Administration Guide

Loading the ANN database to FortiNDR for malware detection

FortiNDR uses both FortiGuard updates to its local databases and FortiGuard lookups to detect network anomalies. For the full list of updates, refer to Appendix D - FortiGuard Updates. This section covers one of those updates: the ANN database for malware detection.

The ANN (Artificial Neural Network) database enables malware scanning using the accelerated ANN. Unlike AV signatures, the ANN database does not need daily updates; it is updated only once or twice a week to add detection of the latest malware.

There are two ways to update the ANN database: from the FDN (FortiGuard Distribution Network) when the device has internet access, or manually, by downloading the database from the Fortinet support website after the product is registered.

FortiGuard update servers are currently located in the US, EMEA, and Japan. Depending on your location, a manual update might be faster: an ANN update over the internet takes about 1–2 hours on average, while loading the database from the local CLI takes about 10 minutes.

To update the ANN database using CLI:

execute restore kdb {disk <filename> | ftp <filename> <server_ipv4> | scp <filename> <server_ipv4> | tftp <filename> <server_ipv4>}

To update the ANN database manually by loading the downloaded files from a USB drive:
  1. On another Linux machine, partition the USB drive using fdisk, for example fdisk /dev/sdc. Confirm the device name with lsblk first; fdisk overwrites whichever disk it is pointed at, and the name differs from host to host.

    Ensure the USB drive has enough capacity and create one partition to be formatted as EXT4 or EXT3.

  2. Format the new partition (sdc1 in this example) using the mkfs.ext4 /dev/sdc1 command.

    Note

    FortiTester is a useful companion to FortiNDR: it can send a malware strike pack over protocols such as HTTP, SMB, and SMTP to simulate malware on the network, so you can use it to test whether FortiNDR detects the samples.

  3. Mount the partition (in this example at /AI_DB) and copy moat_kdb_all.tar.gz and pae_kdb_all.tar.gz to the root directory of the USB drive.

  4. Mount the USB drive on the FortiNDR device and load the files with the execute restore kdb disk pae_kdb_all.tar.gz and execute restore kdb disk moat_kdb_all.tar.gz commands.

  5. To verify the ANN database in the GUI, go to System > FortiGuard.

  6. To verify the ANN database in the CLI, use the diagnose kdb command and check that there are four KDB Test Passed status lines.

    You can check the latest version of FortiNDR ANN at https://www.fortiguard.com/services/fortindr.
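The following script is an added example and is not Fortinet tooling. It performs steps 1 to 3 on the Linux host with the guard that a bare fdisk /dev/sdc lacks (it refuses any device that is not a removable, unmounted whole disk), checks that both tarballs are complete before they reach the appliance, and implements the step 6 check against a saved copy of the diagnose kdb output. Assumptions not taken from the guide: the two tarballs were already downloaded from the Fortinet support site into a source directory, /dev/sdc is only an example device name, scripted sfdisk stands in for the interactive fdisk session, and the diagnose kdb output has been pasted into a text file.

```shell
#!/bin/sh
# Added example, not Fortinet tooling. Prepares the USB drive described in
# steps 1-3 on a Linux host and checks the 'diagnose kdb' result from step 6.
# Assumptions (not from the guide): the two tarballs were already downloaded
# from the Fortinet support site into $src; /dev/sdc is only an example device
# name and must be confirmed with lsblk; sfdisk stands in for the interactive
# fdisk session; the 'diagnose kdb' output is pasted into a text file.

KDB_FILES="moat_kdb_all.tar.gz pae_kdb_all.tar.gz"

# Both archives must exist, be non-empty, and list cleanly with tar. A
# truncated download is caught here instead of failing on the appliance.
check_kdb_files() {
    dir="$1"
    for f in $KDB_FILES; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            return 1
        fi
        if ! tar -tzf "$dir/$f" >/dev/null 2>&1; then
            echo "corrupt or truncated archive: $dir/$f" >&2
            return 1
        fi
    done
}

# Refuse to partition anything that is not a removable, unmounted whole disk.
# Pointed at the wrong device, fdisk/sfdisk silently destroys the host's own disk.
usb_device_is_safe() {
    dev="$1"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    [ "$(lsblk -dn -o TYPE "$dev")" = "disk" ] ||
        { echo "$dev is not a whole disk" >&2; return 1; }
    [ "$(lsblk -dn -o RM "$dev")" = "1" ] ||
        { echo "$dev is not flagged removable, refusing" >&2; return 1; }
    if lsblk -n -o MOUNTPOINT "$dev" | grep -q .; then
        echo "$dev has mounted partitions, unmount them first" >&2
        return 1
    fi
}

# Destructive: one EXT4 partition spanning the drive (type 83 = Linux), then
# the two tarballs copied to its root. Equivalent to fdisk + mkfs.ext4 + cp.
prepare_usb() {
    dev="$1"; src="$2"; mnt="${3:-/AI_DB}"
    usb_device_is_safe "$dev" || return 1
    check_kdb_files "$src" || return 1
    printf 'label: dos\n,,83\n' | sudo sfdisk --quiet "$dev"
    part="${dev}1"
    # wait briefly for the kernel to publish the new partition node
    for i in 1 2 3 4 5; do [ -b "$part" ] && break; sleep 1; done
    sudo mkfs.ext4 -q "$part"
    sudo mkdir -p "$mnt"
    sudo mount "$part" "$mnt"
    for f in $KDB_FILES; do sudo cp "$src/$f" "$mnt/"; done
    sync
    sudo umount "$mnt"
    echo "Drive ready. On the FortiNDR run:"
    for f in $KDB_FILES; do echo "  execute restore kdb disk $f"; done
}

# Step 6 check: count the 'KDB Test Passed' status lines in a saved copy of
# the 'diagnose kdb' output; the guide expects exactly four.
kdb_tests_passed() {
    n=$(grep -c 'KDB Test Passed' "$1" || true)
    [ "$n" -eq 4 ]
}
```

Run it as prepare_usb /dev/sdc ~/Downloads after confirming the device with lsblk; the script exits before touching the disk if the device is not flagged removable, so a USB-attached SSD that reports RM=0 must be handled deliberately rather than by weakening the guard. Capture the appliance's diagnose kdb output to a file and pass it to kdb_tests_passed to turn the manual "four lines" check into a pass/fail exit status.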

Note

When you have finished using the USB or SSD drive, remove it from the FortiNDR. Some disk-related CLI commands, such as execute factoryreset, execute partitiondisk, or diagnose hardware sysinfo, might treat the additional disk as the primary data partition.
