Administration Guide

Static Filter

Use the Static Filter to manage an allow hash list and a block hash list. This is useful when dealing with outbreaks, for example, inserting an outbreak malware hash for FortiNDR to identify as malicious. The opposite use case is files that administrators have determined are clean: hashes in the allow list are not processed by ANN and AV, and FortiNDR marks them as clean.

The Static Filter contains two lists of file hashes, allowing input of MD5, SHA1, and SHA256 hashes that can alter the verdict of incoming samples.

  • Files with hashes in the Allow List are marked as Clean.
  • Files with hashes in the Deny List are marked as Malicious and tagged with a Detection Name of StaticFilter.AI.D.

The effect of the static filter is prospective. It will only apply to samples received after the filter is added. Adding a duplicate hash entry updates the filter’s timestamp to the current date.

For clashes, such as the same entry in both the Allow List and Deny List, FortiNDR flags the entry with an Ambiguous type filter so that you can remove the conflicting entry.

Log & Report > Threat Report has a button for you to easily add an entry to, or remove one from, the Allow List or Deny List.
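The following model, added here as an illustration and not FortiNDR's own code, shows how the behaviour described above fits together: a hash is accepted as MD5, SHA1 or SHA256 by its hex length; an Allow List hit yields Clean and a Deny List hit yields Malicious with the detection name StaticFilter.AI.D; a hash present in both lists is reported as Ambiguous and produces no verdict until the conflict is removed; the filter is prospective, so only samples received after an entry's timestamp are affected; and re-adding an existing hash refreshes its timestamp. The class and function names (StaticFilter, evaluate_sample, digests_of, demo) are assumptions made for this example, as is the choice to withhold a verdict for an ambiguous entry.

```python
"""Model of a hash-based static filter (allow list / deny list).

Added illustration, not FortiNDR's own code. Names are assumptions made
for this example; the behaviour follows the guide's description.
"""
import hashlib
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Accepted digest formats, identified by hex-digit length.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DETECTION_NAME = "StaticFilter.AI.D"  # detection name for Deny List hits


def is_valid_hash(value: str) -> bool:
    """True if value is an MD5, SHA1 or SHA256 hex digest."""
    value = value.strip()
    return len(value) in HASH_LENGTHS and bool(HEX_RE.match(value))


def normalize_hash(value: str) -> str:
    """Validate and lowercase a digest so case differences cannot bypass a match."""
    if not is_valid_hash(value):
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return value.strip().lower()


def hash_type(value: str) -> str:
    return HASH_LENGTHS[len(normalize_hash(value))]


def digests_of(data: bytes) -> dict:
    """All three digests of a sample, so any list entry type can match it."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


class StaticFilter:
    def __init__(self) -> None:
        # hash -> timestamp of its (most recent) addition, per list
        self.allow: dict = {}
        self.deny: dict = {}

    def _list(self, name: str) -> dict:
        return {"allow": self.allow, "deny": self.deny}[name]

    def add(self, list_name: str, digest: str, when: Optional[datetime] = None) -> datetime:
        """Add a hash; a duplicate entry simply gets its timestamp refreshed."""
        ts = when or datetime.now(timezone.utc)
        self._list(list_name)[normalize_hash(digest)] = ts
        return ts

    def remove(self, list_name: str, digest: str) -> None:
        self._list(list_name).pop(normalize_hash(digest), None)

    def entry_state(self, digest: str) -> str:
        """'allow', 'deny', 'ambiguous' (present in both lists) or 'none'."""
        h = normalize_hash(digest)
        if h in self.allow and h in self.deny:
            return "ambiguous"
        return "allow" if h in self.allow else "deny" if h in self.deny else "none"

    def conflicts(self) -> list:
        """Hashes flagged Ambiguous: the administrator must remove one side."""
        return sorted(set(self.allow) & set(self.deny))

    def verdict(self, digest: str, received_at: datetime) -> Optional[dict]:
        """Verdict override for one digest, or None when the filter does not apply.

        Prospective effect (assumption of this model): an entry only affects
        samples received at or after the entry's timestamp.
        """
        h = normalize_hash(digest)
        state = self.entry_state(h)
        if state == "allow" and received_at >= self.allow[h]:
            return {"verdict": "Clean", "state": state}
        if state == "deny" and received_at >= self.deny[h]:
            return {"verdict": "Malicious", "detection": DETECTION_NAME, "state": state}
        return None  # no entry, ambiguous entry, or sample received before the entry


def evaluate_sample(sf: StaticFilter, data: bytes, received_at: datetime) -> Optional[dict]:
    """Check every digest of a sample against the filter; first match wins."""
    for kind, h in digests_of(data).items():
        result = sf.verdict(h, received_at)
        if result is not None:
            return {**result, "matched": kind}
    return None


def demo() -> dict:
    """Walk through the documented behaviour on a constructed sample."""
    sample = b"constructed sample payload"   # constructed test input
    d = digests_of(sample)
    sf = StaticFilter()
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    first_ts = sf.add("deny", d["sha256"], when=t0)            # outbreak hash
    before = evaluate_sample(sf, sample, t0 - timedelta(hours=1))  # received earlier: untouched
    after = evaluate_sample(sf, sample, t0 + timedelta(hours=1))   # received later: Malicious
    t1 = t0 + timedelta(days=1)
    refreshed_ts = sf.add("deny", d["sha256"].upper(), when=t1)  # duplicate -> timestamp updated
    sf.add("allow", d["sha256"], when=t1)                        # now in both lists
    state = sf.entry_state(d["sha256"])                          # ambiguous
    while_ambiguous = evaluate_sample(sf, sample, t1 + timedelta(hours=1))
    sf.remove("allow", d["sha256"])                              # resolve the clash
    resolved = evaluate_sample(sf, sample, t1 + timedelta(hours=1))
    return {"sha256": d["sha256"], "first_ts": first_ts, "refreshed_ts": refreshed_ts,
            "before": before, "after": after, "state": state,
            "while_ambiguous": while_ambiguous, "resolved": resolved}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Only the Deny List is exercised in demo(); the Allow List path is symmetric and returns a Clean verdict. The model keeps one timestamp per entry, so refreshing a duplicate also moves the point from which that entry applies; whether FortiNDR behaves the same way for previously received samples is not stated in the guide.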
