Fortinet Document Library

Administration Guide

Appendix E - Create a custom VM image using your own ISO

There are different ways to create and configure custom virtual machines on HA clusters. For AWS and Azure cloud implementations, see the FortiSandbox VM on AWS and FortiSandbox VM on Azure Guides.

For FSA-1000D, FSA-3000D, FSA-3500D, and VM, the maximum number of clones for all VM types for the whole system is limited to the Windows license shipped with the unit.

For FSA-2000E and FSA-3000E, the maximum number of clones for default VMs and optional VMs is limited to the Windows license and the number of stacked licenses provided by Fortinet.

For custom VMs, the maximum number of clones is 20 on FSA-2000E and 48 on FSA-3000E.

Activate all custom VMs before uploading them to the unit. Purchase the licenses needed for activation from Microsoft distributors.

We recommend keeping the custom VM image smaller than 10GB.

The guest VM images published by Fortinet might not reflect the user’s working environment. For example, the current Windows 8 and Windows 10 images do not have Microsoft Office software installed. You can create your own guest image, install software running in your environment, and upload the image to the unit to scan files. You can create the guest image on top of your Golden Image or Master Image to best simulate your OS installations. This document provides instructions on how to create and configure them.

You can use the VMs provided by Fortinet or create your own. If you want to create a custom image using pre-configured VMs, see Appendix D - Create a custom VM image using pre-configured VMs.

Use the following steps to create a custom VM image using your own ISO:

1. Download and install Oracle VM VirtualBox

2. Prepare the operating system installation package

3. Create a custom image in VirtualBox

4. Install software and components on the custom VM image

5. Modify the VM image environment

6. Set up FortiSandbox Tracer Engine Launcher

7. Install the custom VM image on FortiSandbox

1. Download and install Oracle VM VirtualBox

Download VirtualBox from https://download.virtualbox.org/virtualbox/5.2.34/VirtualBox-5.2.34-133893-Win.exe. The checksum is in https://fsavm.fortinet.net/vmtools/md5.txt.

For help with VirtualBox installation and troubleshooting, see the VirtualBox User Manual.

VirtualBox is open source software licensed under the GNU General Public License V2. For license information, see https://www.virtualbox.org/wiki/Licensing_FAQ.

Mac OS is not supported.
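A check worth doing at this step is to verify the downloaded installer against the published MD5 list before running it. The following PowerShell script is an added example and not part of the Fortinet guide; it assumes md5.txt has been saved next to the installer and that each line has the common `<hash>  <filename>` layout (or `<filename> <hash>`), since the guide does not describe the file's format.

```powershell
# Added example (not from the Fortinet guide): check the VirtualBox installer against
# the published MD5 list before running it. Assumptions: md5.txt was saved next to the
# installer, and each line is "<hash>  <filename>" (or "<filename> <hash>").
function Get-ExpectedMd5 {
    param(
        [Parameter(Mandatory)][string]$ChecksumFile,
        [Parameter(Mandatory)][string]$FileName
    )
    foreach ($line in Get-Content -Path $ChecksumFile) {
        $trimmed = $line.Trim()
        if (-not $trimmed -or $trimmed.StartsWith('#')) { continue }
        # Split on whitespace and drop the "*" binary-mode marker some tools prepend to names.
        $parts = ($trimmed -split '\s+') | ForEach-Object { $_.TrimStart('*') }
        $hash  = $parts | Where-Object { $_ -match '^[0-9a-fA-F]{32}$' } | Select-Object -First 1
        $name  = $parts | Where-Object { $_ -notmatch '^[0-9a-fA-F]{32}$' } | Select-Object -First 1
        if ($hash -and $name -and ([IO.Path]::GetFileName($name) -ieq $FileName)) {
            return $hash.ToLower()
        }
    }
    return $null
}

function Test-InstallerChecksum {
    param(
        [Parameter(Mandatory)][string]$InstallerPath,
        [Parameter(Mandatory)][string]$ChecksumFile
    )
    if (-not (Test-Path -LiteralPath $InstallerPath)) { throw "Installer not found: $InstallerPath" }
    if (-not (Test-Path -LiteralPath $ChecksumFile))  { throw "Checksum list not found: $ChecksumFile" }
    $fileName = [IO.Path]::GetFileName($InstallerPath)
    $expected = Get-ExpectedMd5 -ChecksumFile $ChecksumFile -FileName $fileName
    if (-not $expected) { throw "No MD5 entry for '$fileName' in $ChecksumFile" }
    # Get-FileHash ships with PowerShell 4.0 and later.
    $actual = (Get-FileHash -LiteralPath $InstallerPath -Algorithm MD5).Hash.ToLower()
    [pscustomobject]@{
        File     = $fileName
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -eq $expected)
    }
}

# Usage: the installer file name is the one the guide links to; the folder is a placeholder.
$result = Test-InstallerChecksum -InstallerPath 'C:\Downloads\VirtualBox-5.2.34-133893-Win.exe' `
                                 -ChecksumFile  'C:\Downloads\md5.txt'
$result | Format-List
if (-not $result.Match) { Write-Error 'MD5 mismatch: do not run this installer.' }
```

A match tells you the file is the one Fortinet listed, provided md5.txt itself was fetched intact over HTTPS from the URL in the guide. MD5 is not collision resistant, so treat the check as protection against a corrupted or swapped download, not as a signature.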

2. Prepare the operating system installation package

In FortiSandbox 3.2.0, the following operating systems can be used to build a custom VM image.

  • Microsoft Windows Server 2003 32 bit
  • Microsoft Windows 7 32/64 bit
  • Microsoft Windows 8.1 32/64 bit
  • Microsoft Windows 10 32/64 bit
  • Microsoft Windows Server 2008 32/64 bit
  • Microsoft Windows Server 2012 64 bit
  • Microsoft Windows Server 2016 64 bit
  • Microsoft Windows Server 2019 64 bit

The installation package for any of the above operating systems must be packaged as an ISO file and copied to the host on which VirtualBox is installed.

The Windows operating systems are available from Microsoft and Microsoft Channel Partners. Fortinet does not provide their installation packages, support, or license rights.

To support 64-bit operating systems, hardware virtualization must be enabled in the motherboard BIOS of the host on which VirtualBox is installed.

3. Create a custom image in VirtualBox

  1. Launch VirtualBox and click New.

    Name

    Name of the new image. The name cannot be more than 15 characters.

    The following VM image names are reserved by Fortinet. Do not use these names for custom images.

    • WINXPVM
    • WINXPVM1
    • WIN7X86VM
    • WIN7X64VM
    • WIN7X64SP1
    • WIN7X86SP1O16
    • WIN7X86VMO16
    • WIN8X64VMO16
    • WIN81X86VM
    • WIN81X64VM
    • WIN81X64VMO16
    • WIN10X86VM
    • WIN10X64VM
    • WIN10X64VMO16

    Type

    Select Microsoft Windows.

    Version

    Select the Windows version.

  2. Click Next.
  3. In the Memory Size page, allocate the base memory size:

    • Windows Server 2003 32 bit: 512MB
    • Windows 7, 8, 10, Windows Server 2008 R2, Windows Server 2012, Windows Server 2016: 1024MB

  4. Click Next.
  5. In the Hard Drive page, select Create a virtual hard drive now and click Create.
  6. In the Hard drive file type page:
    • If you are using Windows, select VirtualBox Disk Image (.vdi) format and click Next.
    • If you are using AWS or Azure, select Virtual Hard Disk (.vhd) format and click Next.
  7. In the Storage on physical hard drive page:
    • If you are using Windows or AWS, select Dynamic size and click Next.
    • If you are using Azure, select Fixed size and click Next.
  8. In the File location and size page, set the path of the virtual disk file (optional) and allocate a 20GB virtual disk for the VM; then click Create.

    The VM is created and appears in the left pane.

  9. Click Settings or right-click the VM image name to configure the VM image settings.
    1. Go to General > Advanced and apply the following settings.
      Caution

      Ensure the Snapshot Folder has no spaces in the file path because when you upload the .vdi file to FortiSandbox, the CLI does not accept spaces in the file path.

    2. Go to System > Motherboard and apply the following settings.
      For Windows Server 2003 32 bit:

      For Windows 7, Server 2008, 8, 10, Server 2012, Server 2016, Server 2019:

      Processor tab:
      • Processor(s): 1
      • Execution Cap: 100
      • Enable PAE/NX: Enable

      Acceleration tab:
      • Enable VT-x/AMD-V: Enable
      • Enable Nested Paging: Enable

    3. For Display, keep the default settings.
    4. Go to Storage, and apply the following settings:
      If the operating system is Windows Server 2003 32 bit:
      1. Click Controller: IDE, set Type to PIIX4 and enable Use host I/O cache.
      2. Click the Empty Optical Drive node and ensure the CD/DVD Drive is set as the IDE Secondary Master.
      3. Click the icon and select Choose a virtual CD/DVD disk file; then select the ISO file containing the operating system installation package.
      If the operating system is Windows 10 or Windows Server 2019:
      1. Click Controller: SATA node, then right-click and select Remove Controller to remove it.
      2. Right-click the Storage Tree panel and select Add IDE Controller.
      3. Click the Add Hard Disk icon.

      4. Click Choose existing disk and select the virtual disk file (*.vdi) that was created in the previous steps. Ensure the *.vdi is set as the IDE Primary Master.
      5. Click Controller: IDE, set Type to PIIX4, and enable Use host I/O cache.
      6. Click the Add Optical Drive icon and then click the Leave empty button. Ensure the CD/DVD Drive is set as the IDE Secondary Master.
      7. Click the icon and select Choose a virtual CD/DVD disk file; then select the ISO file containing the operating system installation package.
      If the operating system is Windows 7, 8, Server 2008, Server 2012, Server 2016:
      1. Click Controller: SATA node, then right-click and select Remove Controller to remove it.
      2. Right-click the Storage Tree panel and select Add IDE Controller.
      3. Click the Add Hard Disk icon.

      4. Click Choose Existing Disk and select the virtual disk file (*.vdi) that was created in the previous steps.
      5. Click Controller: IDE, set Type to PIIX4, and enable Use host I/O cache.
      6. Click the Empty Optical Drive node and ensure the CD/DVD Drive is set as the IDE Secondary Master.
      7. Click the icon and select Choose a virtual CD/DVD disk file; then select the ISO file containing the operating system installation package.
      If the operating system is Windows 10 for AWS or Azure:
      1. Click Controller: SATA node, then right-click and select Remove Controller to remove it.
      2. Right-click the Storage Tree panel, and select Add IDE Controller.
      3. Click the Add Hard Disk icon.

      4. Click Choose Existing Disk and select the virtual hard disk file (*.vhd) that was created in the previous steps. Ensure the *.vhd is set as the IDE Primary Master.
      5. Click Controller: IDE, set Type to PIIX4, and enable Use host I/O cache.
      6. Click the Add Optical Drive icon and then click the Leave empty button. Ensure the CD/DVD Drive is set as the IDE Secondary Master.
      7. Click the icon and select Choose a virtual CD/DVD disk file; then select the ISO file containing the operating system installation package.
    5. Go to Audio, and uncheck the Enable Audio checkbox.
    6. Go to Network, and apply the following settings:
      If the operating system is Windows Server 2003 32 bit:

      Adapter 1 tab:
      • Network Adapter: Enable
      • Attached to: NAT
      • Adapter Type: Intel PRO/1000T Server (82543GC)
      • Cable Connected: Enable

      Adapter 2 tab:
      • Network Adapter: Enable
      • Attached to: NAT
      • Adapter Type: Intel PRO/1000T Server (82543GC)
      • Cable Connected: Enable

      If the operating system is Windows 7, 8, 10, Windows Server 2008, Windows Server 2012, or Windows Server 2016:

      Adapter 1 tab:
      • Network Adapter: Enable
      • Attached to: NAT
      • Adapter Type: Intel PRO/1000MT Server (82545EM)
      • Cable Connected: Enable

      Adapter 2 tab:
      • Network Adapter: Enable
      • Attached to: NAT
      • Adapter Type: Intel PRO/1000MT Server (82545EM)
      • Cable Connected: Enable

    7. In Serial Ports, keep the default settings.
    8. In USB, disable Enable USB Controller.
    9. In Shared Folders, ensure no shared folders exist.
  10. Click OK.
  11. In the VirtualBox Manager page, click the Start icon to turn on the image. The operating system starts installing. Follow the on-screen instructions to complete the installation.
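The same VM can be built from the command line with VBoxManage, which makes the configuration repeatable and easy to review. The script below is an added example, not Fortinet's, and consolidates steps 1 to 11 above: it enforces the 15-character and reserved-name rules, refuses base folders with spaces (the reason for the Caution about the snapshot folder), applies the per-OS memory and adapter values from the tables, and attaches the 20GB disk and the install ISO as IDE Primary Master and IDE Secondary Master on a PIIX4 controller with host I/O cache. The VirtualBox install path, base folder, VM name, ISO path and OS type ID are assumptions; list valid IDs with VBoxManage list ostypes.

```powershell
# Added example (not from the Fortinet guide): build the section 3 VM with VBoxManage
# instead of clicking through the GUI. Assumptions: default VirtualBox install path,
# an OS type ID VirtualBox knows ("VBoxManage list ostypes"), and placeholder paths.
$VBoxManage = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'

# Names Fortinet reserves for its own images (from the guide); do not reuse them.
$ReservedVmNames = @(
    'WINXPVM','WINXPVM1','WIN7X86VM','WIN7X64VM','WIN7X64SP1','WIN7X86SP1O16',
    'WIN7X86VMO16','WIN8X64VMO16','WIN81X86VM','WIN81X64VM','WIN81X64VMO16',
    'WIN10X86VM','WIN10X64VM','WIN10X64VMO16'
)

function Test-FsaVmName {
    # The guide's two naming rules: at most 15 characters and not a reserved name.
    param([Parameter(Mandatory)][string]$Name)
    if ($Name.Length -gt 15) { throw "VM name '$Name' is longer than 15 characters." }
    if ($ReservedVmNames -contains $Name.ToUpper()) { throw "VM name '$Name' is reserved by Fortinet." }
    return $true
}

function Invoke-VBox {
    # Runs one VBoxManage command and stops at the first failure.
    param([Parameter(ValueFromRemainingArguments)][string[]]$VBoxArgs)
    & $VBoxManage @VBoxArgs
    if ($LASTEXITCODE -ne 0) { throw "VBoxManage $($VBoxArgs[0]) failed (exit code $LASTEXITCODE)" }
}

function New-FsaCustomVm {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$IsoPath,
        [string]$OsType = 'Windows10_64',
        [string]$BaseFolder = 'C:\FSAVM',                                   # placeholder, no spaces
        [ValidateSet('VDI','VHD')][string]$DiskFormat = 'VDI',              # VDI for Windows, VHD for AWS/Azure
        [ValidateSet('Standard','Fixed')][string]$DiskVariant = 'Standard'  # Fixed only for Azure
    )
    Test-FsaVmName -Name $Name | Out-Null
    # The machine and snapshot folders live under the base folder, and the FortiSandbox
    # CLI rejects paths with spaces when the .vdi is uploaded, so refuse them here.
    if ($BaseFolder -match '\s' -or $Name -match '\s') { throw 'Base folder and VM name must not contain spaces.' }
    if (-not (Test-Path -LiteralPath $IsoPath)) { throw "ISO not found: $IsoPath" }

    # Per-OS values from the guide's tables: Windows Server 2003 gets 512MB and the
    # Intel PRO/1000T Server (82543GC) adapter; every other supported OS gets 1024MB
    # and the Intel PRO/1000MT Server (82545EM) adapter.
    $isServer2003 = $OsType -like 'Windows2003*'
    $memoryMb = if ($isServer2003) { 512 } else { 1024 }
    $nicType  = if ($isServer2003) { '82543GC' } else { '82545EM' }

    Invoke-VBox createvm --name $Name --ostype $OsType --basefolder $BaseFolder --register

    # System (1 CPU, 100% execution cap, PAE/NX, VT-x/AMD-V, nested paging),
    # audio off, USB controller off, two NAT adapters with the cable connected.
    Invoke-VBox modifyvm $Name --memory $memoryMb --cpus 1 --cpuexecutioncap 100 `
        --pae on --hwvirtex on --nestedpaging on --audio none --usb off `
        --nic1 nat --nictype1 $nicType --cableconnected1 on `
        --nic2 nat --nictype2 $nicType --cableconnected2 on

    # Storage: createvm adds no controller, so the GUI's "remove SATA, add IDE" becomes
    # just "add IDE". PIIX4 with host I/O cache; the disk is IDE Primary Master
    # (port 0, device 0) and the install ISO is IDE Secondary Master (port 1, device 0).
    $diskPath = Join-Path $BaseFolder "$Name\$Name.$($DiskFormat.ToLower())"
    Invoke-VBox createmedium disk --filename $diskPath --size 20480 --format $DiskFormat --variant $DiskVariant
    Invoke-VBox storagectl $Name --name IDE --add ide --controller PIIX4 --hostiocache on
    Invoke-VBox storageattach $Name --storagectl IDE --port 0 --device 0 --type hdd --medium $diskPath
    Invoke-VBox storageattach $Name --storagectl IDE --port 1 --device 0 --type dvddrive --medium $IsoPath

    return $Name
}

# Usage (name, ISO path and OS type are placeholders).
New-FsaCustomVm -Name 'WIN10X64CUSTOM' -IsoPath 'C:\ISO\Win10_x64.iso' -OsType 'Windows10_64'
```

Review the result with VBoxManage showvminfo <name> before starting it; VBoxManage startvm <name> then boots the ISO, which is step 11 above. For an AWS or Azure image pass -DiskFormat VHD, and for Azure also -DiskVariant Fixed, matching steps 6 and 7.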

4. Install software and components on the custom VM image

After installing a custom VM image, install applications and components for your environment such as the following:

  • .Net Framework
  • Microsoft Office Suite
  • Adobe Acrobat Reader

Use one of the following ways to install software and components on the custom VM image:

  • Put the installers on a computer on a management network from which the VM image can download them using HTTP, FTP, or a network share. Configure the VM image network settings so it can reach the host computer.
  • Package the installers as an ISO file. In VirtualBox Manager, select the VM image and go to the Settings page. Then go to Storage > Empty optical drive node > disk icon > Choose a virtual CD/DVD disk file and select the ISO file. Inside the VM image, open drive D to install the software.

After installing software or a component, verify that the installation succeeded in Control Panel > Add or Remove Programs or Control Panel > Programs and Features.

Disable automatic updates for the installed software.

Use a text editor to create a meta file listing the applications installed on this VM image. The meta file is used later, and its content is displayed under Scan Profile > Installed Applications on FortiSandbox.
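Both the check in Programs and Features and the meta file can be produced from the same data, the per-machine Uninstall registry keys that Programs and Features reads. The PowerShell below is an added example and not from the guide; the meta-file layout (one Name<TAB>Version line per application), the output path and the list of expected applications are assumptions, since the guide does not specify a format.

```powershell
# Added example (not from the Fortinet guide): enumerate installed applications the way
# Programs and Features does, confirm the expected ones are present, and write the list
# to a meta file. File layout and path are assumptions; adapt them to your workflow.
function Get-InstalledApplication {
    # Native and, on 64-bit Windows, 32-bit (WOW6432Node) per-machine Uninstall entries.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |   # hide system components
        Select-Object @{ n = 'Name';    e = { $_.DisplayName.Trim() } },
                      @{ n = 'Version'; e = { "$($_.DisplayVersion)" } } |
        Sort-Object Name -Unique
}

function Test-ApplicationInstalled {
    # True when at least one installed application matches the wildcard pattern.
    param([Parameter(Mandatory)][string]$NamePattern)
    return [bool](Get-InstalledApplication | Where-Object { $_.Name -like $NamePattern })
}

function Write-FsaMetaFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Patterns for the applications this image is supposed to carry (assumed list).
        [string[]]$Expected = @('*Microsoft Office*', 'Adobe Acrobat Reader*', '*.NET Framework*')
    )
    $apps = @(Get-InstalledApplication)
    $apps | ForEach-Object { "{0}`t{1}" -f $_.Name, $_.Version } |
        Set-Content -Path $Path -Encoding UTF8
    # Report anything expected that is missing so the image is not uploaded incomplete.
    $missing = @($Expected | Where-Object { -not (Test-ApplicationInstalled -NamePattern $_) })
    [pscustomobject]@{ MetaFile = $Path; Applications = $apps.Count; Missing = $missing }
}

# Usage inside the guest; the output path is a placeholder.
Write-FsaMetaFile -Path 'C:\installed_apps.txt'
```

Run it after each installation round; an empty Missing list confirms the step the guide asks you to check manually, and the meta file can be pasted into the Scan Profile as-is or reformatted as required.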

Certain software needs to be configured to associate with the file types as the default application. For example, Adobe Reader needs to be launched after installation to be the default PDF application.

All applications that are used during a job scan should be launched after installation to finish their initialization. This is especially important for web browsers such as Internet Explorer, for Adobe Reader, and for Microsoft Office.

For Windows 10 or Windows Server 2019, the default web browser is Windows Edge, which FortiSandbox does not currently support. We recommend changing the default web browser to Internet Explorer. To do that:

  1. Go to Start > Settings > System > Apps > Default apps.
  2. Click Web Browser and select Internet Explorer.

Activate Windows OS and other installed software.

Fortinet is not responsible for software support and licensing.

5. Modify the VM image environment

If the operating system is Windows Server 2003 32 bit:
  1. Go to Control Panel > Security Center and disable Windows Automatic Updates.
  2. Disable all antivirus software.
  3. Go to Start > right-click My computer > click Properties.

    In Hardware tab, click Driver Signing button and select Ignore – Install the software anyway and don’t ask for my approval.

    In Advanced tab, click the Error Reporting button and check Disable the Error Reporting function. Also, uncheck But notify me when critical errors occur.

    In System Restore tab, make sure the System Restore function is off.

  4. Make sure the built-in Administrator account is enabled. Open a command prompt and execute net user Administrator /active:yes.
  5. Setup Administrator auto-login:
    1. Open a command prompt and enter control userpasswords2. This will open the User Accounts page.
    2. Uncheck Users must enter a user name and password to use this computer to ensure the Administrator has automatic login privileges
    3. Click Apply.
    4. Use Administrator as the login account, password is optional.
    5. Go to the User Accounts > Advanced tab.
    6. Under Advanced User Manager > click the Advanced button to open the lusrmgr page.
    7. Click the Users folder to select the Administrator and edit its properties.
    8. Make sure its password never expires.
    Note

      For steps 4 and 5, the name of the Administrator account should be the localized version. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language                 Administrator Name
      Finnish                  Järjestelmänvalvoja
      French                   Administrateur
      Hungarian                Rendszergazda
      Portuguese (Brazil)      Administrador
      Portuguese (Portugal)    Administrador
      Russian                  Администратор
      Spanish                  Administrador
      Swedish                  Administratör

  6. Open a command prompt and enter powercfg /h off to disable host hibernation if it is supported.
  7. Go to Control Panel > Display Properties, navigate to Screen Saver tab and select None from the Screen Saver dropdown menu.
  8. Go to Control Panel > Network Connection, and rename the following:

    • Local Area Connection 1: rename to eth0
    • Local Area Connection 2: rename to eth1

    If there are network devices already named eth0 and eth1, change them to different names first.

    The exact names shown in the Network Connection page might not be Local Area Connection 1 or Local Area Connection 2. You might need to swap the eth0 and eth1 names for the customized image to work on FortiSandbox.

    If the system does not allow renaming to eth0 or eth1 and reports that a connection named eth0 or eth1 already exists, but those connections do not appear in the Network Connections page:

    1. Click Start > Run, type cmd.exe, and then press ENTER.
    2. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
    3. Type Start DEVMGMT.MSC, and then press ENTER.
    4. Click View > Show Hidden Devices. Expand the Network Adapters tree. Right-click the greyed out network adapters, and click Uninstall.
  9. Go to the Start menu, execute Run… and enter %TEMP%. This opens the %TEMP% folder. Delete everything in the folder.

    To maximize the catch rate, we recommend disabling the Windows Firewall. To do that, go to Control Panel > Security Center > Windows Firewall and turn it off.

If the operating system is Windows 7 or Server 2008:
  1. Turn off Windows automatic update. Go to Control Panel > System and Security > Windows Update > Change. From the dropdown menu, select Never check for updates.
  2. Disable Windows Defender or any installed antivirus software. Go to Start menu and type Windows Defender to locate and launch it. Click Tools > Options > Administrator, uncheck Use this program check box, click Save.
  3. Go to Control Panel > System and Security > Action Center > Change Action Center settings, uncheck every item. Click Problem Reporting settings, check Never check for solution.
  4. Run a command prompt as the Administrator and enter powercfg /h off to disable host hibernation.
  5. Go to Control Panel > Appearance and Personalization > Change screen saver, select (None) from the Screen Saver dropdown list.
  6. Make sure Administrator account is enabled. Go to the Start menu, search command prompt. Right-click on it and launch it as the Administrator. Execute net user Administrator /active:yes.
  7. Setup auto-login for the Administrator account.
    1. Open a command prompt and type in control userpasswords2. This will open the User Accounts page.
    2. Make sure the Administrator account has the automatic login privilege by unchecking the option Users must enter a user name and password to use this computer.
    3. Click Apply.
    4. Use Administrator as the login account, and set up the password.
    5. Go to User Accounts > Advanced tab.
    6. Under the User Accounts > Advanced tab > Advanced User Management, click the Advanced button to open the lusrmgr page.
    7. Click on the Users Folder to select Administrator and edit its properties.
    8. Make sure its password never expires.
      Note

      For steps 6 and 7, the name of the Administrator account should be the localized version. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language                 Administrator Name
      Finnish                  Järjestelmänvalvoja
      French                   Administrateur
      Hungarian                Rendszergazda
      Portuguese (Brazil)      Administrador
      Portuguese (Portugal)    Administrador
      Russian                  Администратор
      Spanish                  Administrador
      Swedish                  Administratör

  8. Go to Control Panel > Network and Internet > Network and Sharing Center > Change Adapter settings, and rename the following:

    • Ethernet 1: rename to eth0
    • Ethernet 2: rename to eth1

    If there are network devices already named eth0 and eth1, change them to different names first.

    The exact names shown in the Network Connection page might not be Local Area Connection 1 or Local Area Connection 2. You might need to swap the eth0 and eth1 names for the customized image to work on FortiSandbox.

    If the system does not allow renaming to eth0 or eth1 and reports that a connection named eth0 or eth1 already exists, but those connections do not appear in the Network Connections page:

    a. Click Start > Run, type cmd.exe, and then press ENTER.
    b. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
    c. Type Start DEVMGMT.MSC, and then press ENTER.
    d. Click View > Show Hidden Devices. Expand the Network Adapters tree. Right-click the greyed out network adapters, and click Uninstall.

  9. Go to the Start menu, execute Run… and enter %TEMP%. This opens the %TEMP% folder. Delete everything in the folder to save disk space.
  10. If the Windows Firewall is on, go to Control Panel > System and Security > Windows Firewall > Advanced Settings and create the following rule (if the Windows Firewall is off, these steps are not necessary):
    1. Click Inbound Rules > Add New Rule, then click Program.
    2. Check This Program Path and type c:\Windows\System32\ftp.exe. Then, click Next.
    3. Check Allow the Connection, then click Next.
    4. Provide a name for the rule such as Allow FTP.
    5. Click Finish.

      Repeat these steps under Outbound Rules for the same executable.

      To maximize the catch rate, it is recommended to configure the following settings:

      1. Turn off Windows Firewall

        Go to Control Panel > System and Security > Windows Firewall > Customize Settings page and turn it off for both private and public networks.

      2. Turn off UAC (User Account Control Settings)

        Search for UAC in Start menu, open the Change the User Account Control Setting, move the slider to Never, click OK.

      3. Use public profile for all unidentified networks

        Go to Control Panel > System and Security > Administrative Tools > Local Security Policy > Network List Manager Policies > right-click Unidentified Networks > Properties, change Location Type to Public, click OK.

      4. Turn off system protection for hard drive

        Go to the Start menu, right-click Computer > Properties > System protection > System Protection tab > Protection Settings > Local Disk (C:) > Configure, check Turn off system protection, click OK.

  11. If the Windows Firewall is off, execute the following commands in the command prompt:

    sc config mpssvc start= demand
    sc config wscsvc start= demand
    net start wscsvc
    net start mpssvc
    netsh firewall set opmode disable
    netsh advfirewall set allprofiles state off

    The warning message about netsh firewall can be ignored.

If the operating system is Windows 8, Server 2012, or Server 2016:
  1. Turn off Windows automatic update. Go to Control Panel > System and Security > Windows Update > Change Settings. Change the dropdown menu to Never Check for Updates.
  2. If the operating system is Windows 8, disable Windows Defender or any installed antivirus software. Go to the Start menu and type Windows Defender to locate and launch the program. Go to Settings > Real Time Protection and uncheck Turn on Real-Time Protection.
  3. In the Control Panel > System and Security > Action Center page, expand the Maintenance section. Click Settings under Check for solutions to problem reports and select Never check for solutions to disable the Action Center notifications. In the Action Center > Change Action Center Settings page, uncheck every item and click OK.
  4. Open a command prompt as the Administrator and enter powercfg /h off to disable hibernation.
  5. Right-click on the Desktop and select Personalize. Navigate to the Screen Saver settings. Change the Screen Saver dropdown list to None to disable the Screen Saver.
  6. Make sure the Administrator account is enabled. Go to the Start Menu and search for the Command Prompt. Right-click on it and launch it as the Administrator. Execute net user Administrator /active:yes.
  7. Set up auto-login for the Administrator account.
    1. Open a command prompt and enter control userpasswords2 to open User Accounts.
    2. Make sure the Administrator account has the automatic login privilege by unchecking the Users must enter a user name and password to use this computer option.
    3. Click Apply.
    4. Use Administrator as the login account and set up the password.
    5. Go to User Accounts > Advanced tab.
    6. Go to Advanced User Management > click the Advanced button to open the lusrmgr page.
    7. Click on the Users folder, and select Administrator to edit its properties.
    8. Make sure its password never expires.
    Note

      For steps 6 and 7, the name of the Administrator account should be the localized version. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language                 Administrator Name
      Finnish                  Järjestelmänvalvoja
      French                   Administrateur
      Hungarian                Rendszergazda
      Portuguese (Brazil)      Administrador
      Portuguese (Portugal)    Administrador
      Russian                  Администратор
      Spanish                  Administrador
      Swedish                  Administratör

  8. Go to Control Panel > Network and Internet > Network Sharing > Change Adapter settings, and rename the following:

    • Ethernet 1: rename to eth0
    • Ethernet 2: rename to eth1

    If there are network devices already named eth0 and eth1, change them to different names first.

    The exact names shown in the Network Connection page might not be Local Area Connection 1 or Local Area Connection 2. You might need to swap the eth0 and eth1 names for the customized image to work on FortiSandbox.

    If the system does not allow renaming to eth0 or eth1 and reports that a connection named eth0 or eth1 already exists, but those connections do not appear in the Network Connections page:

    a. Click Start > Run, type cmd.exe, and then press ENTER.
    b. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
    c. Type Start DEVMGMT.MSC, and then press ENTER.
    d. Click View > Show Hidden Devices. Expand the Network Adapters tree. Right-click the greyed out network adapters, and click Uninstall.

  9. Go to the Start menu > Run... > enter %TEMP% and press Enter. The %TEMP% folder opens. Delete everything in the folder.
  10. Go to Control Panel > Appearance and Personalization > Taskbar and Navigation.
  11. In the Navigation tab, under Start screen, check When I sign in or close all apps on a screen, go to the desktop instead of Start. Click OK to save the change.

    To maximize the catch rate, it is recommended to configure the following settings:

    1. Turn off Windows Firewall

      Go to Control Panel > Windows Firewall. Select Turn off Windows Firewall for both public and private networks.

    2. Turn off UAC (User Account Control Settings)

      Search for UAC in Start menu, open the Change the User Account Control Setting, move the slider to Never, click OK.

    3. If the operating system is Windows 8, use public profile for all unidentified networks

      Go to Control Panel > System and Security > Administrative Tools > Local Security Policy > Network List Manager Policies > right-click Unidentified Networks > Properties, change Location Type to Public, click OK.

    4. If the operating system is Windows 8, turn off system protection for hard drive

      Go to Control Panel > System and Security > System, click Change Settings next to the Computer name, domain and workgroup settings section. Navigate to System Protection tab, select Configure..., and select Disable system protection.

  12. If the Windows Firewall is turned off, execute the following commands in the command prompt (omit the two wscsvc lines on Server 2012 and Server 2016):

    sc config mpssvc start= demand
    sc config wscsvc start= demand
    net start wscsvc
    net start mpssvc
    netsh firewall set opmode disable
    netsh advfirewall set allprofiles state off

    The warning message about netsh firewall can be ignored.
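The adapter-renaming step, including the rule about adapters that already carry the eth0/eth1 names and the case where Windows reports that eth0 or eth1 "already exists" although nothing in Network Connections shows them, is identical in the Windows Server 2003, Windows 7/Server 2008 and Windows 8/Server 2012/2016 procedures above, and recurs for Windows 10 below. The PowerShell below is an added example, not Fortinet's, that applies those rules in one pass. It uses WMI and netsh rather than the NetAdapter module so it also runs on the Windows 7 image (PowerShell 3.0 or later assumed). The "already exists" case is detected by reading the connection names Windows keeps for adapters that are no longer present; removing those adapters stays a Device Manager task, as the guide describes. Which current connection becomes eth0 is passed in explicitly, since the guide notes the two may have to be swapped.

```powershell
# Added example (not from the Fortinet guide): apply the eth0/eth1 renaming rules from
# the guide. Uses WMI and netsh (not the NetAdapter module) so it also runs on the
# Windows 7 image; PowerShell 3.0 or later is assumed. The mapping of current names to
# eth0/eth1 is an assumption you supply; swap it if FortiSandbox needs the other order.
$NetworkKey = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}'

function Get-ConnectionRecord {
    # Every connection name Windows has assigned lives here, for present and removed
    # adapters alike; a removed adapter's entry is what causes "eth0 already exists".
    Get-ChildItem -Path $NetworkKey -ErrorAction SilentlyContinue | ForEach-Object {
        $conn = Get-ItemProperty -Path (Join-Path $_.PSPath 'Connection') -ErrorAction SilentlyContinue
        if ($conn -and $conn.Name) {
            New-Object PSObject -Property @{ Name = $conn.Name; PnpInstanceID = $conn.PnpInstanceID }
        }
    }
}

function Get-PresentAdapter {
    # Adapters that Network Connections actually shows (those that have a connection name).
    Get-WmiObject -Class Win32_NetworkAdapter -Filter 'NetConnectionID IS NOT NULL'
}

function Get-GhostConnection {
    # Names registered to devices that are no longer present.
    param([string[]]$Names = @('eth0', 'eth1'))
    $presentIds = @(Get-PresentAdapter | Select-Object -ExpandProperty PNPDeviceID)
    Get-ConnectionRecord | Where-Object {
        ($Names -contains $_.Name) -and ($presentIds -notcontains $_.PnpInstanceID)
    }
}

function Rename-Connection {
    param([Parameter(Mandatory)][string]$Current, [Parameter(Mandatory)][string]$New)
    & netsh interface set interface name="$Current" newname="$New" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Renaming '$Current' to '$New' failed (netsh exit code $LASTEXITCODE)" }
}

function Set-FsaAdapterNames {
    # $Mapping: current connection name -> required name,
    # e.g. @{ 'Local Area Connection' = 'eth0'; 'Local Area Connection 2' = 'eth1' }
    param([Parameter(Mandatory)][hashtable]$Mapping)

    $ghosts = @(Get-GhostConnection -Names @($Mapping.Values))
    if ($ghosts.Count -gt 0) {
        # Removal is the Device Manager procedure in the guide (Show Hidden Devices > Uninstall).
        $held = ($ghosts | Select-Object -ExpandProperty Name) -join ', '
        throw "Hidden (non-present) adapter(s) still own the name(s): $held. Uninstall them first."
    }
    $present = @(Get-PresentAdapter | Select-Object -ExpandProperty NetConnectionID)
    foreach ($source in @($Mapping.Keys)) {
        if ($present -notcontains $source) { throw "No connection named '$source' is present." }
    }
    # Guide: if other adapters are already called eth0/eth1, give them different names first.
    foreach ($target in @($Mapping.Values)) {
        if (($present -contains $target) -and -not $Mapping.ContainsKey($target)) {
            Rename-Connection -Current $target -New "$target-old"
        }
    }
    # Two passes through temporary names so that swapping eth0 and eth1 also works.
    $temp = @{}; $i = 0
    foreach ($source in @($Mapping.Keys)) {
        $temp[$source] = "fsa-tmp-$i"; $i++
        Rename-Connection -Current $source -New $temp[$source]
    }
    foreach ($source in @($Mapping.Keys)) {
        Rename-Connection -Current $temp[$source] -New $Mapping[$source]
    }
    Get-PresentAdapter | Select-Object NetConnectionID, Name, MACAddress
}

# Usage (run as Administrator inside the guest; the current names are assumptions):
Set-FsaAdapterNames -Mapping @{ 'Local Area Connection' = 'eth0'; 'Local Area Connection 2' = 'eth1' }
```

The final table lists each connection with its adapter model and MAC address, which is the quickest way to confirm that eth0 and eth1 landed on the adapters you intended before the image is uploaded.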

If the operating system is Windows 10 or Windows Server 2019:
  1. Disable Windows Defender and other antivirus software. Go to Windows Defender Settings and uncheck Turn on Real-Time Protection.
  2. Run the command gpedit.msc and click OK to open the Local Group Policy Editor.
  3. In the left pane, go to Computer Configuration > Administrative Templates > Windows Components > Windows Defender.
  4. In the right pane, double-click Turn off Windows Defender policy to edit it. Click OK to save the change.
  5. Go to Start > Settings > System > Notifications & Actions and turn off all notifications.
  6. Open a command prompt as the Administrator and enter powercfg /h off to disable hibernation.
  7. Right-click on the Desktop and select Personalize. Go to the Screen Saver setting and change the Screen Saver dropdown list to None to disable the Screen Saver.
  8. Ensure the Administrator account is enabled. Run the command net user Administrator /active:yes.
  9. Setup auto-login for the Administrator account.
    1. Run the command control userpasswords2 to open User Accounts.
    2. Ensure the Administrator account can automatically log in by unchecking Users must enter a user name and password to use this computer.
    3. Click Apply.
    4. Use Administrator as the login account; the password is optional.
    5. Go to User Accounts > Advanced.
    6. In Advanced user management click Advanced to open the lusrmgr page.
    7. Go to Users > Administrator and edit its properties.
    8. Ensure its password never expires.
    9. Turn on automatic logon in the registry. In the registry editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and set both DefaultUserName and LastUsedUsername to Administrator.
    Note

      Ensure the name of the Administrator account is in the local language. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language                 Administrator Name
      Finnish                  Järjestelmänvalvoja
      French                   Administrateur
      Hungarian                Rendszergazda
      Portuguese (Brazil)      Administrador
      Portuguese (Portugal)    Administrador
      Russian                  Администратор
      Spanish                  Administrador
      Swedish                  Administratör

  10. Go to Control Panel > Network and Internet > Network and Sharing Center > Change Adapter settings and rename the following:
    • Rename Ethernet 1 to eth0
    • Rename Ethernet 2 to eth1

    If there are network devices already named as eth0 and eth1, change them to different names first.

    The exact names shown in the Network Connection page might not be Local Area Connection 1 or Local Area Connection 2. You might need to swap the eth0 and eth1 names for the custom image to work on FortiSandbox.

    If the system doesn't allow renaming to eth0 or eth1 with messages like connection eth0 or eth1 already exists, but they don't appear in the Network Connections page, do the following:

    1. Run the command set devmgr_show_nonpresent_devices=1.
    2. Run the command Start DEVMGMT.MSC.
    3. Click View > Show Hidden Devices.
    4. Expand Network Adapters, right-click the grayed out network adapters, and select Uninstall.
  11. Run the command %TEMP% to open the %TEMP% folder. Delete everything in this folder.

    To maximize the catch rate, we recommend configuring the following settings:

    1. Turn off Windows Firewall

      In Control Panel > System and Security > Windows Firewall, select Turn off Windows Firewall for both public and private networks.

    2. Turn off UAC (User Account Control Settings)

      Search for UAC in the Start menu, open the Change the User Account Control Setting, move the slider to Never, click OK.

    3. Use public profile for all unidentified networks

      Go to Control Panel > System and Security > Administrative Tools > Local Security Policy > Network List Manager Policies > right-click Unidentified Networks > Properties, change Location Type to Public, click OK.

    4. Turn off system protection for hard drive

      Go to Control Panel > System and Security > System, click Change Settings next to the Computer name, domain and workgroup settings section. In the System Protection tab, select Configure..., and select Disable system protection.

  12. If Windows Firewall is turned off, execute the following commands:

    sc config mpssvc start= demand

    sc config wscsvc start= demand

    net start wscsvc

    net start mpssvc

    netsh firewall set opmode disable

    netsh advfirewall set allprofiles state off

    Ignore the warning message about netsh firewall.

    When you run sc config mpssvc start= demand, you might get the error [SC] OpenService FAILED 5: Access is denied.

    To correct this error:
    1. Open the registry editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpssvc\Security.
    2. Rename Security to Security.old.
    3. Close the registry editor and restart Windows.
    4. Open a CLI window as the administrator and enter the following command:
      sc.exe sdset mpssvc D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
    5. Run the sc config mpssvc start= demand command again.

    When you run sc config wscsvc start= demand, you might get the error [SC] OpenService FAILED 5: Access is denied.

    To correct this error:
    1. Open the registry editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc.
    2. Change the value of Start to 3.
    3. Close the registry editor and restart Windows.
  13. Enable Allow remote connections to this computer for the Administrator account.

    If there is no password for the Administrator account, you must allow remote desktop login without a password. Go to Control Panel > System and Security > Administrative Tools > Local Security Policy > Local Policies > Security Options and set Accounts: Limit local account use of blank passwords to console logon only to Disable.

  14. Configure enhanced security options for Internet Explorer:
    1. In the top right of Internet Explorer, go to Tools > Internet Options > General > Home page and click Use new tab.
    2. Go to Tools > Internet Options > Security and set the Security level for all zones to the lowest and disable Enable Protected Mode.
    3. Go to Tools > Internet Options > Privacy and disable Turn on Pop-up Blocker.
  15. If the VM image is for FortiSandbox on Azure, set up FortiSandbox engine for Azure and install the customized VM image on Azure.
    1. Create a FSALauncher folder on C drive.
    2. In the VM image, use a web browser to download the latest FSALauncher.exe file into the FSALauncher folder:
    3. Add the FSALauncher.exe (or FSALauncher_x64.exe for 64-bit) as an auto-startup program using the Startup folder or Task Scheduler.
      • Go to Start > Run, enter shell:startup to open the Startup folder and paste the FSALauncher program into it.
    4. Create an empty tracer folder on C drive and give full access to Administrator.
    5. Upload the VM image's vhd file onto a server that the FortiSandbox firmware can access, such as an internal server or a public server that supports the FTP or SCP protocol.

      A sample custom Windows 10x64 VM for Azure template is in https://fsavm.fortinet.net/images/AZure/Azure_WIN10X64O2016.vhd.

  16. If the VM image is for FortiSandbox on AWS, set up FortiSandbox engine for AWS and install the customized VM image on AWS.
    1. Optional: download and install the PV driver from AWS. See Upgrading PV Drivers on Your Windows Instances.
    2. Share the VHD file so that it is accessible over SSH or FTP from a public server, or from an internal server that the FortiSandbox firmware can reach.
    3. Copy the FortiSandbox Tools folder to the custom VM.
    4. Create a FSALauncher folder on C drive.
    5. In the VM image, use a web browser to download the latest FSALauncher.exe file into the FSALauncher folder:
    6. Add the FSALauncher.exe or FSALauncher_x64.exe as an auto-startup program using the Startup folder or Task Scheduler.
      • Go to Start > Run, enter shell:startup to open the Startup folder and paste the FSALauncher program into it.
    7. Create an empty tracer folder on C drive and give full access to Administrator.
    8. Download the tracer package from https://fsavm.fortinet.net/vmtools/sandbox_engine_03001.00171.2-r530171.tracer.pkg.
    9. In FortiSandbox, go to System > FortiGuard, click Choose File beside Upload Package File and upload the tracer package file.
    10. Upload the VM image's vhd file onto a server that the FortiSandbox firmware can access, such as an internal server or a public server that supports the FTP or SCP protocol.

      A sample custom Windows 10x64 VM template for AWS is in https://fsavm.fortinet.net/images/AWS/AWS_WIN10X64O2016.7z.

    11. Install the custom VM with the following CLI command:

      vm-customized -cn -t<ftp|scp> -s<server_ip> -u<username> -p<password> -f</vhd_file_path/vhd_file_name> -vo<Windows_type> -vn<custom_vm_name> -d<Machine uuid> -k<MD5_of_vhd_file_in_lowercase>

      vhd_file_name and custom_vm_name must be the same.

6. Setup FortiSandbox Tracer Engine Launcher

  1. Use a text editor to enter the following script:

    @echo off
    rem Wait until FortiSandbox has placed launcher.bat on the D: drive, then start it.
    :checker
    if not exist d:\launcher.bat (
        echo Wait for d:\launcher.bat
        rem pause for a few seconds (five pings to the loopback address act as the timer)
        ping -n 5 127.0.0.1 >nul
        goto checker
    )
    start /min d:\launcher.bat

  2. Save the file as autorun.bat on your Desktop.
  3. Find the autorun.bat file on your Desktop, and Right-click > Cut.
  4. On Windows 7 or Windows Server 2003 or 2008, go to Start > All Programs > Startup > Right-click > Open All Users. Windows Explorer will open. Paste the autorun.bat file.

    On Windows 8 and Windows 10, go to Start > Run..., enter shell:startup to open the Startup folder, and paste the autorun.bat file.

    The D:\ directory for the autorun.bat file is created after the VM image is uploaded.

7. Install the custom VM image on FortiSandbox

To install a customized VM image to AWS or Azure FortiSandbox, see the FortiSandbox VM on AWS or FortiSandbox VM on Azure Guide.

  1. Put the VM image’s .vdi or .vhd file and its meta file from Step 4 onto a server that supports FTP or SCP protocol.
  2. In the FortiSandbox CLI interface:
    1. Run vm-customized as follows:

      vm-customized -cn -t<ftp|scp> -s<server_ip> -u<username> -p<password> -f</vdi_or_vhd_file_path/vdi_or_vhd_file_name> -vo<Windows_type> -vn<custom_vm_name> -d<Machine uuid> -k<MD5_of_vdi_or_vhd_file_in_lowercase>

      Ensure the vdi_or_vhd_file_name is the same as the custom_vm_name.

      Machine uuid is in the <Machine> section of the .vbox file in the image build directory, such as C:\Users\user_name\VirtualBox VMs\vm_name\.

      On Ubuntu, use the command VBoxManage list vms.

    2. If a customized VM image of the same name exists on the unit, the installation will fail. Go to the VM Image page and set its clone number to 0. Click Apply to disable existing images. Use -r to replace the existing image with the new one. The Scan Profile settings for the image will be inherited.
    3. The installation process can take up to one hour, depending on unit model and network speed. If installation fails or stops unexpectedly, execute the command again.
    4. It is optional to upload the meta file. The information in the meta file will be displayed in the Installed Applications area in Scan Profile page of the FortiSandbox. To install it, execute CLI command vm-customized as follows:

      vm-customized -cf -t<ftp|scp> -s<server_ip> -u<username> -f</meta_file_path/meta_file_name> -vn<custom_vm_name>

      The custom_vm_name should be the same as in step 1.

    5. The unit will reboot after installation.
  3. After the unit reboots, enable the image by setting its clone number higher than 0 in the VM Image page, and associate file types with it in the Scan Profile page to scan files.

    For example, suppose the customized image is a Windows 7 image with an image file editor called FastStone Image Viewer installed and associated to open JPG files. The user can create a User defined extension for JPG files and associate it with this customized image. Subsequently, all JPG files will be scanned by this customized image and opened by FastStone Image Viewer.
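As an added example (not Fortinet's tooling), the following PowerShell script, run on the VirtualBox build host, pulls the Machine uuid out of the .vbox file, computes the lowercase MD5 of the image, applies the naming rules from this appendix (15-character limit, reserved names, image file name equal to custom_vm_name, no spaces in the path) and assembles the vm-customized command. The server, user, Windows_type and path values are placeholders you supply; whether vm-customized expects the uuid with or without the braces VirtualBox writes is not stated in the guide, so the bare form is used and the raw form is kept alongside it.

```powershell
# Added example, not Fortinet's code. Run on the VirtualBox build host before uploading.

# Names reserved by Fortinet (from step 3, Create a custom image in VirtualBox).
$ReservedNames = @('WINXPVM','WINXPVM1','WIN7X86VM','WIN7X64VM','WIN7X64SP1','WIN7X86SP1O16',
    'WIN7X86VMO16','WIN8X64VMO16','WIN81X86VM','WIN81X64VM','WIN81X64VMO16','WIN10X86VM',
    'WIN10X64VM','WIN10X64VMO16')

function Get-VBoxMachineUuid {
    param([string]$VboxPath)
    # The .vbox file is XML; the uuid is an attribute of the <Machine> element, e.g. uuid="{9f3e...}".
    [xml]$doc = Get-Content -Path $VboxPath
    $raw = $doc.VirtualBox.Machine.uuid
    if (-not $raw) { throw "No <Machine uuid> found in $VboxPath" }
    # Raw keeps VirtualBox's braces; Bare strips them (assumption: the CLI wants the bare value).
    return @{ Raw = $raw; Bare = $raw.Trim('{', '}') }
}

function Get-ImageMd5Lowercase {
    param([string]$ImagePath)
    # Streamed so a multi-GB .vdi/.vhd is not read into memory at once; -k wants lowercase hex.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($ImagePath)
    try { $bytes = $md5.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Test-CustomVmName {
    param([string]$Name, [string]$ImagePath, [string]$RemotePath)
    $problems = @()
    if ($Name.Length -gt 15) { $problems += "name '$Name' is longer than 15 characters" }
    if ($ReservedNames -contains $Name.ToUpper()) { $problems += "name '$Name' is reserved by Fortinet" }
    $stem = [System.IO.Path]::GetFileNameWithoutExtension($ImagePath)
    if ($stem -ne $Name) { $problems += "image file name '$stem' must equal the VM name '$Name'" }
    if ($RemotePath -match '\s') { $problems += "remote path '$RemotePath' contains spaces, which the CLI rejects" }
    return $problems
}

function New-VmCustomizedCommand {
    param(
        [string]$VboxPath, [string]$ImagePath, [string]$Name, [string]$RemotePath,
        [string]$Transport = 'scp', [string]$Server = '<server_ip>',
        [string]$User = '<username>', [string]$WindowsType = '<Windows_type>'
    )
    $problems = Test-CustomVmName -Name $Name -ImagePath $ImagePath -RemotePath $RemotePath
    if ($problems) { throw ("Fix before uploading:`n - " + ($problems -join "`n - ")) }
    $uuid = Get-VBoxMachineUuid -VboxPath $VboxPath
    $md5 = Get-ImageMd5Lowercase -ImagePath $ImagePath
    # The password is left as a placeholder so it is typed at the FortiSandbox CLI, not stored here.
    return "vm-customized -cn -t$Transport -s$Server -u$User -p<password> -f$RemotePath " +
           "-vo$WindowsType -vn$Name -d$($uuid.Bare) -k$md5"
}

# Example invocation (paths, name and server are illustrative placeholders):
# New-VmCustomizedCommand -VboxPath 'C:\VMs\WIN7CUSTOM\WIN7CUSTOM.vbox' `
#     -ImagePath 'C:\VMs\WIN7CUSTOM\WIN7CUSTOM.vdi' -Name 'WIN7CUSTOM' `
#     -RemotePath '/images/WIN7CUSTOM.vdi' -Server '10.0.0.5' -User 'fsa'
```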


1. Download and install Oracle VM VirtualBox

Download VirtualBox from https://download.virtualbox.org/virtualbox/5.2.34/VirtualBox-5.2.34-133893-Win.exe. The checksum is in https://fsavm.fortinet.net/vmtools/md5.txt.

For help with VirtualBox installation and troubleshooting, see the VirtualBox User Manual.

VirtualBox is open source software licensed under the GNU General Public License version 2. For license information, see https://www.virtualbox.org/wiki/Licensing_FAQ.

Mac OS is not supported.

2. Prepare the operating system installation package

In FortiSandbox 3.2.0, the following operating systems can be used to build a custom VM image.

  • Microsoft Windows Server 2003 32 bit
  • Microsoft Windows 7 32/64 bit
  • Microsoft Windows 8.1 32/64 bit
  • Microsoft Windows 10 32/64 bit
  • Microsoft Windows Server 2008 32/64 bit
  • Microsoft Windows Server 2012 64 bit
  • Microsoft Windows Server 2016 64 bit
  • Microsoft Windows Server 2019 64 bit

The installation package for each of the above operating systems must be packaged as an ISO file, and the ISO file must be copied to the host on which VirtualBox is installed.

The Windows operating system is available from Microsoft and Microsoft Channel Partners. Fortinet does not provide the installation package, support, or license rights for it.

To support 64-bit operating systems, hardware virtualization must be enabled in the BIOS of the host on which VirtualBox is installed.

3. Create a custom image in VirtualBox

  1. Launch VirtualBox and click New.

    Name: the name of the new image. The name cannot be more than 15 characters.

    The following VM image names are reserved by Fortinet. Do not use these names for custom images.

    • WINXPVM
    • WINXPVM1
    • WIN7X86VM
    • WIN7X64VM
    • WIN7X64SP1
    • WIN7X86SP1O16
    • WIN7X86VMO16
    • WIN8X64VMO16
    • WIN81X86VM
    • WIN81X64VM
    • WIN81X64VMO16
    • WIN10X86VM
    • WIN10X64VM
    • WIN10X64VMO16

    Type: select Microsoft Windows.

    Version: select the Windows version.

  2. Click Next.
  3. In the Memory Size page, allocate the base memory size:

    Windows Server 2003 32 bit: 512MB

    Windows 7, 8, 10, Windows Server 2008 R2, Windows Server 2012, Windows Server 2016: 1024MB

  4. Click Next.
  5. In the Hard Drive page, select Create a virtual hard drive now and click Create.
  6. In the Hard drive file type page:
    • If you are using Windows, select VirtualBox Disk Image (.vdi) format and click Next.
    • If you are using AWS or Azure, select Virtual Hard Disk (.vhd) format and click Next.
  7. In the Storage on physical hard drive page:
    • If you are using Windows or AWS, select Dynamic size and click Next.
    • If you are using Azure, select Fixed size and click Next.
  8. In the File location and size page, set the path of the virtual disk file (optional) and allocate a 20GB virtual disk for the VM; then click Create.

    The VM is created and appears in the left pane.

  9. Click Settings or right-click the VM image name to configure the VM image settings.
    1. Go to General > Advanced and apply the following settings.
      Caution: Ensure the Snapshot Folder path has no spaces, because when you upload the .vdi file to FortiSandbox, the CLI does not accept spaces in the file path.

    2. Go to System > Motherboard and apply the following settings.
      For Windows Server 2003 32 bit:

      For Windows 7, Server 2008, 8, 10, Server 2012, Server 2016, Server 2019:

      Processor Tab
        Processor(s): 1
        Execution Cap: 100
        Enable PAE/NX: Enable

      Acceleration Tab
        Enable VT-x/AMD-V: Enable
        Enable Nested Paging: Enable

    3. For Display, keep the default settings.
    4. Go to Storage, and apply the following settings:
      If the operating system is Windows Server 2003 32 bit:
      1. Click Controller: IDE, set Type to PIIX4, and enable Use host I/O cache.
      2. Click the Empty Optical Drive node and ensure the CD/DVD Drive is set as the IDE Secondary Master.
      3. Click the icon and select Choose a virtual CD/DVD disk file; then select the ISO file containing the operating system installation package.
      If the operating system is Windows 10 or Windows Server 2019:
      1. Click Controller: SATA node, then right-click and select Remove Controller to remove it.
      2. Right-click the Storage Tree panel and select Add IDE Controller.
      3. Click the Add Hard Disk icon.

      4. Click Choose existing disk and select the virtual disk file (*.vdi) that was created in the previous steps. Ensure the *.vdi is set as the IDE Primary Master.
      5. Click Controller: IDE, set Type to PIIX4, and enable Use host I/O cache.
      6. Click the Add Optical Drive icon and then click the Leave empty button. Ensure the CD/DVD Drive is set as the IDE Secondary Master.
      7. Click the icon and select Choose a virtual CD/DVD disk file; then select the ISO file containing the operating system installation package.
      If the operating system is Windows 7, 8, Server 2008, Server 2012, Server 2016:
      1. Click Controller: SATA node, then right-click and select Remove Controller to remove it.
      2. Right-click the Storage Tree panel and select Add IDE Controller.
      3. Click the Add Hard Disk icon.

      4. Click Choose Existing Disk and select the virtual disk file (*.vdi) that was created in the previous steps.
      5. Click Controller: IDE, set Type to PIIX4, and enable Use host I/O cache.
      6. Click the Empty Optical Drive node and ensure the CD/DVD Drive is set as the IDE Secondary Master.
      7. Click the icon and select Choose a virtual CD/DVD disk file; then select the ISO file containing the operating system installation package.
      If the operating system is Windows 10 for AWS or Azure:
      1. Click Controller: SATA node, then right-click and select Remove Controller to remove it.
      2. Right-click the Storage Tree panel, and select Add IDE Controller.
      3. Click the Add Hard Disk icon.

      4. Click Choose Existing Disk and select the virtual hard disk file (*.vhd) that was created in the previous steps. Ensure the *.vhd is set as the IDE Primary Master.
      5. Click Controller: IDE, set Type to PIIX4, and enable Use host I/O cache.
      6. Click the Add Optical Drive icon and then click the Leave empty button. Ensure the CD/DVD Drive is set as the IDE Secondary Master.
      7. Click the icon and select Choose a virtual CD/DVD disk file; then select the ISO file containing the operating system installation package.
    5. Go to Audio, and uncheck the Enable Audio checkbox.
    6. Go to Network, and apply the following settings:
      If the operating system is Windows Server 2003 32 bit:

      Adapter 1 Tab
        Network Adapter: Enable
        Attached to: NAT
        Adapter Type: Intel PRO/1000T Server (82543GC)
        Cable Connected: Enable

      Adapter 2 Tab
        Network Adapter: Enable
        Attached to: NAT
        Adapter Type: Intel PRO/1000T Server (82543GC)
        Cable Connected: Enable

      If the Operating System is Windows 7, 8, 10, Windows Server 2008, Windows Server 2012, or Windows Server 2016:

      Adapter 1 Tab
        Network Adapter: Enable
        Attached to: NAT
        Adapter Type: Intel PRO/1000MT Server (82545EM)
        Cable Connected: Enable

      Adapter 2 Tab
        Network Adapter: Enable
        Attached to: NAT
        Adapter Type: Intel PRO/1000MT Server (82545EM)
        Cable Connected: Enable

    7. In Serial Ports, keep the default settings.
    8. In USB, disable Enable USB Controller.
    9. In Shared Folders, ensure no shared folders exist.
  10. Click OK.
  11. In the VirtualBox Manager page, click the Start icon to turn on the image. The operating system starts installing. Follow the on-screen instructions to complete the installation.

4. Install software and components on the custom VM image

After installing a custom VM image, install applications and components for your environment, such as the following:

  • .Net Framework
  • Microsoft Office Suite
  • Adobe Acrobat Reader

Use one of the following ways to install software and components on the custom VM image:

  • Put the installers on a computer in a management network where the VM image can download them using HTTP, FTP, or a network share. Configure the VM image network settings to access the host computer.
  • Package the installers as an ISO file. In VirtualBox Manager, select the VM image and go to the Settings page. Then go to Storage > Empty optical drive node > disk icon > Choose a virtual CD/DVD disk file and select the ISO file. Inside the VM image, go to drive D to install the software.

After installing software or a component, verify that the installation is successful in Control Panel > Add or Remove Programs or Control Panel > Programs and Features.

Disable automatic update of software.

Use a text editor to create a meta file listing the applications installed on this VM image. The meta file is used later, and its content is displayed in Scan Profile > Installed Applications of FortiSandbox.

Certain software needs to be configured to associate with the file types as the default application. For example, Adobe Reader needs to be launched after installation to be the default PDF application.

All applications that are used during a job scan should be launched after installation to finish their initialization. This is especially important for software like web browsers such as Internet Explorer, Adobe Reader and Microsoft Office software.

For Windows 10 or Windows Server 2019, the default web browser is Windows Edge, which FortiSandbox does not currently support. We recommend changing the default web browser to Internet Explorer. To do that:

  1. Go to Start > Settings > System > Apps > Default apps.
  2. Click Web Browser and select Internet Explorer.

Activate Windows OS and other installed software.

Fortinet is not responsible for software support and licensing.

5. Modify the VM image environment

If the operating system is Windows Server 2003 32 bit:
  1. Go to Control Panel > Security Center and disable Windows Automatic Updates.
  2. Disable all antivirus software.
  3. Go to Start > right-click My computer > click Properties.

    In Hardware tab, click Driver Signing button and select Ignore – Install the software anyway and don’t ask for my approval.

    In Advanced tab, click the Error Reporting button and check Disable the Error Reporting function. Also, uncheck But notify me when critical errors occur.

    In System Restore tab, make sure the System Restore function is off.

  4. Make sure the built-in Administrator account is enabled. Open a command prompt and execute net user Administrator /active:yes.
  5. Set up Administrator auto-login:
    1. Open a command prompt and enter control userpasswords2. This will open the User Accounts page.
    2. Uncheck Users must enter a user name and password to use this computer to ensure the Administrator has automatic login privileges.
    3. Click Apply.
    4. Use Administrator as the login account, password is optional.
    5. Go to the User Accounts > Advanced tab.
    6. Under Advanced User Manager > click the Advanced button to open the lusrmgr page.
    7. Click the Users folder to select the Administrator and edit its properties.
    8. Make sure its password never expires.
    Note

      For steps 4 and 5, the name of the Administrator account should be the localized version. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language: Administrator Name
      Finnish: Järjestelmänvalvoja
      French: Administrateur
      Hungarian: Rendszergazda
      Portuguese (Brazil): Administrador
      Portuguese (Portugal): Administrador
      Russian: Администратор
      Spanish: Administrador
      Swedish: Administratör

  6. Open a command prompt and enter powercfg /h off to disable hibernation if it is supported.
  7. Go to Control Panel > Display Properties, navigate to Screen Saver tab and select None from the Screen Saver dropdown menu.
  8. Go to Control Panel > Network Connection, and rename the following:

    Local Area Connection 1 renamed to: eth0

    Local Area Connection 2 renamed to: eth1

    If there are network devices already named eth0 and eth1, change them to different names first.

    The exact names shown in the Network Connection page might not be Local Area Connection 1 or Local Area Connection 2. You might need to swap the eth0 and eth1 names to make the customized image work on FortiSandbox.

    If the system doesn't allow renaming to eth0 or eth1 with messages like connection eth0 or eth1 already exists, but they are not showing up in the Network Connections page:

    1. Click Start > Run, type cmd.exe, and then press ENTER.
    2. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
    3. Type Start DEVMGMT.MSC, and then press ENTER.
    4. Click View > Show Hidden Devices. Expand the Network Adapters tree. Right-click the greyed out network adapters, and click Uninstall.
  9. Go to the Start menu, execute Run… and enter %TEMP%. This will open the %TEMP% folder. Delete everything in the folder.

    To maximize catch rate, it is recommended the Windows Firewall is disabled. To do that, go to Control Panel > Security Center > Windows Firewall and turn it off.

If the operating system is Windows 7 or Server 2008:
  1. Turn off Windows automatic update. Go to Control Panel > System and Security > Windows Update > Change. From the dropdown menu, select Never check for updates.
  2. Disable Windows Defender or any installed antivirus software. Go to Start menu and type Windows Defender to locate and launch it. Click Tools > Options > Administrator, uncheck Use this program check box, click Save.
  3. Go to Control Panel > System and Security > Action Center > Change Action Center settings, uncheck every item. Click Problem Reporting settings, check Never check for solution.
  4. Run a command prompt as the Administrator and enter powercfg /h off to disable host hibernation.
  5. Go to Control Panel > Appearance and Personalization > Change screen saver, select (None) from the Screen Saver dropdown list.
  6. Make sure Administrator account is enabled. Go to the Start menu, search command prompt. Right-click on it and launch it as the Administrator. Execute net user Administrator /active:yes.
  7. Set up auto-login for the Administrator account.
    1. Open a command prompt and type in control userpasswords2. This will open the User Accounts page.
    2. Make sure the Administrator account has automatic login privileges by unchecking the option Users must enter a user name and password to use this computer.
    3. Click Apply.
    4. Use Administrator as the login account, and set up the password.
    5. Go to User Accounts > Advanced tab.
    6. Under the User Accounts > Advanced tab > Advanced User Management, click the Advanced button to open the lusrmgr page.
    7. Click on the Users folder to select Administrator and edit its properties.
    8. Make sure its password never expires.
      Note

      For steps 6 and 7, the name of the Administrator account should be the localized version. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language: Administrator Name
      Finnish: Järjestelmänvalvoja
      French: Administrateur
      Hungarian: Rendszergazda
      Portuguese (Brazil): Administrador
      Portuguese (Portugal): Administrador
      Russian: Администратор
      Spanish: Administrador
      Swedish: Administratör

  8. Go to Control Panel > Network and Internet > Network and Sharing Center > Change Adapter settings, rename the following:

    Ethernet 1 renamed to: eth0

    Ethernet 2 renamed to: eth1

    If there are network devices already named eth0 and eth1, change them to different names first.

    The exact names shown in the Network Connection page might not be Local Area Connection 1 or Local Area Connection 2. You might need to swap the eth0 and eth1 names to make the customized image work on FortiSandbox.

    If the system doesn't allow renaming to eth0 or eth1 with messages like connection eth0 or eth1 already exists, but they are not showing up in the Network Connections page:

    a. Click Start > Run, type cmd.exe, and then press ENTER.
    b. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
    c. Type Start DEVMGMT.MSC, and then press ENTER.
    d. Click View > Show Hidden Devices. Expand the Network Adapters tree. Right-click the greyed out network adapters, and click Uninstall.

  9. Go to the Start menu, execute Run… and enter %TEMP%. This will open the %TEMP% folder. Delete everything in the folder to save disk space.
  10. If the Windows Firewall is on, go to Control Panel > System and Security > Windows Firewall > Advanced Settings. If the Windows Firewall is off, the following steps are not necessary:
    1. Click on Inbound Rules > Add New Rule > click Program.
    2. Check This Program Path and type: c:\Windows\System32\ftp.exe. Then, click Next.
    3. Check Allow the Connection, then click Next.
    4. Provide a name for the rule such as Allow FTP.
    5. Click Finish.

      Follow these steps to create Outbound Rules for the same executable.

      To maximize the catch rate, it is recommended to configure the following settings:

      1. Turn off Windows Firewall

        Go to Control Panel > System and Security > Windows Firewall > Customize Settings page and turn it off for both private and public networks.

      2. Turn off UAC (User Account Control Settings)

        Search for UAC in Start menu, open the Change the User Account Control Setting, move the slider to Never, click OK.

      3. Use public profile for all unidentified networks

        Go to Control Panel > System and Security > Administrative Tools > Local Security Policy > Network List Manager Policies > right-click Unidentified Networks > Properties, change Location Type to Public, click OK.

      4. Turn off system protection for hard drive

        Go to the Start menu, right-click Computer > Properties > System protection > System Protection tab > Protection Settings > Local Disk (C:) > Configure, check Turn off system protection, click OK.

  11. If the Windows Firewall is off, execute the following commands in the command prompt:

    sc config mpssvc start= demand
    sc config wscsvc start= demand
    net start wscsvc
    net start mpssvc
    netsh firewall set opmode disable
    netsh advfirewall set allprofiles state off

    The warning message about netsh firewall can be ignored.
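As an added example (not Fortinet's code), the following PowerShell script reads back the settings configured by the Windows 7 / Server 2008 steps above (the Windows 8 and Windows 10 lists set the same values) and reports which ones still differ from what the procedure asks for, so the image can be checked before it is exported. It only reads settings; it assumes Windows PowerShell 2.0 or later, English netsh output, and that it is run as Administrator inside the guest.

```powershell
# Added example, not Fortinet's code: audit the guest against the image-preparation steps.

$results = @()

function Add-Check {
    param([string]$Name, [bool]$Ok, [string]$Detail)
    $script:results += New-Object PSObject -Property @{ Check = $Name; OK = $Ok; Detail = $Detail }
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is missing, instead of a terminating error.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Step 1: AUOptions 1 = "Never check for updates".
$au = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' 'AUOptions'
Add-Check 'Windows Update set to never check' ($au -eq 1) "AUOptions=$au"

# Step 4: powercfg /h off clears HibernateEnabled.
$hib = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' 'HibernateEnabled'
Add-Check 'Hibernation disabled' ($hib -eq 0) "HibernateEnabled=$hib"

# Steps 6 and 7: the built-in Administrator is found by its well-known RID 500, so the
# localized account name (Administrateur, Administrador, ...) does not matter.
$admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | Where-Object { $_.SID -like '*-500' }
Add-Check 'Built-in Administrator enabled' ([bool]($admin -and -not $admin.Disabled)) "Name=$($admin.Name)"
Add-Check 'Administrator password never expires' ([bool]($admin -and -not $admin.PasswordExpires)) "Name=$($admin.Name)"

# Step 7: control userpasswords2 writes the auto-logon values under Winlogon.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$auto = Get-RegValue $wl 'AutoAdminLogon'
$user = Get-RegValue $wl 'DefaultUserName'
Add-Check 'Auto-logon enabled for the Administrator' (($auto -eq '1') -and ($user -eq $admin.Name)) "AutoAdminLogon=$auto DefaultUserName=$user"

# Step 8: the two adapters must show up as eth0 and eth1 in Network Connections.
$conns = @(Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID } | ForEach-Object { $_.NetConnectionID })
Add-Check 'Adapters named eth0 and eth1' (($conns -contains 'eth0') -and ($conns -contains 'eth1')) ('Connections: ' + ($conns -join ', '))

# Step 9: %TEMP% emptied.
$tmp = @(Get-ChildItem -Path $env:TEMP -Force -ErrorAction SilentlyContinue).Count
Add-Check '%TEMP% is empty' ($tmp -eq 0) "$tmp item(s) in $env:TEMP"

# Catch-rate settings: firewall off for every profile (netsh is used because Windows 7
# has no NetSecurity module) and the UAC slider at Never notify.
$states = @(netsh advfirewall show allprofiles state | Select-String '^\s*State\s+(\w+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value })
Add-Check 'Windows Firewall off for all profiles' (($states.Count -gt 0) -and -not ($states -contains 'ON')) ('Profile states: ' + ($states -join ', '))
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$consent = Get-RegValue $pol 'ConsentPromptBehaviorAdmin'
$secure = Get-RegValue $pol 'PromptOnSecureDesktop'
Add-Check 'UAC set to Never notify' (($consent -eq 0) -and ($secure -eq 0)) "ConsentPromptBehaviorAdmin=$consent PromptOnSecureDesktop=$secure"

# Step 11: mpssvc and wscsvc on demand (manual) start and running.
foreach ($svc in 'mpssvc', 'wscsvc') {
    $s = Get-WmiObject Win32_Service -Filter "Name='$svc'"
    Add-Check "$svc manual start and running" (($s.StartMode -eq 'Manual') -and ($s.State -eq 'Running')) "StartMode=$($s.StartMode) State=$($s.State)"
}

$results | Format-Table Check, OK, Detail -AutoSize
# Non-zero exit when any check fails, so the script can gate an automated image build.
if ($results | Where-Object { -not $_.OK }) { exit 1 }
```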

If the operating system is Windows 8, Server 2012, or Server 2016:
  1. Turn off Windows automatic update. Go to Control Panel > System and Security > Windows Update > Change Settings. Change the dropdown menu to Never Check for Updates.
  2. If the operating system is Windows 8, disable Windows Defender or any installed antivirus software. Go to the Start menu and type Windows Defender to locate and launch the program. Go to Settings > Real Time Protection and uncheck the Turn on Real-Time Protection.
  3. In the Control Panel > System Security > Action Center page, expand the Maintenance section. Click on the settings under the Check for solutions to problem reports, select Never check for solution to disable the Action Center notifications. In the Action Center > Change Action Center Settings page, uncheck every item and click OK.
  4. Open a command prompt as Administrator and enter powercfg /h off to disable hibernation.
  5. Right-click on the Desktop and select Personalize. Navigate to the Screen Saver settings. Change the Screen Saver dropdown list to None to disable the Screen Saver.
  6. Make sure the Administrator account is enabled. Go to the Start Menu and search for the Command Prompt. Right-click on it and launch it as the Administrator. Execute net user Administrator /active:yes.
  7. Set up auto-login for the Administrator account.
    1. Open a command prompt and enter control userpasswords2 to open User Accounts.
    2. Make sure the Administrator has automatic login privileges by unchecking the Users must enter a user name and password to use this computer option.
    3. Click Apply.
    4. Use Administrator as the login account and set up the password.
    5. Go to User Accounts > Advanced tab.
    6. Go to Advanced User Management > click the Advanced button to open the lusrmgr page.
    7. Click on the Users folder, and select Administrator to edit its properties.
    8. Make sure its password never expires.
    Note

      For steps 6 and 7, the name of the Administrator account should be the localized version. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language: Administrator Name
      Finnish: Järjestelmänvalvoja
      French: Administrateur
      Hungarian: Rendszergazda
      Portuguese (Brazil): Administrador
      Portuguese (Portugal): Administrador
      Russian: Администратор
      Spanish: Administrador
      Swedish: Administratör

  8. Go to Control Panel > Network and Internet > Network Sharing > Change Adapter settings, rename the following:

    Ethernet 1 renamed to: eth0

    Ethernet 2 renamed to: eth1

    If there are network devices already named eth0 and eth1, change them to different names first.

    The exact names shown in the Network Connection page might not be Local Area Connection 1 or Local Area Connection 2. You might need to swap the eth0 and eth1 names to make the customized image work on FortiSandbox.

    If the system doesn't allow renaming to eth0 or eth1 with messages like connection eth0 or eth1 already exists, but they are not showing up in the Network Connections page:

    a. Click Start > Run, type cmd.exe, and then press ENTER.
    b. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
    c. Type Start DEVMGMT.MSC, and then press ENTER.
    d. Click View > Show Hidden Devices. Expand the Network Adapters tree. Right-click the greyed out network adapters, and click Uninstall.

  9. Go to Start menu > Run..., enter %TEMP% and press Enter. The %TEMP% folder will open. Delete everything in the folder.
  10. Go to Control Panel > Appearance and Personalization > Taskbar and Navigation.
  11. In the Navigation tab, in the Start screen area, check the When I sign in or close all apps on a screen, go to the desktop instead of Start checkbox. Click OK to save the change.

    To maximize the catch rate, it is recommended to configure the following settings:

    1. Turn off Windows Firewall

      Go to Control Panel > Windows Firewall. Select Turn off Windows Firewall for both public and private networks.

    2. Turn off UAC (User Account Control Settings)

      Search for UAC in Start menu, open the Change the User Account Control Setting, move the slider to Never, click OK.

    3. If the operating system is Windows 8, use public profile for all unidentified networks

      Go to Control Panel > System and Security > Administrative Tools > Local Security Policy > Network List Manager Policies > right-click Unidentified Networks > Properties, change Location Type to Public, click OK.

    4. If the operating system is Windows 8, turn off system protection for hard drive

      Go to Control Panel > System and Security > System, click Change Settings next to the Computer name, domain and workgroup settings section. Navigate to System Protection tab, select Configure..., and select Disable system protection.

  12. If the Windows Firewall is turned off, execute the following commands in the command prompt:

    sc config mpssvc start= demand
    sc config wscsvc start= demand (remove this line for Server 2012 and Server 2016 OS)
    net start wscsvc (remove this line for Server 2012 and Server 2016 OS)
    net start mpssvc
    netsh firewall set opmode disable
    netsh advfirewall set allprofiles state off

    The warning message about netsh firewall can be ignored.

If the operating system is Windows 10 or Windows Server 2019:
  1. Disable Windows Defender and other antivirus software. Go to Windows Defender Settings and uncheck Turn on Real-Time Protection.
  2. Run the command gpedit.msc and click OK to open the Local Group Policy Editor.
  3. In the left pane, go to Computer Configuration > Administrative Templates > Windows Components > Windows Defender.
  4. In the right pane, double-click Turn off Windows Defender policy to edit it. Click OK to save the change.
  5. Go to Start > Settings > System > Notifications & Actions and turn off all notifications.
  6. Open a command prompt as the Administrator and enter powercfg /h off to disable hibernation.
  7. Right-click on the Desktop and select Personalize. Go to the Screen Saver setting and change the Screen Saver dropdown list to None to disable the Screen Saver.
  8. Ensure the Administrator account is enabled. Run the command net user Administrator /active:yes.
  9. Set up auto-login for the Administrator account.
    1. Run the command control userpasswords2 to open User Accounts.
    2. Ensure the Administrator account can automatically log in by unchecking Users must enter a user name and password to use this computer.
    3. Click Apply.
    4. Use Administrator as the login account; the password is optional.
    5. Go to User Accounts > Advanced.
    6. In Advanced user management click Advanced to open the lusrmgr page.
    7. Go to Users > Administrator and edit its properties.
    8. Ensure its password never expires.
    9. Turn on automatic logon in the registry. In the registry editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and set both DefaultUserName and LastUsedUsername to Administrator.
    10. Note

      Ensure the name of the Administrator account is in the local language. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language                 Administrator Name
      Finnish                  Järjestelmänvalvoja
      French                   Administrateur
      Hungarian                Rendszergazda
      Portuguese (Brazil)      Administrador
      Portuguese (Portugal)    Administrador
      Russian                  Администратор
      Spanish                  Administrador
      Swedish                  Administratör
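The account and auto-login steps above (steps 8 and 9 here, and steps 6 and 7 of the Windows 7/8 procedure) can be applied as one elevated PowerShell script. The following is an added example and not part of the Fortinet guide; it assumes the Microsoft.PowerShell.LocalAccounts module that ships with Windows 10 and Server 2019, and it selects the account by its well-known RID 500 so that the localized account names in the table above need no special handling. DefaultUserName and LastUsedUsername are the values named in the guide; AutoAdminLogon, DefaultDomainName and DefaultPassword are the standard Winlogon values that complete automatic logon.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Fortinet guide: enable the built-in Administrator,
# make its password non-expiring and turn on automatic logon (steps 8-9).
param(
    # Leave empty for a blank password, as the guide allows. A non-empty value is stored
    # in DefaultPassword in clear text, which is only acceptable on a throwaway sandbox guest.
    [string]$Password = ''
)

# The built-in Administrator always has RID 500, so select it by SID instead of by name;
# this also finds the localized account (Administrateur, Administrador, ...) listed above.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found' }

Enable-LocalUser -SID $admin.SID                          # same effect as: net user Administrator /active:yes
Set-LocalUser    -SID $admin.SID -PasswordNeverExpires $true

if ($Password) {
    Set-LocalUser -SID $admin.SID -Password (ConvertTo-SecureString $Password -AsPlainText -Force)
}

# Winlogon values from the guide (DefaultUserName, LastUsedUsername) plus AutoAdminLogon,
# which is the switch that actually enables automatic logon, and the domain for a local account.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$values = @{
    AutoAdminLogon    = '1'
    DefaultUserName   = $admin.Name
    LastUsedUsername  = $admin.Name
    DefaultDomainName = $env:COMPUTERNAME
    DefaultPassword   = $Password
}
foreach ($name in $values.Keys) {
    Set-ItemProperty -Path $winlogon -Name $name -Value $values[$name] -Type String
}

# Show the result so it can be checked before the image is exported.
Get-LocalUser -SID $admin.SID | Select-Object Name, Enabled, PasswordExpires
Get-ItemProperty -Path $winlogon | Select-Object AutoAdminLogon, DefaultUserName, DefaultDomainName
```

Run it from an elevated prompt inside the guest; PasswordExpires is blank in the output when the password never expires. If you leave the password blank, the policy change in step 13 (allowing blank-password accounts to log in remotely) is still required for remote desktop.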

  10. Go to Control Panel > Network and Internet > Network and Sharing Center > Change Adapter settings and rename the following:
    • Rename Ethernet 1 to eth0
    • Rename Ethernet 2 to eth1

    If there are network devices already named as eth0 and eth1, change them to different names first.

    The exact names showing in the Network Connections page might not be Local Area Connection 1 or Local Area Connection 2. You might need to swap the eth0 and eth1 names to make the custom image work on FortiSandbox.

    If the system doesn't allow renaming to eth0 or eth1 with messages like connection eth0 or eth1 already exists, but they don't appear in the Network Connections page, do the following:

    1. Run the command set devmgr_show_nonpresent_devices=1.
    2. Run the command Start DEVMGMT.MSC.
    3. Click View > Show Hidden Devices.
    4. Expand Network Adapters, right-click the grayed out network adapters, and select Uninstall.
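The adapter renaming in step 10 (and in step 8 of the Windows 7/8 procedure) has two failure modes the guide calls out: a target name that is already taken, and a stale, non-present adapter that still reserves the name and causes the "already exists" message. The following is an added example and not part of the Fortinet guide; it assumes the current adapter names are Ethernet 1 and Ethernet 2 (check with Get-NetAdapter first) and uses temporary names so that a swap of eth0 and eth1 cannot collide with itself.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Fortinet guide: rename adapters to eth0/eth1 with the
# edge cases of step 10 handled. The From names are assumptions; adjust them to your VM.
$renames = @(
    @{ From = 'Ethernet 1'; To = 'eth0' },
    @{ From = 'Ethernet 2'; To = 'eth1' }
)

function Set-SandboxAdapterNames {
    param([hashtable[]]$Renames)
    # Stage 1: park every source adapter under a temporary name, so that a swap
    # (eth0 <-> eth1) does not fail half-way because the target is still in use.
    $i = 0
    foreach ($r in $Renames) {
        $r.Temp = "fsa-tmp-$i"; $i++
        Rename-NetAdapter -Name $r.From -NewName $r.Temp -ErrorAction Stop
    }
    # Stage 2: any other adapter still holding a target name is moved aside, which is
    # what the guide means by "change them to different names first".
    foreach ($r in $Renames) {
        if (Get-NetAdapter -Name $r.To -ErrorAction SilentlyContinue) {
            Rename-NetAdapter -Name $r.To -NewName "$($r.To)-old" -ErrorAction Stop
        }
    }
    # Stage 3: apply the final names.
    foreach ($r in $Renames) {
        Rename-NetAdapter -Name $r.Temp -NewName $r.To -ErrorAction Stop
    }
    Get-NetAdapter | Select-Object Name, InterfaceDescription, MacAddress, Status
}

function Get-StaleNetAdapters {
    # Adapters that are no longer present do not appear in Network Connections but can
    # still own a connection name. They are the greyed-out entries the guide has you
    # uninstall in Device Manager with View > Show Hidden Devices (steps 10.1 to 10.4).
    Get-PnpDevice -Class Net | Where-Object { -not $_.Present } |
        Select-Object FriendlyName, InstanceId, Status
}

Set-SandboxAdapterNames -Renames $renames
Get-StaleNetAdapters
```

If the rename in stage 2 or 3 still fails with "already exists", the list printed by Get-StaleNetAdapters shows which hidden adapter to uninstall before running the script again.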
  11. Run the command %TEMP% to open the %TEMP% folder. Delete everything in this folder.

    To maximize the catch rate, we recommend configuring the following settings:

    1. Turn off Windows Firewall

      In Control Panel > System and Security > Windows Firewall, select Turn off Windows Firewall for both public and private networks.

    2. Turn off UAC (User Account Control Settings)

      Search for UAC in the Start menu, open the Change the User Account Control Setting, move the slider to Never, click OK.

    3. Use public profile for all unidentified networks

      Go to Control Panel > System and Security > Administrative Tools > Local Security Policy > Network List Manager Policies > right-click Unidentified Networks > Properties, change Location Type to Public, click OK.

    4. Turn off system protection for hard drive

      Go to Control Panel > System and Security > System, click Change Settings next to the Computer name, domain and workgroup settings section. In the System Protection tab, select Configure..., and select Disable system protection.

  12. If Windows Firewall is turned off, execute the following commands:

    sc config mpssvc start= demand
    sc config wscsvc start= demand
    net start wscsvc
    net start mpssvc
    netsh firewall set opmode disable
    netsh advfirewall set allprofiles state off

    Ignore the warning message about netsh firewall.

    When you run sc config mpssvc start= demand, you might get the error [SC] OpenService FAILED 5: Access is denied.

    To correct this error:
    1. Open the registry editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpssvc\Security.
    2. Rename Security to Security.old.
    3. Close the registry editor and restart Windows.
    4. Open a CLI window as the administrator and enter the following command:
      sc.exe sdset mpssvc D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
    5. Run the sc config mpssvc start= demand command again.

    When you run sc config wscsvc start= demand, you might get the error [SC] OpenService FAILED 5: Access is denied.

    To correct this error:
    1. Open the registry editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc.
    2. Change the value of Start to 3.
    3. Close the registry editor and restart Windows.
  13. Enable Allow remote connections to this computer for the Administrator account.

    If there is no password for the Administrator account, you must allow remote desktop login without password. Go to Control Panel > System and Security > Administrative Tools > Local Security Policy > Local Policies > Security Options and set Accounts: Limit local account use of blank passwords to console logon only to Disable.

  14. Configure enhanced security options for Internet Explorer:
    1. In the top right of Internet Explorer, go to Tools > Internet Options > General > Home page and click Use new tab.
    2. Go to Tools > Internet Options > Security and set the Security level for all zones to the lowest and disable Enable Protected Mode.
    3. Go to Tools > Internet Options > Privacy and disable Turn on Pop-up Blocker.
  15. If the VM image is for FortiSandbox on Azure, set up FortiSandbox engine for Azure and install the customized VM image on Azure.
    1. Create a FSALauncher folder on C drive.
    2. In the VM image, use a web browser to download the latest FSALauncher.exe file into the FSALauncher folder:
    3. Add the FSALauncher.exe or FSALauncher_x64.exe for 64bit as an auto-startup program using the Startup folder or Task Scheduler.
      • Go to Start > Run, enter shell:startup to open the Startup folder and paste the FSALauncher program into it.
    4. Create an empty tracer folder on C drive and give full access to Administrator.
    5. Upload the VM image's vhd file onto a server that the FortiSandbox firmware can access, such as an internal server or a public server that supports the FTP or SCP protocol.

      A sample custom Windows 10 x64 VM template for Azure is at https://fsavm.fortinet.net/images/AZure/Azure_WIN10X64O2016.vhd.

  16. If the VM image is for FortiSandbox on AWS, set up FortiSandbox engine for AWS and install the customized VM image on AWS.
    1. Optional: download and install the PV driver from AWS. See Upgrading PV Drivers on Your Windows Instances.
    2. Share the VHD file so that it is accessible from SSH or FTP from a public server, or an internal server that is accessible from the FortiSandbox firmware.
    3. Copy the FortiSandbox Tools folder to the custom VM.
    4. Create a FSALauncher folder on C drive.
    5. In the VM image, use a web browser to download the latest FSALauncher.exe file into the FSALauncher folder:
    6. Add the FSALauncher.exe or FSALauncher_x64.exe as an auto-startup program using the Startup folder or Task Scheduler.
      • Go to Start > Run, enter shell:startup to open the Startup folder and paste the FSALauncher program into it.
    7. Create an empty tracer folder on C drive and give full access to Administrator.
    8. Download the tracer package from https://fsavm.fortinet.net/vmtools/sandbox_engine_03001.00171.2-r530171.tracer.pkg.
    9. In FortiSandbox, go to System > FortiGuard, click Choose File beside Upload Package File and upload the tracer package file.
    10. Upload the VM image's vhd file onto a server that the FortiSandbox firmware can access, such as an internal server or a public server that supports the FTP or SCP protocol.

      A sample custom Windows 10x64 VM template for AWS is in https://fsavm.fortinet.net/images/AWS/AWS_WIN10X64O2016.7z.

    11. Install the custom VM with the following CLI command:

      vm-customized -cn -t<ftp | scp> -s<server_ip> -u<username> -p<password> -f</vhd_file_path/vhd_file_name> -vo<Windows_type> -vn<custom_vm_name> -d<Machine uuid> -k<MD5_of_vhd_file_in_lowercase>

      vhd_file_name and custom_vm_name must be the same.

6. Set up FortiSandbox Tracer Engine Launcher

  1. Use a text editor to enter the following script:

    @echo off
    rem Wait until FortiSandbox has mounted the D: drive and written launcher.bat,
    rem then hand control to it. The opening "(" must stay on the same line as "if".
    :checker
    if not exist d:\launcher.bat (
        echo Wait for d:\launcher.bat
        rem sleep 5 (batch has no sleep command; pinging localhost is the usual delay)
        ping -n 5 127.0.0.1 >nul
        goto checker
    )
    start /min d:\launcher.bat

  2. Save the file as autorun.bat on your Desktop.
  3. Find the autorun.bat file on your Desktop, and Right-click > Cut.
  4. On Windows 7 or Windows Server 2003 or 2008, go to Start > All Programs > Startup > Right-click > Open All Users. Windows Explorer will open. Paste the autorun.bat file.

    On Windows 8 and Windows 10, go to Start > Run..., enter shell:startup to open the Startup folder, and paste the autorun.bat file.

    The D:\ directory for the autorun.bat file is created after the VM image is uploaded.
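Before exporting the image, it is worth confirming that none of the guest settings from the Windows 10 / Server 2019 procedure were missed, because a forgotten step (an active firewall profile, real-time protection left on, a missing eth1) only shows up later as failed or inconclusive scans on the unit. The following read-only check is an added example, not part of the Fortinet guide. It uses the standard Windows registry locations; the values tested for UAC (ConsentPromptBehaviorAdmin and PromptOnSecureDesktop set to 0 by the "Never notify" slider) and for hibernation (HibernateEnabled cleared by powercfg /h off) are the ones those tools write and are stated here as assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Fortinet guide: verify the guest settings requested by the
# Windows 10 / Server 2019 steps. Nothing is changed; each check returns Pass = True/False.
function Test-SandboxGuest {
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Name, [scriptblock]$Test) {
        # Any exception (cmdlet missing, key absent) counts as a failed check.
        try   { $pass = [bool](& $Test) } catch { $pass = $false }
        $results.Add([pscustomobject]@{ Check = $Name; Pass = $pass })
    }

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $uac      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $admin    = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }   # built-in Administrator, RID 500

    Add-Check 'Administrator account enabled (step 8)'        { $admin.Enabled }
    Add-Check 'Administrator password never expires (step 9)' { $admin -and $null -eq $admin.PasswordExpires }
    Add-Check 'Automatic logon configured (step 9)'           {
        $w = Get-ItemProperty $winlogon
        $w.AutoAdminLogon -eq '1' -and $w.DefaultUserName -eq $admin.Name }
    Add-Check 'Windows Firewall off on all profiles (step 11)' {
        -not (Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' }) }
    Add-Check 'mpssvc start type is Manual (step 12)'         { (Get-Service mpssvc).StartType -eq 'Manual' }
    Add-Check 'UAC slider at Never notify (step 11)'          {
        $u = Get-ItemProperty $uac
        $u.ConsentPromptBehaviorAdmin -eq 0 -and $u.PromptOnSecureDesktop -eq 0 }
    Add-Check 'Defender real-time protection off (step 1)'    { (Get-MpPreference).DisableRealtimeMonitoring }
    Add-Check 'Hibernation disabled (step 6)'                 {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power').HibernateEnabled -eq 0 }
    Add-Check 'Screen saver set to None (step 7)'             {
        -not (Get-ItemProperty 'HKCU:\Control Panel\Desktop').'SCRNSAVE.EXE' }
    Add-Check 'Adapters eth0 and eth1 present (step 10)'      {
        @(Get-NetAdapter -Name eth0, eth1 -ErrorAction SilentlyContinue).Count -eq 2 }
    Add-Check '%TEMP% is empty (step 11)'                     {
        @(Get-ChildItem $env:TEMP -Force -ErrorAction SilentlyContinue).Count -eq 0 }
    Add-Check 'autorun.bat in a Startup folder (section 6)'   {
        $common = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp\autorun.bat'
        $user   = Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup\autorun.bat'
        (Test-Path $common) -or (Test-Path $user) }
    $results
}

$report = Test-SandboxGuest
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'Some guest settings are still missing; revisit the failed steps before exporting the image.'
}
```

The Defender check depends on Get-MpPreference, which is present on Windows 10 and Server 2019; on a guest where Defender has been removed entirely the check reports False and can be ignored.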

7. Install the custom VM image on FortiSandbox

To install a customized VM image to AWS or Azure FortiSandbox, see the FortiSandbox VM on AWS or FortiSandbox VM on Azure Guide.

  1. Put the VM image’s .vdi or .vhd file and its meta file from Step 4 onto a server that supports FTP or SCP protocol.
  2. In the FortiSandbox CLI interface:
    1. Run vm-customized as follows:

      vm-customized -cn -t<ftp|scp> -s<server_ip> -u<username> -p<password> -f</vdi_or_vhd_file_path/vdi_or_vhd_file_name> -vo<Windows_type> -vn<custom_vm_name> -d<Machine uuid> -k<MD5_of_vdi_or_vhd_file_in_lowercase>

      Ensure the vdi_or_vhd_file_name is the same as the custom_vm_name.

      Machine uuid is in the <Machine> section of the .vbox file in the image build directory, such as C:\Users\user_name\VirtualBox VMs\vm_name\.

      On Ubuntu, use the command VBoxManage list vms.

    2. If a customized VM image of the same name exists on the unit, the installation will fail. Go to the VM Image page and set its clone number to 0. Click Apply to disable existing images. Use -r to replace the existing one with the new one. The Scan Profile settings for the image will be inherited.
    3. The installation process can take up to one hour, depending on unit model and network speed. If installation fails or stops unexpectedly, execute the command again.
    4. It is optional to upload the meta file. The information in the meta file will be displayed in the Installed Applications area in Scan Profile page of the FortiSandbox. To install it, execute CLI command vm-customized as follows:

      vm-customized -cf -t<ftp|scp> -s<server_ip> -u<username> -f</meta_file_path/meta_file_name> -vn<custom_vm_name>

      The custom_vm_name should be the same as in step 1.

    5. The unit will reboot after installation.
  3. After the unit reboots, enable the image by setting its clone number higher than 0 in the VM Image page, and associate file types with it in the Scan Profile page to scan files.

    For example, the above is a Windows 7 customized image. It has an image file editor called FastStone Image Viewer and it is associated to open JPG files. The user can create a User defined extension for JPG files and associate it to this customized image. Subsequently, all JPG files will be scanned by this customized image and opened by the FastStone Image Viewer.
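The vm-customized command in step 2.1 needs three values that are easy to get wrong by hand: the Machine uuid from the .vbox file, the MD5 of the disk image in lowercase, and a disk file name that matches the VM name. The following script is an added example, not part of the Fortinet guide or the FortiSandbox CLI; run it on the VirtualBox host and paste the printed command into the FortiSandbox CLI. The VM name, server, credentials, remote path and Windows_type are placeholders, and the uuid is assumed to be passed without its surrounding braces.

```powershell
# Added example, not part of the Fortinet guide: collect the values vm-customized needs
# from the VirtualBox build directory and print the command of step 2.1.
param(
    [string]$VmName    = 'custom_win10',                              # assumed VM name
    [string]$VmDir     = "$env:USERPROFILE\VirtualBox VMs\$VmName",   # VirtualBox default location
    [string]$Server    = '<server_ip>',                               # placeholders, as in the guide
    [string]$User      = '<username>',
    [string]$Password  = '<password>',
    [string]$RemoteDir = '</vdi_or_vhd_file_path>',
    [string]$WinType   = '<Windows_type>'
)

$vboxFile = Join-Path $VmDir "$VmName.vbox"
if (-not (Test-Path $vboxFile)) { throw "VirtualBox config not found: $vboxFile" }

# The .vbox file is XML; the value the guide calls "Machine uuid" is the uuid attribute of
# its <Machine> element, stored as {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}. Braces are
# stripped here (assumption about the expected -d format).
[xml]$vbox = Get-Content -Path $vboxFile -Raw
$uuid = $vbox.VirtualBox.Machine.uuid.Trim('{', '}')

# vm-customized requires the image file name (without extension) to equal custom_vm_name,
# so only a disk with that base name is accepted.
$disk = Get-ChildItem -Path $VmDir -File |
    Where-Object { $_.BaseName -eq $VmName -and $_.Extension -in '.vdi', '.vhd' } |
    Select-Object -First 1
if (-not $disk) { throw "No $VmName.vdi or $VmName.vhd in $VmDir; the file name must match the VM name" }

# -k expects the MD5 in lowercase hex; Get-FileHash returns it in uppercase.
$md5 = (Get-FileHash -Path $disk.FullName -Algorithm MD5).Hash.ToLowerInvariant()

[pscustomobject]@{ VmName = $VmName; Disk = $disk.Name; MachineUuid = $uuid; MD5 = $md5 } | Format-List

# The command to run on the FortiSandbox CLI (ftp shown; use -tscp for SCP).
"vm-customized -cn -tftp -s$Server -u$User -p$Password -f$RemoteDir/$($disk.Name) -vo$WinType -vn$VmName -d$uuid -k$md5"
```

On an Ubuntu host the same two values come from the guide's own VBoxManage list vms command and from md5sum on the disk file. Hashing a multi-gigabyte image takes a few minutes; compute it on the final file you upload, because the FortiSandbox checks the MD5 against what it downloads and refuses a mismatch.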