EMS Administration Guide

Sandbox Detection

Enable Sandbox Detection. Some options only display if you enable Advanced view. Configure the following options:

Options

Description

Sandbox Detection

Enable Sandbox Detection.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

Server

FortiSandbox

Select Appliance to configure a connection to an on-premises FortiSandbox appliance, or Cloud to configure a connection to FortiSandbox Cloud. FortiSandbox Cloud offers a more affordable alternative to a FortiSandbox appliance, since it is a cloud service that you do not need to host on-site. However, FortiSandbox Cloud does not offer the full range of features that a FortiSandbox appliance offers. See Appendix F - FortiCloud Sandbox.

IP address/Hostname

Enter the FortiSandbox's IP address or hostname. Click Test Connection to ensure that EMS can communicate with FortiSandbox. This option is only available for a FortiSandbox appliance.

Username

Optional. Enter the FortiSandbox username. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the username is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details.

Password

Optional. Enter the FortiSandbox password. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the password is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details.

Region

FortiSandbox Cloud region. See Configuring Fortinet Services settings.

Time Zone

FortiSandbox Cloud time zone. See Configuring Fortinet Services settings.

License Status

Displays the Sandbox Cloud license status. Using FortiSandbox Cloud requires an additional license. See FortiClient EMS.

Inspection Mode

Select one of the following:

  • None: FortiClient does not send any files to FortiSandbox for inspection.
  • High-Risk Files: FortiClient inspects all supported high-risk files and sends them to FortiSandbox as appropriate.
  • All Supported Extensions: FortiClient inspects files with any supported file extension and sends them to FortiSandbox as appropriate. This option is only available for a FortiSandbox appliance.

Excluded File Extensions

Select a file extension to exclude from FortiSandbox scanning. You can select multiple file extensions.

Wait for FortiSandbox Results before Allowing File Access

Have the endpoint user wait for FortiSandbox scanning results before being allowed access to files. Set the timeout in seconds.

Deny Access to File When There Is No Sandbox Result

Deny access to downloaded files if there is no FortiSandbox result. This may happen if FortiSandbox is offline.

File Submission Options

All Files Executed from Removable Media

Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.

All Files Executed from Mapped Network Drives

Submit all files executed from mapped network drives.

All Web Downloads

Submit all web downloads.

All Email Downloads

Submit all email downloads.

Remediation Actions

Action

Choose Quarantine or Alert & Notify for infected files. Whether the user can access the file depends on the Wait for FortiSandbox Results before Allowing File Access and Deny Access to File When There Is No Sandbox Result settings. Whether FortiClient quarantines the file depends on whether FortiSandbox reports the file as malicious and on the Sandbox <detect_level> setting.

Exceptions

Exclude Files from Trusted Sources

Exclude files signed by trusted sources from FortiSandbox submission. FortiSandbox trusts the following sources:

  • Microsoft
  • Fortinet
  • Mozilla
  • Windows
  • Google
  • Skype
  • Apple
  • Yahoo!
  • Intel

Exclude Specified Folders/Files

Exclude specified folders/files from FortiSandbox submission. You must also create the exclusion list.

Inclusions

Include Specified Folders/Files

Include specified folders/files in FortiSandbox submission. You must also create the inclusion list.

Note

In addition to the configuration above, you must also configure the connection to EMS on the FortiSandbox. In FortiSandbox, go to Scan Input > Devices, and search for and authorize EMS using its serial number. You can find the EMS serial number on the System Information widget on the Dashboard.
