Sandboxing

The following XML lists the general sandboxing attributes:

<forticlient_configuration>
  <sandboxing>
    <enabled>1</enabled>
    <type>appliance</type>
    <address>n.n.n.n</address>
    <response_timeout>30</response_timeout>
    <when>
      <executables_on_removable_media>1</executables_on_removable_media>
      <executables_on_mapped_nw_drives>1</executables_on_mapped_nw_drives>
      <web_downloads>1</web_downloads>
      <email_downloads>1</email_downloads>
    </when>
    <submit_by_extensions>
      <enabled>1</enabled>
      <use_custom_extensions>1</use_custom_extensions>
      <custom_extensions>.exe,.dll,.com</custom_extensions>
    </submit_by_extensions>
    <exceptions>
      <exclude_files_from_trusted_sources>1</exclude_files_from_trusted_sources>
      <exclude_files_and_folders>0</exclude_files_and_folders>
      <folders>
        <folder>C:\path1\to\folder\,C:\path2\to\folder\</folder>
      </folders>
      <files>
        <file>C:\path\to\file1.txt, C:\path\to\file2.txt</file>
      </files>
    </exceptions>
    <inclusions>
      <include_files_and_folders>1</include_files_and_folders>
      <folders>
        <folder>C:\folder1,C:\path2\to\folder2\</folder>
      </folders>
      <files>
        <file>C:\path\to\file3.txt, C:\path\to\file4.txt</file>
      </files>
    </inclusions>
    <remediation>
      <action>quarantine</action>
      <on_error>block</on_error>
    </remediation>
    <detect_level>4</detect_level>
    <shell_integration>
      <hide_sandbox_scan>0</hide_sandbox_scan>
    </shell_integration>
  </sandboxing>
</forticlient_configuration>

The following table provides the XML tags for Sandbox, as well as the descriptions and default values where applicable.

XML tag

Description

Default value

<enabled>

Enable Sandbox Detection.

Boolean value: [0 | 1]

<type>

Specify the type of FortiSandbox unit.

<address>

Specify the IP address or FQDN of the FortiSandbox unit.

<response_timeout>

Specify the response timeout in seconds. If FortiSandbox results have not been received when the timeout expires, access to the file is allowed. Set to -1 to wait indefinitely, restricting access to the file until results are received.

<when> elements

<executables_on_removable_media>

Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.

Boolean value: [0 | 1].

<executables_on_mapped_nw_drives>

Submit all files executed from mapped network drives.

Boolean value: [0 | 1].

<web_downloads>

Submit all web downloads.

Boolean value: [0 | 1].

<email_downloads>

Submit all email downloads.

Boolean value: [0 | 1].

<submit_by_extensions> elements

<enabled>

Submit specified file extensions to FortiSandbox for analysis. When disabled, FortiClient does not submit any file extensions to FortiSandbox, but can still retrieve signatures from FortiSandbox.

Boolean value: [0 | 1].

Default value: 1

<use_custom_extensions>

Enable using a custom list of file extensions.

If enabled, configure the custom list of file extensions using the <custom_extensions> element below.

If disabled, the default list of file extensions is used: exe, dll, msi, cpl, ocx, ps1, swf, swz, jsfl, flv, swc, fla, xfl, jsfl, 7z, xz, bz2, gz, tar, zip, rar, arj, z, pdf, doc, docx, docm, dotx, dotm, dot, rtf, mht, mhtml, odt, xlsx, xl, xlsm, xlsb, xltx, xltm, xls, xlt, xlam, xlw, pptx, pptm, ppt, xps, potx, potm, pot, thmx, pps, ppsx, ppsm, ppt, ppam, odp

Boolean value: [0 | 1].

Default value: 0

<custom_extensions>

If using a custom list of file extensions, enter the list of desired file extensions, separated only by commas. The example submits .exe, .dll, and .com files to FortiSandbox for analysis.

<exceptions> elements

<exclude_files_from_trusted_sources>

Exclude files signed by trusted sources from FortiSandbox submission.

Boolean value: [0 | 1].

<exclude_files_and_folders>

Exclude specified folders/files from FortiSandbox submission. You must also create the exclusion list.

Boolean value: [0 | 1].

<files>

Specify a list of files to exclude. Separate multiple files with a comma. Example: C:\path\to\file1.txt, C:\path\to\file2.txt

<folders>

Specify a list of folders to exclude. Separate multiple folders with a comma. Example: C:\path1\to\folder\,C:\path2\to\folder\

<inclusions> elements

<include_files_and_folders>

Include specified folders/files in FortiSandbox submission. You must also create the inclusion list.

Boolean value: [0 | 1].

<files>

Specify a list of files to include. Separate multiple files with a comma. Example: C:\path\to\file3.txt, C:\path\to\file4.txt

<folders>

Specify a list of folders to include. Separate multiple folders with a comma. Example: C:\folder1,C:\path2\to\folder2\

<remediation> elements

<action>

Specify how FortiClient handles files that FortiSandbox reports as infected. Enter one of the following:

  • quarantine: quarantine infected files
  • alert: alert the user about infected files but allow access to infected files

<on_error>

Specify how to handle files when FortiClient cannot reach FortiSandbox. You can block or allow access to files. Enter one of the following:

  • block
  • allow

<detect_level>

Specify the highest FortiSandbox score that triggers remediation. Scores from 1 up to the configured level trigger the configured remediation action; score 0 and any score above the configured level release the file.

When the value is 4: If FortiSandbox returns score 1/2/3/4, FortiClient takes the configured remediation action (quarantine or alert & notify). If FortiSandbox returns score 0, FortiClient releases the file.

When the value is 3: If FortiSandbox returns score 1/2/3, FortiClient takes the configured remediation action (quarantine or alert & notify). If FortiSandbox returns score 0/4, FortiClient releases the file.

When the value is 2: If FortiSandbox returns score 1/2, FortiClient takes the configured remediation action (quarantine or alert & notify). If FortiSandbox returns score 0/3/4, FortiClient releases the file.

When the value is 1: If FortiSandbox returns score 1, FortiClient takes the configured remediation action (quarantine or alert & notify). If FortiSandbox returns score 0/2/3/4, FortiClient releases the file.

Possible values: [4 | 3 | 2 | 1]

Default value: 4

<hide_sandbox_scan>

Hide Sandbox scan option from Windows Explorer's context menu.

Boolean value: [0 | 1]
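As an added example (not Fortinet's code), the following Python parses a sandboxing block like the one above and models the documented decision rules: the custom extension list, the detect_level score cutoff, response_timeout expiry and the on_error fallback. The parsing helper and the "restricted", "allow" and "release" verdict labels are assumptions for illustration, not FortiClient behaviour names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's example trimmed to the elements this model reads.
SAMPLE_XML = """<forticlient_configuration>
  <sandboxing>
    <response_timeout>30</response_timeout>
    <submit_by_extensions>
      <use_custom_extensions>1</use_custom_extensions>
      <custom_extensions>.exe,.dll,.com</custom_extensions>
    </submit_by_extensions>
    <remediation>
      <action>quarantine</action>
      <on_error>block</on_error>
    </remediation>
    <detect_level>4</detect_level>
  </sandboxing>
</forticlient_configuration>"""

def parse_sandboxing(xml_text):
    """Read the settings the decision model needs (hypothetical helper, not FortiClient's)."""
    sb = ET.fromstring(xml_text).find("sandboxing")
    sbe = sb.find("submit_by_extensions")
    custom = None  # None: FortiClient's built-in default extension list applies
    if sbe.findtext("use_custom_extensions") == "1":
        custom = [e.strip().lower() for e in sbe.findtext("custom_extensions", "").split(",") if e.strip()]
    return {
        "response_timeout": int(sb.findtext("response_timeout")),
        "custom_extensions": custom,
        "action": sb.find("remediation").findtext("action"),
        "on_error": sb.find("remediation").findtext("on_error"),
        "detect_level": int(sb.findtext("detect_level")),
    }

def is_submitted(cfg, filename):
    """None when the built-in default list applies; otherwise match against the custom list."""
    if cfg["custom_extensions"] is None:
        return None
    return any(filename.lower().endswith(ext) for ext in cfg["custom_extensions"])

def verdict(cfg, score, reachable=True):
    """Scores 1..detect_level trigger <action>; 0 or above detect_level release the file.
    score=None: no result before <response_timeout>; reachable=False: <on_error> decides."""
    if not reachable:
        return cfg["on_error"]
    if score is None:
        return "restricted" if cfg["response_timeout"] == -1 else "allow"
    if 1 <= score <= cfg["detect_level"]:
        return cfg["action"]
    return "release"
```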
