Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

File On Demand

To view on-demand files and submit new files to be sandboxed, go to Scan Input > File On-Demand. You can drill down the information and apply search filters. You can select to create a PDF or CSV format snapshot report for all on-demand files. Search filters will be applied to the detailed report.

File On-Demand allows you to upload various file types directly to your FortiSandbox device. You can then view the results and decide whether or not to install the file on your network.

FortiSandbox has a rescan feature. When a Suspicious or Malicious file is detected, you can click the ReScan icon to rescan the file. This is useful when you want to understand the file's behavior being executed on the Microsoft Windows host. You can select to bypass Static Scan, AV Scan, Cloud Query, or Sandboxing in the Rescan Configuration dialog box. All rescanned jobs can be found in the On-Demand page.

You can select VM types to do the sandboxing by overwriting what is defined in the Scan Profile. When MACOSX or WindowsCloud VM is selected, the file will be uploaded to the cloud to be scanned. For password protected archive files or Microsoft Office files, write down all possible passwords. The default password list set in the Scan Policy > General page will also be used to extract the archive files.

All files submitted through the JSON API are treated as On-Demand files. Their results will also be shown on this page.

File On-Demand page - level 1

The following options are available:

Submit File

Click the button to submit a new file. You can upload a regular or archived file.

Six levels of file compression is supported. All files in the archive will be treated as a single file.

Show Rescan Job

Jobs either generated from AV Rescan or manually launched Rescan of files can be shown/hidden by this option.

Search

Show or hide the search filter field.

Add Search Filter

Click the search filter field to add search filters. Click the cancel icon to the left of the search filter to remove the specific filter. Click the clear all filters icon in the search filter field to clear all filters.

When the search filter is Filename, select the equal icon to toggle between exact search and pattern search.

Refresh

Click the refresh icon to refresh the entries displayed after applying search filters.

Clear all removable filters

Click the trash can icon to clear all removable filters.

Export Data

Click the Export Data button to create a PDF or CSV snapshot report. The time period of included jobs in the report depends on the selection of Time Period drop-down. You can wait until the report is ready to view, or navigate away and find the report later in Log & Report > Report Center.

View Jobs

Click the icon to view the scan job(s) associated with the entry. In this page you can view detailed information for files scanned. If the file is an archive file, all files in the archive are displayed in this page. Click the back button to return to the on-demand page.

Pagination

Use the pagination options to browse entries displayed.

This page displays the following information:

Submission Time

The date and time that the file was submitted to FortiSandbox. Use the column filter to sort the entries in ascending or descending order.

Submitted Filename

The file name.

Submitted By

The name of the administrator that submitted the file. Use the column filter to sort the entries in ascending or descending order.

Rating

Hover over the icon in this column to view the file rating. The rating can be one or more of the following: Clean, Low Risk, Medium Risk, High Risk, Malicious, or Other. For archive files, the possible ratings of all files in the archive will be displayed.

During the file scan, the rating is displayed as N/A. If a scan times out or is terminated by the system, the file will have an Other rating.

Status

The scan status can be Queued, In-Process, or Done.

File Count

The number of files associated with the entry. It is in the format of (finished file count)/(total files of this submission) when the scan is In-Progress. When the scan is done, it will display the total number of files in this submission.

Comments

The comments user enters when submitting the file.

Rescan Job

This icon indicates that this file is a rescanned version of another file.

Archive Submission

This icon indicates that an archived file has been submitted for scanning.

Total Jobs

The number of jobs displayed and the total number of jobs.

After a file is submitted, the file might not be visible immediately until the file, or any file, inside an archive file is put into a job queue. In a Cluster setting, the file will not be visible until the file is put into a slave node's job queue.

To view the scan job(s) associated with the entry:
  1. Click the View Jobs icon or double click on the row. The view jobs page is displayed.

    In this page you can view detailed information for files scanned. If the file is an archive file, all files in the archive are displayed in this page.

  2. This page displays the following information and options:

    Back

    Click the Back button to return to the On Demand page.

    Search

    Show or hide the search filter field.

    Refresh

    Click the Refresh icon to refresh the entries displayed after applying search filters.

    Add Search Filter

    Click the search filter field to add search filters. Click the Cancel icon to the left of the search filter to remove the specific filter.

    When the search filter is Filename, select the Equal icon to toggle between exact search and pattern search.

    View Details

    Click the View Details icon to view file information. The information displayed in the view details page is dependent on the file type and risk level.

    Scan Video

    When the scan is submitted, if Record scan process in video is selected, a video icon is displayed. Clicking it will allow the user to select one VM type in which the scan is done and recorded. Select the VM type to play the video or save it to a local hard disk.

    The order of displayed columns is determined by the settings defined in the System > Job View Settings > File Detection Columns page. For more information, refer to Job View Settings.

    Pagination

    Use the pagination options to browse entries displayed.

  3. Click the View Details icon to view file details. The View Details page will open a new tab. See Appendix A - View Details Page Reference for descriptions of the View Details page.
  4. Click the parent job ID icon to view rescan file details.

    If the parent job is an archive file, the childrens' file names are included in the Archive Files dropdown list. Select a child's file name to view its detail.

  5. Close the tab to exit the View Details page.
To create a snapshot report for all on-demand files:
  1. Select a time period from the first dropdown list.
  2. Select to apply search filters to further drill down the information in the report.
  3. Click the Export Data button in the toolbar, opening the Report Generator window.
  4. Select either PDF or CSV and define the report start and end date and time.
  5. Click the Generate Report button to create the report.

    You can wait until the report is ready to view, or navigate away and find the report later in Log & Report > Report Center.

  6. Click the Close icon or the Cancel button to quit the report generator.

In this release, the maximum number of events you can export to a PDF report is 1,000; the maximum number of events you can export to a CSV report is 15,000. Jobs over that limit will not be included in report.

To submit a file to FortiSandbox:
  1. Click the Submit File button from the toolbar.
  2. You can configure the following:

    Select a File

    Click the Browse button and locate the sample file or archived sample file on your management computer.

    Possible password(s) for archive/office file

    List all possible passwords to extract password protected archive file, or open password protected Microsoft Office file. One password per line. Default password list set in the Scan Policy > General page will also be used to extract the archive files.

    Comments

    Optional comments for future reference.

    Debug Options

    Unchecked by default and enables viewing advanced options.

    Skip

    Select one or more of the following steps to skip. When a step is skipped, the verdict of that step won't be taken:

    • Static Scan
    • AV Scan
    • Cloud Query
    • Sandboxing

    Follow VM Association Settings in Scan Profile

    If the sandboxing step is not skipped, the file will be sent to its associated VMs defined in Scan Profile.

    Force to Scan Inside the Following VMs

    Overwrite VM association settings in Scan Profile by selecting one or more of the enabled VMs.

    Allow Interaction

    Select the Allow Interaction checkbox to interact with the Windows VM. See To use the Allow Interaction Feature: for more information.

    Record scan process in video

    Select to enable video recording. After scan finishes, a video icon will show in the File On-Demand second level detail page. Clicking it will trigger a download or play the video.

  3. Click the Submit button. A confirmation dialog box will be displayed. Click OK to continue. The file will be uploaded to FortiSandbox for inspection.
  4. Click the Close button to exit.

    The file will be listed in the On-Demand page. Once FortiSandbox has completed its analysis, you can select to view the file details.

To use the Allow Interaction Feature:
  1. Go to Scan Input > File On-Demand and click Submit File in the toolbar.
  2. In the Submit New File window, check the Allow Interaction checkbox.
    When selected, only one VM can be specified.
  3. Click Submit.
  4. Go to the Virtual Machine > VM Status page, the job will be launched when a clone of a selected VM is available.

There are two ways to interact with the windows VM:

  1. Use a VNC client and connect to fsa_ip:port. The port number can be found in the Interaction icon tooltip. Click the Interaction icon, the login password will appear in the address bar.
  2. Click the Interaction icon to use web based VNC client. Click Yes in the Do you want to start the scan? popup, the scan will start and the question becomes Do you want to stop the scan?

    Click Yes to stop the scan and the VNC session will close after a few seconds. Go back to the On-Demand page to check the scan result.

The user has 30 minutes to finish the interaction. After that, the VNC session will be closed automatically.

VM Interaction and Scan video recording features are only available to users whose admin profile has Allow On-Demand Scan Interaction enabled.

The VM Interaction feature is only available in a Standalone mode unit or a Master unit in cluster mode. For a Master unit, there should be an enabled VM which is associated with the scanned file's file type.

File On Demand

To view on-demand files and submit new files to be sandboxed, go to Scan Input > File On-Demand. You can drill down the information and apply search filters. You can select to create a PDF or CSV format snapshot report for all on-demand files. Search filters will be applied to the detailed report.

File On-Demand allows you to upload various file types directly to your FortiSandbox device. You can then view the results and decide whether or not to install the file on your network.

FortiSandbox has a rescan feature. When a Suspicious or Malicious file is detected, you can click the ReScan icon to rescan the file. This is useful when you want to understand the file's behavior being executed on the Microsoft Windows host. You can select to bypass Static Scan, AV Scan, Cloud Query, or Sandboxing in the Rescan Configuration dialog box. All rescanned jobs can be found in the On-Demand page.

You can select VM types to do the sandboxing by overwriting what is defined in the Scan Profile. When MACOSX or WindowsCloud VM is selected, the file will be uploaded to the cloud to be scanned. For password protected archive files or Microsoft Office files, write down all possible passwords. The default password list set in the Scan Policy > General page will also be used to extract the archive files.

All files submitted through the JSON API are treated as On-Demand files. Their results will also be shown on this page.

File On-Demand page - level 1

The following options are available:

Submit File

Click the button to submit a new file. You can upload a regular or archived file.

Six levels of file compression is supported. All files in the archive will be treated as a single file.

Show Rescan Job

Jobs either generated from AV Rescan or manually launched Rescan of files can be shown/hidden by this option.

Search

Show or hide the search filter field.

Add Search Filter

Click the search filter field to add search filters. Click the cancel icon to the left of the search filter to remove the specific filter. Click the clear all filters icon in the search filter field to clear all filters.

When the search filter is Filename, select the equal icon to toggle between exact search and pattern search.

Refresh

Click the refresh icon to refresh the entries displayed after applying search filters.

Clear all removable filters

Click the trash can icon to clear all removable filters.

Export Data

Click the Export Data button to create a PDF or CSV snapshot report. The time period of included jobs in the report depends on the selection of Time Period drop-down. You can wait until the report is ready to view, or navigate away and find the report later in Log & Report > Report Center.

View Jobs

Click the icon to view the scan job(s) associated with the entry. In this page you can view detailed information for files scanned. If the file is an archive file, all files in the archive are displayed in this page. Click the back button to return to the on-demand page.

Pagination

Use the pagination options to browse entries displayed.

This page displays the following information:

Submission Time

The date and time that the file was submitted to FortiSandbox. Use the column filter to sort the entries in ascending or descending order.

Submitted Filename

The file name.

Submitted By

The name of the administrator that submitted the file. Use the column filter to sort the entries in ascending or descending order.

Rating

Hover over the icon in this column to view the file rating. The rating can be one or more of the following: Clean, Low Risk, Medium Risk, High Risk, Malicious, or Other. For archive files, the possible ratings of all files in the archive will be displayed.

During the file scan, the rating is displayed as N/A. If a scan times out or is terminated by the system, the file will have an Other rating.

Status

The scan status can be Queued, In-Process, or Done.

File Count

The number of files associated with the entry. It is in the format of (finished file count)/(total files of this submission) when the scan is In-Progress. When the scan is done, it will display the total number of files in this submission.

Comments

The comments user enters when submitting the file.

Rescan Job

This icon indicates that this file is a rescanned version of another file.

Archive Submission

This icon indicates that an archived file has been submitted for scanning.

Total Jobs

The number of jobs displayed and the total number of jobs.

After a file is submitted, the file might not be visible immediately until the file, or any file, inside an archive file is put into a job queue. In a Cluster setting, the file will not be visible until the file is put into a slave node's job queue.

To view the scan job(s) associated with the entry:
  1. Click the View Jobs icon or double click on the row. The view jobs page is displayed.

    In this page you can view detailed information for files scanned. If the file is an archive file, all files in the archive are displayed in this page.

  2. This page displays the following information and options:

    Back

    Click the Back button to return to the On Demand page.

    Search

    Show or hide the search filter field.

    Refresh

    Click the Refresh icon to refresh the entries displayed after applying search filters.

    Add Search Filter

    Click the search filter field to add search filters. Click the Cancel icon to the left of the search filter to remove the specific filter.

    When the search filter is Filename, select the Equal icon to toggle between exact search and pattern search.

    View Details

    Click the View Details icon to view file information. The information displayed in the view details page is dependent on the file type and risk level.

    Scan Video

    When the scan is submitted, if Record scan process in video is selected, a video icon is displayed. Clicking it will allow the user to select one VM type in which the scan is done and recorded. Select the VM type to play the video or save it to a local hard disk.

    The order of displayed columns is determined by the settings defined in the System > Job View Settings > File Detection Columns page. For more information, refer to Job View Settings.

    Pagination

    Use the pagination options to browse entries displayed.

  3. Click the View Details icon to view file details. The View Details page will open a new tab. See Appendix A - View Details Page Reference for descriptions of the View Details page.
  4. Click the parent job ID icon to view rescan file details.

    If the parent job is an archive file, the childrens' file names are included in the Archive Files dropdown list. Select a child's file name to view its detail.

  5. Close the tab to exit the View Details page.
To create a snapshot report for all on-demand files:
  1. Select a time period from the first dropdown list.
  2. Select to apply search filters to further drill down the information in the report.
  3. Click the Export Data button in the toolbar, opening the Report Generator window.
  4. Select either PDF or CSV and define the report start and end date and time.
  5. Click the Generate Report button to create the report.

    You can wait until the report is ready to view, or navigate away and find the report later in Log & Report > Report Center.

  6. Click the Close icon or the Cancel button to quit the report generator.

In this release, the maximum number of events you can export to a PDF report is 1,000; the maximum number of events you can export to a CSV report is 15,000. Jobs over that limit will not be included in report.

To submit a file to FortiSandbox:
  1. Click the Submit File button from the toolbar.
  2. You can configure the following:

    Select a File

    Click the Browse button and locate the sample file or archived sample file on your management computer.

    Possible password(s) for archive/office file

    List all possible passwords to extract password protected archive file, or open password protected Microsoft Office file. One password per line. Default password list set in the Scan Policy > General page will also be used to extract the archive files.

    Comments

    Optional comments for future reference.

    Debug Options

    Unchecked by default and enables viewing advanced options.

    Skip

    Select one or more of the following steps to skip. When a step is skipped, the verdict of that step won't be taken:

    • Static Scan
    • AV Scan
    • Cloud Query
    • Sandboxing

    Follow VM Association Settings in Scan Profile

    If the sandboxing step is not skipped, the file will be sent to its associated VMs defined in Scan Profile.

    Force to Scan Inside the Following VMs

    Overwrite VM association settings in Scan Profile by selecting one or more of the enabled VMs.

    Allow Interaction

    Select the Allow Interaction checkbox to interact with the Windows VM. See To use the Allow Interaction Feature: for more information.

    Record scan process in video

    Select to enable video recording. After scan finishes, a video icon will show in the File On-Demand second level detail page. Clicking it will trigger a download or play the video.

  3. Click the Submit button. A confirmation dialog box will be displayed. Click OK to continue. The file will be uploaded to FortiSandbox for inspection.
  4. Click the Close button to exit.

    The file will be listed in the On-Demand page. Once FortiSandbox has completed its analysis, you can select to view the file details.

To use the Allow Interaction Feature:
  1. Go to Scan Input > File On-Demand and click Submit File in the toolbar.
  2. In the Submit New File window, check the Allow Interaction checkbox.
    When selected, only one VM can be specified.
  3. Click Submit.
  4. Go to the Virtual Machine > VM Status page, the job will be launched when a clone of a selected VM is available.

There are two ways to interact with the windows VM:

  1. Use a VNC client and connect to fsa_ip:port. The port number can be found in the Interaction icon tooltip. Click the Interaction icon, the login password will appear in the address bar.
  2. Click the Interaction icon to use web based VNC client. Click Yes in the Do you want to start the scan? popup, the scan will start and the question becomes Do you want to stop the scan?

    Click Yes to stop the scan and the VNC session will close after a few seconds. Go back to the On-Demand page to check the scan result.

The user has 30 minutes to finish the interaction. After that, the VNC session will be closed automatically.

VM Interaction and Scan video recording features are only available to users whose admin profile has Allow On-Demand Scan Interaction enabled.

The VM Interaction feature is only available in a Standalone mode unit or a Master unit in cluster mode. For a Master unit, there should be an enabled VM which is associated with the scanned file's file type.