The cloud-based malware protection feature helps protect endpoints from high risk file types from external sources such as the Internet or network drives by querying FortiGuard to determine whether files are malicious. The following describes the process for cloud-based malware protection:
- A high risk file is downloaded or executed on the endpoint.
- FortiClient generates a SHA1 checksum for the file.
- FortiClient sends the checksum to FortiGuard to determine if it is malicious against the FortiGuard checksum library.
- If the checksum is found in the library, FortiGuard communicates to FortiClient that the file is deemed malware. By default, FortiClient quarantines the file.
This feature only submits high risk file types such as .exe, .doc, .pdf, and .dll to FortiGuard. The list of high risk file types is the same as the list of file types submitted to Sandbox by default. See the FortiClient EMS Administration Guide for details.
For details on seeing quarantined files, see Viewing quarantined files.