Configuring antivirus settings : Using FortiSandbox antivirus inspection
Using FortiSandbox antivirus inspection
The FortiSandbox appliance and FortiSandbox cloud service are used for automated sample tracking, or sandboxing. You can send suspicious email attachments to FortiSandbox for inspection when you configure antivirus profiles (see “Managing antivirus profiles”). If the file exhibits risky behavior, or is found to contain a virus, the result will be sent back to FortiMail and a new virus signature is created and added to the FortiGuard antivirus signature database as well.
 
If email attachments are sent to FortiSandbox, and the "reject" action is configured in the action profile, the actual action will fallback to "system quarantine" if spam or viruses are detected afterwards.
To add a FortiSandbox unit
1. Go to AntiVirus > FortiSandbox.
2. Enable the FortiSandbox Inspection and configure the following settings:
GUI item
Description
FortiSandbox type
If you use an appliance, specify the appliance’s host name or IP address; If you use the cloud service, make sure you have a valid contract.
To register for FortiSandbox Cloud service
1. Go to Monitor > System Status.
2. Click Log In besides FortiCloud under License Information.
3. Enter the contract license.
Note: If you are running FortiMail HA, you must register all the master and slave units. For active-passive HA, this is to ensure that the slave unit can continue to use the FortiCloud service in case of HA failover. For config-only HA, this is because all the units need to access the service.
Server name/IP
Enter the FortiSandbox host name or IP address. The port to use is 514. If you have a firewall in between FortiMail and FortiSandbox, make this port is allowed.
Test Connection
Click Test Connection to make sure the connection is successful. If the connection fails, check the network connection.
Notification email
This is the email address that FortiSandbox will use to send out notifications and reports. If you want to receive such email, enter your email address. For details, see the FortiSandbox documentation.
Statistics interval
Specify how long FortiMail should wait to retrieve some high level statistics from FortiSandbox. The default interval is 5 minutes. The statistics include how many malwares are detected and how many files are clean among all the files submitted.
Scan timeout
Specify how long FortiMail will wait to get the results.
Scan result expires in
Specify how long FortiMail will cache the results.
Scan mode
Submit and wait for result means to submit email and wait for scan results from FortiSandbox.
Submit only means just to submit email to FortiSandbox and deliver it without waiting for scan results.
File Scan Settings
File types
Select what types of attachment files will be uploaded to FortiSandbox for scanning.
File patterns
Create your own file pattern that will be uploaded to FortiSandbox, for example, *.txt.
File size
Specify the maximum file size to upload to FortiSandbox. You may want to limit the file size to improve performance.
URI Scan Settings
Enable
Enable to scan the URIs to determine if they are malicious or phishing sites.
Note: If you do not want to send any URIs to FortiSandbox, you can do so by adding them to the URL exempt list. For details, see “Configuring the URL exempt list”.
Email selection
Specify to scan URIs in all email or the suspicious email only. Suspicious email messages are those received during spam outbreaks.
URI selection
Specify to scan all URIs or the unrated URIs only. The unrated URIs are the URIs that are tagged as unrated by the FortiGuard antispam service.
Sometimes, FortiMail may not be able to get results from the FortiGuard queries (for example, ratings errors due to network connection failures). In this case, you can choose whether to upload those URIs to FortiSandbox for scanning. Choosing not to upload those URIs may help improving the FortiSandbox performance.
Number of URIs per email
Specify how many URIs will be scanned in one email message.