Administration Guide

Network Share Quarantine

You can configure multiple quarantine profiles for different Network Share locations. Use different configurations to send detected files of different levels to separate quarantine locations.

Quarantined files

When a file is quarantined, FortiNDR creates two files in the quarantine folder:

  • A copy of the original file, and

  • A metadata file.

The metadata file provides information about FortiNDR's verdict on the malicious file, such as the virus name, path (URL), MD5, etc. You can refer to the metadata file to understand why the file was moved or copied to the quarantine folder.

The metadata file uses the naming pattern <Network Share File ID>.meta. The file contains the following information:

  • Network Share File ID
  • Network Share ID
  • Network Share Profile Name
  • Scan Task ID
  • File ID
  • Filename
  • URL
  • MD5
  • Detection Name
Example:

Network Share FileID: 351640
SID: 3 (Share ID)
JID: 44 (Job ID)
FileID: 1198941 (File ID)
File Name: sample.vsc
Device: testshared
URL: //172.16.2.100/shared2/2/sample.vsc
MD5: 31e06f25de8b5623c3fdaba93ed2edde
Virus Name: W32/Wanna.A!tr.ransom
DelOriginalFile: Success
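
The following Python script is an added example, not Fortinet code. It pairs each <Network Share File ID>.meta file in a quarantine folder with its quarantined copy and checks the copy's MD5 against the value recorded in the metadata, which flags copies that are missing or altered. It assumes the metadata file is plain text with one "Key: value" pair per line, as in the example above; parse_meta, md5_of and audit_quarantine are hypothetical names.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample that mirrors the example metadata file on this page.
SAMPLE_META = """\
Network Share FileID: 351640
SID: 3 (Share ID)
JID: 44 (Job ID)
FileID: 1198941 (File ID)
File Name: sample.vsc
Device: testshared
URL: //172.16.2.100/shared2/2/sample.vsc
MD5: 31e06f25de8b5623c3fdaba93ed2edde
Virus Name: W32/Wanna.A!tr.ransom
DelOriginalFile: Success
"""
ID_KEYS = {"SID", "JID", "FileID"}  # shown with a "(label)" suffix on the page

def parse_meta(text):
    """Parse 'Key: value' lines (assumed layout) into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        key, value = key.strip(), value.strip()
        if not sep or not key:
            continue  # blank or malformed line
        if key in ID_KEYS:
            value = re.sub(r"\s*\(.*\)$", "", value)  # drop "(Share ID)" etc.
        fields[key] = value
    return fields

def md5_of(path):
    # MD5 because that is what the .meta file records; bytes are read, never run.
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def audit_quarantine(folder):
    """Pair each <ID>.meta with its <ID> copy and compare the recorded MD5."""
    results = {}
    for meta_path in sorted(Path(folder).glob("*.meta")):
        meta = parse_meta(meta_path.read_text(errors="replace"))
        copy = meta_path.with_suffix("")  # file named <Network Share File ID>
        if not copy.is_file():
            status = "missing-copy"
        elif md5_of(copy) == meta.get("MD5", "").lower():
            status = "ok"
        else:
            status = "md5-mismatch"
        results[meta_path.stem] = (status, meta.get("Virus Name"), meta.get("URL"))
    return results
```

Run audit_quarantine against a read-only mount of the quarantine share; each result maps a Network Share File ID to its status, detection name and original URL.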

Creating a quarantine profile

To create a quarantine profile:
  1. Go to Security Fabric > Network Share Quarantine.
  2. In the toolbar, click Create New. The New Quarantine Location window opens.
  3. Configure the quarantine profile mounting information.

    Status: Enable or Disable.

    Quarantine Name: Enter a name for the quarantine profile.

    Mount Type: Select a Network Share protocol from the list. The following protocols are supported:

    • SMBv1.0
    • SMBv2.0
    • SMBv2.1
    • SMBv3.0
    • NFSv2.0
    • NFSv3.0
    • NFSv4.0

    Server IP: Enter the IP address for the Network Share.

    Share Path: Enter the path for the Network Share.

    Username: Enter the username for the Network Share.

    Password: Enter the password for the Network Share and then confirm the password.

  4. (Optional) Select Keep Original File At Source Location.
    Note

    Enabling Keep Original File At Source Location may affect the behavior of your Network Share profile. For information, see Combining network share and quarantine profiles.

  5. (Optional) In the Description field, enter a description of the profile.

Combining network share and quarantine profiles

The following table summarizes how enabling Keep Original File At Source Location affects the behavior of the quarantine and sanitize settings in a Network Share profile:

Keep Original File At Source Location: Enabled
  Effect: Keeps the quarantine file in the source location.
  Enable Quarantine for (Critical/High/Med/Low/Password Protected/Other risk): Enabled
  Effect:
  • Creates a copy of the quarantine file in the quarantine location and renames it <Network Share File ID>.
  • Creates a metafile with the naming pattern <Network Share File ID>.meta for each quarantine file.

Keep Original File At Source Location: Disabled
  Effect: FortiNDR creates a placeholder file with <Filename>.quarantined in the original folder.
  Enable Quarantine for (Critical/High/Med/Low/Password Protected/Other risk): Enabled
  Effect:
  • Copies the quarantine file to the quarantine location and renames it <Network Share File ID>.
  • Creates a metafile with the naming pattern <Network Share File ID>.meta for each quarantine file.
  • If FortiNDR has enough permissions, it will delete the file in the source location.

Tooltip

You can use the Network Share Quarantine location for both the quarantine of malicious files and the Move/Copy of clean files. However, we recommend creating different folders for clean and malicious files.

Keep original file at source location: Enabled
  Move/Copy clean files to sanitized location: Enabled
  Effect:
  • Cleans files in the source location.
  • Copies the clean files to the Network Share Quarantine.

Keep original file at source location: Enabled/Disabled
  Move/Copy clean files to sanitized location: Disabled
  Effect:
  • FortiNDR scans NFS but does not move or copy the files.

Keep original file at source location: Disabled
  Move/Copy clean files to sanitized location: Enabled
  Effect:
  • Moves the clean files to the Network Share Quarantine.
  • FortiNDR attempts to delete the original files.

Note

The Move operation involves copying and deleting files. FortiNDR can only delete files if it has sufficient permissions to do so.
