandbox and FortiClient to scan for and detect ransomware-like behaviour in malware file samples from the ransomware used in the Kaseya VSA attack.

For more information about the Kaseya VSA Supply-Chain ransomware attack, see the following FortiGuard Threat Signal description:



Scope
Configurations involve three products:
    • FortiClient EMS
    • FortiClient
    • FortiSandbox 
FortiClient endpoints managed by FortiClient EMS are protected by forwarding High-Risk files to FortiSandbox for behavioral analysis. If the verdict is High-Risk, the file is quarantined and is not allowed to execute.


Solution
The following describes the configurations on FortiClient EMS related to Sandboxing. To be protected, FortiClient endpoints must have Sandbox Detection enabled. When the FortiClient endpoint is managed by FortiClient EMS, it must be registered and have its endpoint profile synchronized with the FortiClient EMS server.

To configure Sandbox Detection on FortiClient EMS:
    1. Go to Endpoint Profiles > Manage Profiles, and create a new profile. Alternatively, edit an existing profile.
    2. Go to the Sandbox tab. Enable Sandbox Detection. 
    3. Sandbox Detection can be performed by FortiSandbox Appliance, or FortiClient Cloud Sandbox. Select the option that applies. 
    4. For Inspection mode, select High-Risk Files.
    5. Enable the option “Wait for FortiSandbox Results before Allowing File Access”. This option ensures that the scan is completed and a verdict is provided before the file can be executed.
    6. Under Remediation action, it is recommended to set the Action to Quarantine. 
    7. Save the profile.
Endpoint Profile example using FortiSandbox Appliance:
[Image: FCT-EndpointProfile-SandboxAppliance.png]

Endpoint Profile example using FortiClient Cloud Sandbox:
[Image: FCT-EndpointProfile-SandboxCloud.png]

To view results of the detection on FortiSandbox:
    1. On the FortiSandbox, go to Log & Report > File Scan.
    2. Locate the Scan Job associated with the malicious file.
    3. Under the Action column, click the pop-up icon to open the detail report in a new window. For convenience, click the download button on the top right to save a copy of the report. 
    4. The report provides details of the scan job, including an Indicator Summary. 
    5. The Indicator Summary identifies “Ransomware like behaviors were detected”.
    6. Furthermore, Suspicious Indicator Details will indicate the Rating for the infected file.
[Image: FSA-Report-IndicatorSummary.png]
