EMS Administration Guide

Sandbox

Enable Sandbox Detection. Some options only display if you enable Advanced view.

Some options on this tab are only available for configuration if your FortiClient EMS license includes the Sandbox Cloud feature. For example, if you have only applied the ZTNA license, the FortiClient Cloud Sandbox options are unavailable. See Windows, macOS, and Linux licenses for details on which features each license type includes.

For each endpoint, FortiClient can send a maximum of 300 files daily to FortiClient Cloud Sandbox. If multiple files are submitted around the same time, FortiClient sends one file to FortiClient Cloud Sandbox, waits until it receives the verdict for that file, then sends the next file to FortiClient Cloud Sandbox.

Note

This feature does not rely on FortiClient real-time protection and can be used alongside other real-time antimalware applications such as Windows Defender. Files that these applications have quarantined cannot be sent to FortiSandbox.

Configure the following options:

Options

Description

Sandbox Detection

Enable Sandbox Detection.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

Server

FortiSandbox

To configure a connection to an on-premises FortiSandbox appliance or to FortiSandbox Cloud, select Appliance. Select Cloud to configure a connection to FortiClient Cloud Sandbox.

FortiClient Cloud Sandbox offers a more affordable alternative to a FortiSandbox appliance, since it is a cloud service that you do not need to host on-site. However, FortiClient Cloud Sandbox does not offer the full range of features that a FortiSandbox appliance offers. FortiClient Cloud Sandbox is a service that uploads and analyzes files that FortiClient antivirus (AV) marks as suspicious.

If FortiClient Cloud Sandbox is enabled and configured on the assigned profile, FortiClient uploads suspicious files to FortiGuard for analysis. Once uploaded, the file is executed and the resulting behavior is analyzed for risk. If the file exhibits risky behavior or is found to contain a virus, a new virus signature is created and added to the FortiGuard AV signature database. The next time FortiClient updates its AV database, it receives the new signature. The turnaround time on Cloud Sandboxing and AV submission ranges from ten minutes for automated FortiClient Cloud Sandbox detection to ten hours if FortiGuard Labs is involved.

FortiGuard Labs considers a file suspicious if it exhibits some unusual behavior, yet does not contain a known virus. The behaviors that it considers suspicious change depending on the current threat climate and other factors.

FortiClient Cloud Sandbox is only available with the Endpoint Protection Platform license.

IP address/Hostname

For a FortiSandbox appliance, enter the FortiSandbox's IP address, FQDN, or hostname.

Although the IP address/Hostname field is only available when Appliance is selected, you can also use it to configure FortiSandbox Cloud: enter the FortiSandbox Cloud FQDN in this field and the account ID in the Account ID field.

Click Test Connection to ensure that EMS can communicate with FortiSandbox. This option is only available when Appliance is selected.

Account ID

Optional. Enter the FortiSandbox Cloud account ID. You should only use this option when configuring a FortiSandbox Cloud using the FQDN.

Username

Optional. Enter the FortiSandbox username. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the username is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details.

Password

Optional. Enter the FortiSandbox password. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the password is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details.

Region

FortiClient Cloud Sandbox region. See Configuring FortiGuard Services settings.

Time Offset

FortiClient Cloud Sandbox time offset. See Configuring FortiGuard Services settings.

License Status

Displays the Sandbox Cloud license status. Using FortiClient Cloud Sandbox requires an additional license. See FortiClient EMS.

Inspection Mode

Select one of the following:

  • None: FortiClient does not send any files to FortiSandbox for inspection.
  • High-Risk Files: FortiClient inspects all supported high-risk files and sends them to FortiSandbox as appropriate. The following are considered high-risk file types: exe, bat, vbs, js, htm, gz, rar, tar, lzh, upx, zip, cab, bz2, 7z, pdf, xz, swf, rtf, dll, doc, xls, ppt, docx, xlsx, pptx, thmx, apk, lnk, kgb, z, ace, jar, msi, mime, mac, dmg, iso, elf, arj
  • All Supported Extensions: FortiClient inspects all supported file extensions and sends them to FortiSandbox as appropriate. This option is only available for a FortiSandbox appliance.

Excluded File Extensions

Select a file extension to exclude from FortiSandbox scanning. You can select multiple file extensions.

Wait for FortiSandbox Results before Allowing File Access

Have the endpoint user wait for FortiSandbox scanning results before being allowed access to files. Set the timeout in seconds.

Deny Access to File When There Is No Sandbox Result

Deny access to downloaded files if there is no FortiSandbox result. This may happen if FortiSandbox is offline.

File Submission Options

All Files Executed from Removable Media

Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.

All Files Executed from Mapped Network Drives

Submit all files executed from mapped network drives.

All Web Downloads

Submit all web downloads.

All Email Downloads

Submit all email downloads.

Remediation Actions

Action

Choose Quarantine or Alert & Notify for infected files. Whether the user can access the file depends on the Wait for FortiSandbox Results before Allowing File Access and Deny Access to File When There Is No Sandbox Result configuration. Whether FortiClient quarantines the file depends on whether FortiSandbox reports the file as malicious and on the FortiSandbox Detection Verdict Level setting.

FortiSandbox Detection Verdict Level

Select the desired detection verdict level. For FortiClient to apply the action selected in the Action field to an infected file, FortiSandbox must detect the file as this level or higher. For example, if Action is configured as Quarantine and FortiSandbox Detection Verdict Level is configured as Medium, FortiClient quarantines all infected files that FortiSandbox detects as Medium or a higher level (High or Malicious). FortiClient does not quarantine files for which FortiSandbox returns a verdict below this level (Low Risk or Clean).
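The interaction between the Action, FortiSandbox Detection Verdict Level, Wait for FortiSandbox Results and Deny Access to File When There Is No Sandbox Result settings is easier to reason about as a decision table. The following Python model is an added example written for this page, not Fortinet code or a FortiClient API. It assumes the verdict ordering named on this page (Clean and Low Risk below Medium, High and Malicious above it), treats a verdict that arrives after the wait timeout as "no result" for the access decision while still applying the remediation once the verdict lands, and takes the verdict delay as a constructed input.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Verdict(IntEnum):
    """FortiSandbox verdict levels in ascending severity, as named on this page.
    The numeric ordering is an assumption made for this example."""
    CLEAN = 0
    LOW_RISK = 1
    MEDIUM = 2
    HIGH = 3
    MALICIOUS = 4


@dataclass(frozen=True)
class SandboxPolicy:
    action: str                # "Quarantine" or "Alert & Notify"
    verdict_level: Verdict     # FortiSandbox Detection Verdict Level
    wait_for_results: bool     # Wait for FortiSandbox Results before Allowing File Access
    wait_timeout_s: int        # timeout (seconds) for that wait
    deny_when_no_result: bool  # Deny Access to File When There Is No Sandbox Result


@dataclass(frozen=True)
class Outcome:
    access: str       # "allowed" or "denied"
    remediation: str  # "none", "quarantine" or "alert"
    reason: str


def decide_access(policy: SandboxPolicy, verdict: Optional[Verdict],
                  verdict_delay_s: Optional[int]) -> Outcome:
    """Resolve the user's access to a downloaded file and the remediation applied.

    verdict is None when FortiSandbox returned nothing (for example, it is offline).
    verdict_delay_s is how many seconds the verdict took to arrive (constructed input).
    """
    # Step 1: remediation follows from the verdict and the configured level.
    if verdict is None or verdict < policy.verdict_level:
        remediation = "none"
    elif policy.action == "Quarantine":
        remediation = "quarantine"
    else:
        remediation = "alert"

    # Step 2: was a result available when the access decision had to be made?
    # A verdict arriving after the wait timeout counts as "no result" for that
    # decision (modelling assumption); the remediation still applies once it lands.
    timed_out = (policy.wait_for_results and verdict_delay_s is not None
                 and verdict_delay_s > policy.wait_timeout_s)
    if verdict is None or timed_out:
        why = ("no FortiSandbox result" if verdict is None
               else f"verdict arrived after the {policy.wait_timeout_s}s wait timeout")
        if policy.deny_when_no_result:
            return Outcome("denied", remediation, why + "; access denied by policy")
        return Outcome("allowed", remediation, why + "; access permitted by policy")

    # Step 3: a timely verdict; access follows the remediation.
    if remediation == "quarantine":
        return Outcome("denied", "quarantine",
                       f"{verdict.name} is at or above {policy.verdict_level.name}; file quarantined")
    if remediation == "alert":
        return Outcome("allowed", "alert",
                       f"{verdict.name} is at or above {policy.verdict_level.name}; user alerted")
    return Outcome("allowed", "none", f"{verdict.name} is below {policy.verdict_level.name}")


if __name__ == "__main__":
    # Constructed scenarios under a strict profile: quarantine at Medium or above,
    # wait up to 60 s for a verdict, deny access when there is none.
    strict = SandboxPolicy("Quarantine", Verdict.MEDIUM, True, 60, True)
    for v, delay in [(Verdict.HIGH, 10), (Verdict.LOW_RISK, 10), (None, None), (Verdict.MALICIOUS, 120)]:
        o = decide_access(strict, v, delay)
        label = v.name if v is not None else "NO RESULT"
        print(f"{label:>10} after {delay}s -> {o.access:7} {o.remediation:10} {o.reason}")
```

The last scenario is the one worth checking in a real deployment: with a 60-second wait and deny-when-no-result enabled, a verdict that takes two minutes keeps the user out of the file, whereas with deny-when-no-result disabled the user would get the file before the quarantine catches up.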

Exceptions

Exclude Files from Trusted Sources

Exclude files signed by trusted sources from FortiSandbox submission. Following is a list of sources trusted by FortiSandbox:

  • Microsoft
  • Fortinet
  • Mozilla
  • Windows
  • Google
  • Skype
  • Apple
  • Yahoo!
  • Intel

Exclude Specified Folders/Files

Exclude specified folders/files from FortiSandbox submission. You must also create the exclusion list.

Inclusions

Include Specified Folders/Files

Include specified folders/files in FortiSandbox submission. You must also create the inclusion list.
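The Inspection Mode, Excluded File Extensions, File Submission Options, Exceptions and Inclusions settings above, together with the per-endpoint limit of 300 files per day stated at the top of this page, all feed one question: is this file submitted to FortiSandbox? The following Python model is an added example for this page, not Fortinet code and not the FortiClient engine's actual logic. The high-risk extension list and trusted signer list are copied from this page; the precedence between the inclusion list, exclusion list, trusted signers, excluded extensions and source-based options is not stated on the page and is an assumption documented in the code, as is treating any extension as supported in All Supported Extensions mode. The source labels and sample paths are constructed.

```python
import ntpath
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# High-risk file types as listed under Inspection Mode on this page.
HIGH_RISK_EXTENSIONS = frozenset(
    "exe bat vbs js htm gz rar tar lzh upx zip cab bz2 7z pdf xz swf rtf dll doc xls ppt "
    "docx xlsx pptx thmx apk lnk kgb z ace jar msi mime mac dmg iso elf arj".split()
)
# Sources the page lists as trusted by FortiSandbox (matched on code-signing publisher).
TRUSTED_SIGNERS = frozenset(
    {"Microsoft", "Fortinet", "Mozilla", "Windows", "Google", "Skype", "Apple", "Yahoo!", "Intel"}
)
DAILY_LIMIT = 300  # per-endpoint daily maximum for FortiClient Cloud Sandbox, per this page


@dataclass(frozen=True)
class Candidate:
    path: str
    source: str            # constructed labels: "removable_exec", "mapped_exec", "web", "email", "local"
    signer: Optional[str]  # publisher of a valid code signature, or None if unsigned


@dataclass
class SubmissionConfig:
    inspection_mode: str = "High-Risk Files"  # "None", "High-Risk Files" or "All Supported Extensions"
    excluded_extensions: Set[str] = field(default_factory=set)  # Excluded File Extensions
    submit_removable: bool = True         # All Files Executed from Removable Media
    submit_mapped_drives: bool = True     # All Files Executed from Mapped Network Drives
    submit_web_downloads: bool = True     # All Web Downloads
    submit_email_downloads: bool = True   # All Email Downloads
    exclude_trusted_sources: bool = True  # Exclude Files from Trusted Sources
    excluded_paths: List[str] = field(default_factory=list)  # Exclude Specified Folders/Files
    included_paths: List[str] = field(default_factory=list)  # Include Specified Folders/Files


# Maps a candidate's source label to the File Submission Option that covers it.
SOURCE_OPTIONS = {"removable_exec": "submit_removable", "mapped_exec": "submit_mapped_drives",
                  "web": "submit_web_downloads", "email": "submit_email_downloads"}


def _extension(path: str) -> str:
    return ntpath.splitext(path)[1].lstrip(".").lower()


def _under(path: str, prefix: str) -> bool:
    # Case-insensitive prefix match on normalised Windows paths.
    return ntpath.normcase(path).startswith(ntpath.normcase(prefix))


def should_submit(cfg: SubmissionConfig, c: Candidate) -> Tuple[bool, str]:
    """Decide whether one file is eligible for FortiSandbox submission.
    Assumed precedence (not specified on the page): inclusion list, exclusion list,
    trusted signer, excluded extensions, source-based options, then inspection mode."""
    if cfg.inspection_mode == "None":
        return False, "Inspection Mode is None"
    if any(_under(c.path, p) for p in cfg.included_paths):
        return True, "path is in the inclusion list"
    if any(_under(c.path, p) for p in cfg.excluded_paths):
        return False, "path is in the exclusion list"
    if cfg.exclude_trusted_sources and c.signer in TRUSTED_SIGNERS:
        return False, f"signed by trusted source {c.signer}"
    ext = _extension(c.path)
    if ext in cfg.excluded_extensions:
        return False, f"extension .{ext} is excluded"
    option = SOURCE_OPTIONS.get(c.source)
    if option and getattr(cfg, option):
        return True, f"source {c.source} is selected under File Submission Options"
    if cfg.inspection_mode == "High-Risk Files":
        if ext in HIGH_RISK_EXTENSIONS:
            return True, f".{ext} is a high-risk file type"
        return False, f".{ext} is not a high-risk file type"
    # All Supported Extensions: the page does not list them; assume any extension qualifies.
    return ext != "", "All Supported Extensions mode"


class EndpointSubmitter:
    """Applies the per-endpoint daily cap. FortiClient also sends one file at a time
    and waits for its verdict before the next; this counter does not model that queue."""

    def __init__(self, cfg: SubmissionConfig, daily_limit: int = DAILY_LIMIT):
        self.cfg, self.daily_limit, self.sent_today = cfg, daily_limit, 0

    def process(self, candidates: List[Candidate]) -> List[Tuple[str, bool, str]]:
        log = []
        for c in candidates:
            submit, why = should_submit(self.cfg, c)
            if submit and self.sent_today >= self.daily_limit:
                submit, why = False, f"daily limit of {self.daily_limit} reached"
            self.sent_today += int(submit)
            log.append((c.path, submit, why))
        return log


def demo_config() -> SubmissionConfig:
    return SubmissionConfig(excluded_extensions={"pdf"},
                            excluded_paths=["C:\\Build\\"], included_paths=["C:\\Inbox\\"])


# Constructed sample candidates, not real endpoint telemetry.
SAMPLE = [
    Candidate("C:\\Users\\a\\Downloads\\setup.exe", "web", None),
    Candidate("C:\\Users\\a\\Downloads\\report.pdf", "web", None),
    Candidate("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "local", "Mozilla"),
    Candidate("C:\\Build\\tool.exe", "local", None),
    Candidate("C:\\Inbox\\invoice.xyz", "local", None),
    Candidate("C:\\Temp\\macro.docx", "local", None),
    Candidate("C:\\Temp\\readme.txt", "local", None),
    Candidate("E:\\autorun.bat", "removable_exec", None),
]

if __name__ == "__main__":
    for path, sent, why in EndpointSubmitter(demo_config(), daily_limit=2).process(SAMPLE):
        print(f"{'SUBMIT' if sent else 'skip  '} {path}: {why}")
```

Running it with a daily limit of 2 instead of 300 makes the quota behaviour visible on the short sample: the later eligible files are skipped with a "daily limit" reason, which is the situation a busy endpoint reaches silently at 300 submissions and a reason to keep the exclusion list and trusted-source exception tidy rather than disabled.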

Other

Hide Sandbox Scan from Windows Explorer's Context Menu

Hide Sandbox scan option from Windows Explorer's right-click context menu.

Notification Type

Select the desired notification type to display to end users when FortiClient Cloud Sandbox detects an infected file:

  • Lite: Displays a notification balloon when FortiSandbox detects malware in a submission.
  • Full: Displays a popup for all FortiSandbox file submissions.
  • None: Does not display any notification for FortiSandbox file submissions, malware detection, or quarantine.

Note

In addition to the configuration above, you must also configure the connection to EMS on the FortiSandbox. In FortiSandbox, go to Scan Input > Devices, and search for and authorize EMS using its serial number. You can find the EMS serial number on the System Information widget on the Dashboard.
