Fortinet black logo

EMS Administration Guide

Sandbox Detection

Sandbox Detection

Enable Sandbox Detection. Some options only display if you enable Advanced view.

Some options on this tab are only available for configuration if your FortiClient EMS license includes the Sandbox Cloud feature. For example, if you have only applied the ZTNA license, the FortiSandbox Cloud options are unavailable. See Windows, macOS, and Linux endpoint licenses for details on which features each license type includes.

Note

This feature does not rely on FortiClient real-time protection and can be used alongside other real-time antimalware applications such as Windows Defender. Files that these applications have quarantined cannot be sent to FortiSandbox.

Configure the following options:

Options

Description

Sandbox Detection

Enable Sandbox Detection.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

Server

FortiSandbox

Select Appliance to configure connection to an on-premise FortiSandbox appliance or Cloud to configure connection to FortiSandbox Cloud. FortiSandbox Cloud offers a more affordable alternative to a FortiSandbox appliance, since it is a cloud service that you do not need to host on-site. However, FortiSandbox Cloud does not offer the full range of features that a FortiSandbox appliance offers. See FortiSandbox Cloud documentation.

IP address/Hostname

Enter the FortiSandbox's IP address or hostname. Click Test Connection to ensure that EMS can communicate with FortiSandbox. This option is only available for a FortiSandbox appliance.

Username

Optional. Enter the FortiSandbox username. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the username is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details.

Password

Optional. Enter the FortiSandbox password. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the password is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details.

Region

FortiSandbox Cloud region. See Configuring FortiGuard Services settings.

Time Zone

FortiSandbox Cloud time zone. See Configuring FortiGuard Services settings.

License Status

Displays the Sandbox Cloud license status. Using FortiSandbox Cloud requires an additional license. See FortiClient EMS.

Inspection Mode

Select one of the following:

  • None: FortiClient does not send any files to FortiSandbox for inspection.
  • High-Risk Files: FortiClient inspects all supported high-risk files and sends to FortiSandbox as appropriate. The following are considered high-risk file types: exe, bat, vbs, js, htm, htm, gz, rar, tar, lzh, upx, zip, cab, bz2, 7z, pdf, xz, swf, rtf, dll, doc, xls, ppt, docx, xlsx, pptx, thmx, apk, exe, lnk, kgb, z, ace, jar, msi, mime, mac, dmg, mac, iso, elf, arj
  • All Supported Extensions: FortiClient inspects all supported file extensions and sends to FortiSandbox as appropriate. This option is only available for a FortiSandbox appliance.

Excluded File Extensions

Select a file extension to exclude from FortiSandbox scanning. You can select multiple file extensions.

Wait for FortiSandbox Results before Allowing File Access

Have the endpoint user wait for FortiSandbox scanning results before being allowed access to files. Set the timeout in seconds.

Deny Access to File When There Is No Sandbox Result

Deny access to downloaded files if there is no FortiSandbox result. This may happen if FortiSandbox is offline.

File Submission Options

All Files Executed from Removable Media

Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.

All Files Executed from Mapped Network Drives

Submit all files executed from mapped network drives.

All Web Downloads

Submit all web downloads.

All Email Downloads

Submit all email downloads.

Remediation Actions

Action

Choose Quarantine or Alert & Notify for infected files. The user can access the file depending on Wait for FortiSandbox Results before Allowing File Access and Deny Access to File When There Is No Sandbox Result configuration. Whether FortiClient quarantines the file depends on if FortiSandbox reports the file as malicious and the FortiSandbox Detection Verdict Level setting.

FortiSandbox Detection Verdict Level

Select the desired detection verdict level. For FortiClient to apply the action selected in the Action field to an infected file, FortiSandbox must detect the file as this level or higher. For example, if Action is configured as Quarantine and FortiSandbox Detection Verdict Level is configured as Medium, FortiClient quarantines all infected files that FortiSandbox detects as Medium or a higher level (High or Malicious). FortiClient does not quarantine files for which FortiSandbox returns a verdict below this level (Low Risk or Clean).

Exceptions

Exclude Files from Trusted Sources

Exclude files signed by trusted sources from FortiSandbox submission. Following is a list of sources that FortiSandbox trusts:

  • Microsoft
  • Fortinet
  • Mozilla
  • Windows
  • Google
  • Skype
  • Apple
  • Yahoo!
  • Intel

Exclude Specified Folders/Files

Exclude specified folders/files from FortiSandbox submission. You must also create the exclusion list.

Inclusions

Include Specified Folders/Files

Include specified folders/files in FortiSandbox submission. You must also create the inclusion list.

Other

Hide Sandbox Scan from Windows Explorer's Context Menu

Hide Sandbox scan option from Windows Explorer's right-click context menu.

Note

In addition to the configuration above, you must also configure the connection to EMS on the FortiSandbox. In FortiSandbox, go to Scan Input > Devices, and search for and authorize EMS using its serial number. You can find the EMS serial number on the System Information widget on the Dashboard.

Sandbox Detection

Enable Sandbox Detection. Some options only display if you enable Advanced view.

Some options on this tab are only available for configuration if your FortiClient EMS license includes the Sandbox Cloud feature. For example, if you have only applied the ZTNA license, the FortiSandbox Cloud options are unavailable. See Windows, macOS, and Linux endpoint licenses for details on which features each license type includes.

Note

This feature does not rely on FortiClient real-time protection and can be used alongside other real-time antimalware applications such as Windows Defender. Files that these applications have quarantined cannot be sent to FortiSandbox.

Configure the following options:

Options

Description

Sandbox Detection

Enable Sandbox Detection.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

Server

FortiSandbox

Select Appliance to configure connection to an on-premise FortiSandbox appliance or Cloud to configure connection to FortiSandbox Cloud. FortiSandbox Cloud offers a more affordable alternative to a FortiSandbox appliance, since it is a cloud service that you do not need to host on-site. However, FortiSandbox Cloud does not offer the full range of features that a FortiSandbox appliance offers. See FortiSandbox Cloud documentation.

IP address/Hostname

Enter the FortiSandbox's IP address or hostname. Click Test Connection to ensure that EMS can communicate with FortiSandbox. This option is only available for a FortiSandbox appliance.

Username

Optional. Enter the FortiSandbox username. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the username is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details.

Password

Optional. Enter the FortiSandbox password. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the password is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details.

Region

FortiSandbox Cloud region. See Configuring FortiGuard Services settings.

Time Zone

FortiSandbox Cloud time zone. See Configuring FortiGuard Services settings.

License Status

Displays the Sandbox Cloud license status. Using FortiSandbox Cloud requires an additional license. See FortiClient EMS.

Inspection Mode

Select one of the following:

  • None: FortiClient does not send any files to FortiSandbox for inspection.
  • High-Risk Files: FortiClient inspects all supported high-risk files and sends to FortiSandbox as appropriate. The following are considered high-risk file types: exe, bat, vbs, js, htm, htm, gz, rar, tar, lzh, upx, zip, cab, bz2, 7z, pdf, xz, swf, rtf, dll, doc, xls, ppt, docx, xlsx, pptx, thmx, apk, exe, lnk, kgb, z, ace, jar, msi, mime, mac, dmg, mac, iso, elf, arj
  • All Supported Extensions: FortiClient inspects all supported file extensions and sends to FortiSandbox as appropriate. This option is only available for a FortiSandbox appliance.

Excluded File Extensions

Select a file extension to exclude from FortiSandbox scanning. You can select multiple file extensions.

Wait for FortiSandbox Results before Allowing File Access

Have the endpoint user wait for FortiSandbox scanning results before being allowed access to files. Set the timeout in seconds.

Deny Access to File When There Is No Sandbox Result

Deny access to downloaded files if there is no FortiSandbox result. This may happen if FortiSandbox is offline.

File Submission Options

All Files Executed from Removable Media

Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.

All Files Executed from Mapped Network Drives

Submit all files executed from mapped network drives.

All Web Downloads

Submit all web downloads.

All Email Downloads

Submit all email downloads.

Remediation Actions

Action

Choose Quarantine or Alert & Notify for infected files. The user can access the file depending on Wait for FortiSandbox Results before Allowing File Access and Deny Access to File When There Is No Sandbox Result configuration. Whether FortiClient quarantines the file depends on if FortiSandbox reports the file as malicious and the FortiSandbox Detection Verdict Level setting.

FortiSandbox Detection Verdict Level

Select the desired detection verdict level. For FortiClient to apply the action selected in the Action field to an infected file, FortiSandbox must detect the file as this level or higher. For example, if Action is configured as Quarantine and FortiSandbox Detection Verdict Level is configured as Medium, FortiClient quarantines all infected files that FortiSandbox detects as Medium or a higher level (High or Malicious). FortiClient does not quarantine files for which FortiSandbox returns a verdict below this level (Low Risk or Clean).

Exceptions

Exclude Files from Trusted Sources

Exclude files signed by trusted sources from FortiSandbox submission. Following is a list of sources that FortiSandbox trusts:

  • Microsoft
  • Fortinet
  • Mozilla
  • Windows
  • Google
  • Skype
  • Apple
  • Yahoo!
  • Intel

Exclude Specified Folders/Files

Exclude specified folders/files from FortiSandbox submission. You must also create the exclusion list.

Inclusions

Include Specified Folders/Files

Include specified folders/files in FortiSandbox submission. You must also create the inclusion list.

Other

Hide Sandbox Scan from Windows Explorer's Context Menu

Hide Sandbox scan option from Windows Explorer's right-click context menu.

Note

In addition to the configuration above, you must also configure the connection to EMS on the FortiSandbox. In FortiSandbox, go to Scan Input > Devices, and search for and authorize EMS using its serial number. You can find the EMS serial number on the System Information widget on the Dashboard.