Sending Files for Sandbox Inspection

Sending files to the FortiSandbox appliance or to FortiCloud does not block files immediately. Instead, the files assist in the discovery of new threats and the creation of new signatures to be added to the global FortiGuard AntiVirus database. Files deemed malicious are also immediately added to a custom Malware Package which is sent to the FortiGate every two minutes for live remediation.

Options for sending files for Sandbox Inspection differ between FortiOS 5.4 and FortiOS 5.4.1. Go to Security Profiles > AntiVirus to set those options.

FortiOS 5.4

There are three options concerning what type of files can be sent for sandbox inspection: All Files, Suspicious Files, or Executable Files.

All Files is the recommended selection to increase the likelihood of detecting unknown malware.

If Suspicious Files is selected, then the FortiGate will examine each file and determine if it should be considered suspicious. A file is deemed suspicious when it does not contain a known threat but has characteristics that suggest it may be malware. The characteristics that determine if a file is suspicious are updated by Fortinet to reflect the current threat climate.

If Executable Files is chosen, all executable files will be sent to FortiSandbox, while other file types are not sent for sandbox inspection.

FortiOS 5.4.1

There are two options for sending files for sandbox inspection: None or All Supported Files. If All Supported Files is selected, users can withhold files from being submitted for inspection by type or name pattern.