FortiClient supports integration with FortiSandbox, including on-premise FortiSandbox appliances and FortiSandbox Cloud. When configured, FortiSandbox automatically scans files downloaded on the endpoint or from removable media attached to the endpoint or mapped network drives. FortiClient also automatically scans files downloaded with an email client on the endpoint or from the Internet. In each case, if the file is not detected locally, and FortiSandbox integration is configured, FortiClient sends the file to the FortiSandbox for further analysis. Endpoint users can also manually submit files to FortiSandbox for scanning.
Access to files can be blocked until the FortiSandbox scanning result is returned.
When scanning is complete, FortiClient can quarantine/deny access to infected files or alert and notify the endpoint user of infected files without quarantining the files. If FortiSandbox sends a verdict to FortiClient indicating that the file is malicious, FortiClient also sends the results to EMS.
As FortiSandbox receives files for scanning from various sources, it collects and generates AV signatures for such samples. FortiClient periodically downloads the latest AV signatures from FortiSandbox, and applies them locally to all realtime and on-demand AV scanning.
FortiClient can send a maximum of 300 files daily to FortiSandbox Cloud. If multiple files are submitted around the same time, FortiClient sends one file to FortiSandbox Cloud, waits until it receives the verdict for that file, then sends the next file to FortiSandbox Cloud.
If configured by the EMS administrator, FortiClient submits files with specified extensions to FortiSandbox. See the FortiClient EMS Administration Guide for details.