Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

File On-Demand

To view on-demand files and submit new files to be sandboxed, go to Scan Input > File On-Demand. You can drill down for details and apply search filters. You can select to create a PDF or CSV format report for on-demand files.

Use File On-Demand to upload different file types directly to FortiSandbox. You can then view the results and decide whether to install the file on your network.

FortiSandbox has a rescan feature. When a Suspicious or Malicious file is detected, you can click the ReScan icon to rescan the file. This is useful when you want to understand the file's behavior when run on the Microsoft Windows host. You can force the file to do Sandboxing scan even if was detected in former steps of Static Scan, AV Scan, Cloud Query, or stopped from entering VM by Sandboxing-prefilter setting. All rescanned jobs are listed on the File On-Demand page.

You can select VM types to do the sandboxing by overwriting what is defined in the Scan Profile. When you select MACOSX or WindowsCloud, the file is uploaded to the cloud to be scanned. For password protected archive files or Microsoft Office files, write down all possible passwords. The default password list in the Scan Policy > General page is also used to extract the archive files.

All files submitted through the JSON API are treated as On-Demand files. Their results is also listed on this page.

File On-Demand page - level 1

The following options are available:

Submit File

Click the button to submit a new file. You can upload a regular or archived file.

Six levels of file compression is supported. All files in the archive will be treated as a single file.

Show Rescan Job

Jobs generated from manual rescan can be shown/hidden by this option.

Search

Show or hide the search filter field.

Add Search Filter

Click the search filter field to add search filters. Click the cancel icon to the left of the search filter to remove the specific filter. Click the clear all filters icon in the search filter field to clear all filters.

When the search filter is Filename, select the equal icon to toggle between exact search and pattern search.

Refresh

Click the refresh icon to refresh the entries displayed after applying search filters.

Clear all removable filters

Click the trash can icon to clear all removable filters.

Export Data

Click the Export Data button to create a PDF or CSV snapshot report. The time period of included jobs in the report depends on the selection of Time Period drop-down. You can wait until the report is ready to view, or navigate away and find the report later in Log & Report > Report Center.

View Jobs

Click the icon to view the scan jobs associated with the entry. You can view detailed information for files scanned. If the file is an archive file, all files in the archive are displayed in this page.

Pagination

Use the pagination options to browse entries displayed.

This page displays the following information:

Submission Time

The date and time that the file was submitted to FortiSandbox. Use the column filter to sort the entries in ascending or descending order.

Submitted Filename

The file name.

Submitted By

The name of the administrator that submitted the file. Use the column filter to sort the entries in ascending or descending order.

Rating

Hover over the icon to view the file rating. The rating can be one or more of the following: Clean, Low Risk, Medium Risk, High Risk, Malicious, or Other. For archive files, the possible ratings of all files in the archive are displayed.

During the file scan, the rating is displayed as N/A. If a scan times out or is terminated by the system, the file will have an Other rating.

Status

The scan status can be Queued, In-Process, or Done.

File Count

The number of files associated with the entry. It is in the format of (finished file count)/(total files of this submission) when the scan is In-Progress. When the scan is done, it will display the total number of files in this submission.

Comments

The comments user enters when submitting the file.

Rescan Job

This icon indicates that this file is a rescanned version of another file.

Archive Submission

This icon indicates that an archived file has been submitted for scanning.

Total Jobs

The number of jobs displayed and the total number of jobs.

After a file is submitted, the file might not be visible immediately until the file, or any file, inside an archive file is put into a job queue. In a cluster setting, the file will not be visible until the file is put into a slave node's job queue.

To view the scan job(s) associated with the entry:
  1. Click the View Jobs icon or double click on the row. The view jobs page is displayed.

    In this page you can view detailed information for files scanned. If the file is an archive file, all files in the archive are displayed in this page.

  2. This page displays the following information and options:

    Back

    Click the Back button to return to the On-Demand page.

    Search

    Show or hide the search filter field.

    Refresh

    Click the Refresh icon to refresh the entries displayed after applying search filters.

    Add Search Filter

    Click the search filter field to add search filters. Click the Cancel icon to the left of the search filter to remove the specific filter.

    When the search filter is Filename, select the Equal icon to toggle between exact search and pattern search.

    View Details

    Click the View Details icon to view file information. The information displayed in the view details page is dependent on the file type and risk level.

    Scan Video

    When the scan is submitted, if Record scan process in video is selected, a video icon is displayed. Clicking it will allow the user to select one VM type in which the scan is done and recorded. Select the VM type to play the video or save it to a local hard disk.

    The order of displayed columns is determined by the settings defined in the System > Job View Settings > File Detection Columns page. For more information, see Job View Settings.

    Pagination

    Use the pagination options to browse entries displayed.

  3. Click the View Details icon to view file details. The View Details page will open a new tab. For information on the View Details page, see Appendix A - View Details page reference.
  4. Click the parent job ID icon to view rescan file details.

    If the parent job is an archive file, the childrens' file names are included in the Archive Files dropdown list. Select a child's file name to view its detail.

  5. Close the tab to exit the View Details page.
To create a snapshot report for all on-demand files:
  1. Select a time period from the first dropdown list.
  2. Select to apply search filters to further drill down the information in the report.
  3. Click the Export Data button in the toolbar, opening the Report Generator window.
  4. Select PDF or CSV.
  5. Click the Generate Report button to create the report.

    You can wait until the report is ready to view, or navigate away and find the report later in Log & Report > Report Center.

  6. Click the Close icon or the Cancel button to quit the report generator.

In this release, the maximum number of events you can export to a PDF report is 1000; the maximum number of events you can export to a CSV report is 15000. Jobs over that limit will not be included in report.

To submit a file to FortiSandbox:
  1. Click the Submit File button from the toolbar.
  2. You can configure the following:

    Select a File

    Click the Browse button and locate the sample file or archived sample file on your management computer.

    Possible password(s) for archive/office file

    List all possible passwords to extract password protected archive file, or open password protected Microsoft Office file. One password per line. Default password list set in the Scan Policy > General page will also be used to extract the archive files.

    Comments

    Optional comments for future reference.

    Force to scan the file inside VM

    Enable to select advanced options.

    Follow VM Association Settings in Scan Profile

    If the sandboxing step is not skipped, the file will be sent to its associated VMs defined in Scan Profile.

    Force to Scan Inside the Following VMs

    Overwrite VM association settings in Scan Profile by selecting one or more of the enabled VMs.

    Allow Interaction

    Select the Allow Interaction checkbox to interact with the Windows VM. For more information, see To use the Allow Interaction Feature:.

    Record scan process in video if VMs involve

    Select to enable video recording. After scan finishes, a video icon will show in the File On-Demand second level detail page. Clicking it will trigger a download or play the video.

    Add sample to threat package

    If result matches malware package requirement, add scan result to threat package.

    Enable AI

    Use AI engine to scan the file.

  3. Click the Submit button. A confirmation dialog box will be displayed. Click OK to continue. The file will be uploaded to FortiSandbox for inspection.
  4. Click the Close button to exit.

    The file will be listed in the On-Demand page. Once FortiSandbox has completed its analysis, you can select to view the file details.

To use the Allow Interaction Feature:
  1. Go to Scan Input > File On-Demand and click Submit File in the toolbar.
  2. In the Submit New File window, check the Allow Interaction checkbox.
    When selected, only one VM can be specified.
  3. Click Submit.
  4. Go to the Virtual Machine > VM Status page, the job will be launched when a clone of a selected VM is available.

There are two ways to interact with the windows VM:

  1. Use a VNC client and connect to fsa_ip:port. The port number can be found in the Interaction icon tooltip. Click the Interaction icon, the login password will appear in the address bar.
  2. Click the Interaction icon to use web based VNC client. Click Yes in the Do you want to start the scan? popup, the scan will start and the question becomes Do you want to stop the scan?

    Click Yes to stop the scan and the VNC session will close after a few seconds. Go back to the On-Demand page to check the scan result.

The user has 30 minutes to finish the interaction. After that, the VNC session will be closed automatically.

VM Interaction and Scan video recording features are only available to users whose admin profile has Allow On-Demand Scan Interaction enabled.

File On-Demand

To view on-demand files and submit new files to be sandboxed, go to Scan Input > File On-Demand. You can drill down for details and apply search filters. You can select to create a PDF or CSV format report for on-demand files.

Use File On-Demand to upload different file types directly to FortiSandbox. You can then view the results and decide whether to install the file on your network.

FortiSandbox has a rescan feature. When a Suspicious or Malicious file is detected, you can click the ReScan icon to rescan the file. This is useful when you want to understand the file's behavior when run on the Microsoft Windows host. You can force the file to do Sandboxing scan even if was detected in former steps of Static Scan, AV Scan, Cloud Query, or stopped from entering VM by Sandboxing-prefilter setting. All rescanned jobs are listed on the File On-Demand page.

You can select VM types to do the sandboxing by overwriting what is defined in the Scan Profile. When you select MACOSX or WindowsCloud, the file is uploaded to the cloud to be scanned. For password protected archive files or Microsoft Office files, write down all possible passwords. The default password list in the Scan Policy > General page is also used to extract the archive files.

All files submitted through the JSON API are treated as On-Demand files. Their results is also listed on this page.

File On-Demand page - level 1

The following options are available:

Submit File

Click the button to submit a new file. You can upload a regular or archived file.

Six levels of file compression is supported. All files in the archive will be treated as a single file.

Show Rescan Job

Jobs generated from manual rescan can be shown/hidden by this option.

Search

Show or hide the search filter field.

Add Search Filter

Click the search filter field to add search filters. Click the cancel icon to the left of the search filter to remove the specific filter. Click the clear all filters icon in the search filter field to clear all filters.

When the search filter is Filename, select the equal icon to toggle between exact search and pattern search.

Refresh

Click the refresh icon to refresh the entries displayed after applying search filters.

Clear all removable filters

Click the trash can icon to clear all removable filters.

Export Data

Click the Export Data button to create a PDF or CSV snapshot report. The time period of included jobs in the report depends on the selection of Time Period drop-down. You can wait until the report is ready to view, or navigate away and find the report later in Log & Report > Report Center.

View Jobs

Click the icon to view the scan jobs associated with the entry. You can view detailed information for files scanned. If the file is an archive file, all files in the archive are displayed in this page.

Pagination

Use the pagination options to browse entries displayed.

This page displays the following information:

Submission Time

The date and time that the file was submitted to FortiSandbox. Use the column filter to sort the entries in ascending or descending order.

Submitted Filename

The file name.

Submitted By

The name of the administrator that submitted the file. Use the column filter to sort the entries in ascending or descending order.

Rating

Hover over the icon to view the file rating. The rating can be one or more of the following: Clean, Low Risk, Medium Risk, High Risk, Malicious, or Other. For archive files, the possible ratings of all files in the archive are displayed.

During the file scan, the rating is displayed as N/A. If a scan times out or is terminated by the system, the file will have an Other rating.

Status

The scan status can be Queued, In-Process, or Done.

File Count

The number of files associated with the entry. It is in the format of (finished file count)/(total files of this submission) when the scan is In-Progress. When the scan is done, it will display the total number of files in this submission.

Comments

The comments user enters when submitting the file.

Rescan Job

This icon indicates that this file is a rescanned version of another file.

Archive Submission

This icon indicates that an archived file has been submitted for scanning.

Total Jobs

The number of jobs displayed and the total number of jobs.

After a file is submitted, the file might not be visible immediately until the file, or any file, inside an archive file is put into a job queue. In a cluster setting, the file will not be visible until the file is put into a slave node's job queue.

To view the scan job(s) associated with the entry:
  1. Click the View Jobs icon or double click on the row. The view jobs page is displayed.

    In this page you can view detailed information for files scanned. If the file is an archive file, all files in the archive are displayed in this page.

  2. This page displays the following information and options:

    Back

    Click the Back button to return to the On-Demand page.

    Search

    Show or hide the search filter field.

    Refresh

    Click the Refresh icon to refresh the entries displayed after applying search filters.

    Add Search Filter

    Click the search filter field to add search filters. Click the Cancel icon to the left of the search filter to remove the specific filter.

    When the search filter is Filename, select the Equal icon to toggle between exact search and pattern search.

    View Details

    Click the View Details icon to view file information. The information displayed in the view details page is dependent on the file type and risk level.

    Scan Video

    When the scan is submitted, if Record scan process in video is selected, a video icon is displayed. Clicking it will allow the user to select one VM type in which the scan is done and recorded. Select the VM type to play the video or save it to a local hard disk.

    The order of displayed columns is determined by the settings defined in the System > Job View Settings > File Detection Columns page. For more information, see Job View Settings.

    Pagination

    Use the pagination options to browse entries displayed.

  3. Click the View Details icon to view file details. The View Details page will open a new tab. For information on the View Details page, see Appendix A - View Details page reference.
  4. Click the parent job ID icon to view rescan file details.

    If the parent job is an archive file, the childrens' file names are included in the Archive Files dropdown list. Select a child's file name to view its detail.

  5. Close the tab to exit the View Details page.
To create a snapshot report for all on-demand files:
  1. Select a time period from the first dropdown list.
  2. Select to apply search filters to further drill down the information in the report.
  3. Click the Export Data button in the toolbar, opening the Report Generator window.
  4. Select PDF or CSV.
  5. Click the Generate Report button to create the report.

    You can wait until the report is ready to view, or navigate away and find the report later in Log & Report > Report Center.

  6. Click the Close icon or the Cancel button to quit the report generator.

In this release, the maximum number of events you can export to a PDF report is 1000; the maximum number of events you can export to a CSV report is 15000. Jobs over that limit will not be included in report.

To submit a file to FortiSandbox:
  1. Click the Submit File button from the toolbar.
  2. You can configure the following:

    Select a File

    Click the Browse button and locate the sample file or archived sample file on your management computer.

    Possible password(s) for archive/office file

    List all possible passwords to extract password protected archive file, or open password protected Microsoft Office file. One password per line. Default password list set in the Scan Policy > General page will also be used to extract the archive files.

    Comments

    Optional comments for future reference.

    Force to scan the file inside VM

    Enable to select advanced options.

    Follow VM Association Settings in Scan Profile

    If the sandboxing step is not skipped, the file will be sent to its associated VMs defined in Scan Profile.

    Force to Scan Inside the Following VMs

    Overwrite VM association settings in Scan Profile by selecting one or more of the enabled VMs.

    Allow Interaction

    Select the Allow Interaction checkbox to interact with the Windows VM. For more information, see To use the Allow Interaction Feature:.

    Record scan process in video if VMs involve

    Select to enable video recording. After scan finishes, a video icon will show in the File On-Demand second level detail page. Clicking it will trigger a download or play the video.

    Add sample to threat package

    If result matches malware package requirement, add scan result to threat package.

    Enable AI

    Use AI engine to scan the file.

  3. Click the Submit button. A confirmation dialog box will be displayed. Click OK to continue. The file will be uploaded to FortiSandbox for inspection.
  4. Click the Close button to exit.

    The file will be listed in the On-Demand page. Once FortiSandbox has completed its analysis, you can select to view the file details.

To use the Allow Interaction Feature:
  1. Go to Scan Input > File On-Demand and click Submit File in the toolbar.
  2. In the Submit New File window, check the Allow Interaction checkbox.
    When selected, only one VM can be specified.
  3. Click Submit.
  4. Go to the Virtual Machine > VM Status page, the job will be launched when a clone of a selected VM is available.

There are two ways to interact with the windows VM:

  1. Use a VNC client and connect to fsa_ip:port. The port number can be found in the Interaction icon tooltip. Click the Interaction icon, the login password will appear in the address bar.
  2. Click the Interaction icon to use web based VNC client. Click Yes in the Do you want to start the scan? popup, the scan will start and the question becomes Do you want to stop the scan?

    Click Yes to stop the scan and the VNC session will close after a few seconds. Go back to the On-Demand page to check the scan result.

The user has 30 minutes to finish the interaction. After that, the VNC session will be closed automatically.

VM Interaction and Scan video recording features are only available to users whose admin profile has Allow On-Demand Scan Interaction enabled.