Fortinet Document Library

Administration Guide

Appendix E - Create a Customized Virtual Machine Image Using Your Own ISO

There are different ways to create and configure custom virtual machines on HA clusters. For AWS and Azure cloud implementations, see the FortiSandbox VM on AWS and FortiSandbox VM on Azure Guides.

In FSA-1000D, FSA-3000D, FSA-3500D, and VM, the maximum number of clones for all VM types for the whole system is limited by the Windows license shipped with the unit.

For FSA-2000E and FSA-3000E, the maximum number of clones for default VMs and optional VMs is limited by the Windows license and the number of stacked licenses provided by Fortinet.

For customized VMs, the maximum number of clones is 20 on FSA-2000E and 48 on FSA-3000E.

Activate all customized VMs before uploading to the unit. Purchase licenses from Microsoft distributors to do activation.

We recommend the customized VM image size to be less than 10GB.

The guest VM images published by Fortinet might not reflect the user’s working environment. For example, on current Windows 8 and Windows 10 images, no Microsoft Office software is installed. FortiSandbox allows users to create their own guest image, install software running in their environment, and upload the image to the unit to scan files. Specifically, users can create the guest image on top of their Golden Image or Master Image to best simulate their OS installations. This document provides step-by-step instructions on how to create and configure them.

You can use the VMs provided by Fortinet or create your own. If you want to create a customized image using pre-configured VMs, see Appendix D - Create a Customized Virtual Machine Image Using Pre-Configured VMs.

There are seven steps to create a customized VM image using your own ISO:

1. Download and Install Oracle VM Virtual Box 5.1

2. Prepare the Operating System Installation Package

3. Create a Customized Image in Virtual Box

4. Install Software and Components on the Customized VM Image

5. Modify the VM Image Environment

6. Setup FortiSandbox Tracer Engine Launcher

7. Install the Customized VM Image to FortiSandbox and Apply It

1. Download and Install Oracle VM Virtual Box 5.1

You can download VirtualBox 5.1 from https://fsavm.fortinet.net/vmtools/VirtualBox-5.1.34-121010-Win.exe. The checksums are at https://fsavm.fortinet.net/vmtools/md5.txt

For help with VirtualBox installation and troubleshooting, see the VirtualBox User Manual.

VirtualBox is open source software licensed under the GNU General Public License V2. For license information, see https://www.virtualbox.org/wiki/Licensing_FAQ.

Mac OS is not supported.

2. Prepare the Operating System Installation Package

In FortiSandbox 3.1.0, the following operating systems can be used to build a customized VM image.

  • Microsoft Windows XP 32 bit
  • Microsoft Windows Server 2003 32 bit
  • Microsoft Windows 7 32/64 bit
  • Microsoft Windows 8.1 32/64 bit
  • Microsoft Windows 10 32/64 bit
  • Microsoft Windows Server 2008 32/64 bit
  • Microsoft Windows Server 2012 64 bit
  • Microsoft Windows Server 2016 64 bit

The installation package of the above operating systems should be packaged as an ISO file. The ISO file should be copied to the host on which VirtualBox is installed.

The Windows Operating System is available from Microsoft and Microsoft Channel Partners. Fortinet does not provide their installation package, their support or their license rights.

To support 64-bit operating systems, hardware virtualization must be enabled in the motherboard BIOS of the host on which VirtualBox is installed.

3. Create a Customized Image in Virtual Box

  1. Launch Virtual Box and click New.

  2. Enter a meaningful name for the new image. The name cannot be more than 15 characters.

    In the Type field > Microsoft Windows > select the OS version.

    The following VM image names are reserved by Fortinet and should not be used by customized images.

    • WINXPVM
    • WINXPVM1
    • WIN7X86VM
    • WIN7X64VM
    • WIN7X64SP1
    • WIN7X86SP1O16
    • WIN7X86VMO16
    • WIN8X64VMO16
    • WIN81X86VM
    • WIN81X64VM
    • WIN81X64VMO16
    • WIN10X86VM
    • WIN10X64VM
    • WIN10X64VMO16
  3. Click Next.
  4. In the Memory Size page, allocate the base memory size.

    • Windows XP, Windows Server 2003 32 bit: 512MB
    • Windows 7, 8, 10, Windows Server 2008 R2, Windows Server 2012, Windows Server 2016: 1024MB

  5. Click Next.
  6. In the Hard Drive page, select Create a virtual hard drive now and click Create.
  7. In the Hard drive file type page, select VirtualBox Disk Image (.vdi) format. Click Next.
  8. In the Storage on physical hard drive page, select Dynamically allocated. Click Next.
  9. In the File location and size page, optionally set the path of the virtual disk file, and allocate a 20GB virtual disk size for the VM. Click Create. The VM will be created and will appear in the left pane.
  10. Click the Settings button or right click on the VM image name to configure the VM image settings defined below:
    1. Go to General > Advanced, and apply the following settings:

    2. Go to System > Motherboard, and apply the following settings:
      For Windows XP and Windows Server 2003 32 bit:

      For Windows 7, Server 2008, 8, 10, Server 2012, Server 2016:

      Processor Tab
        • Processor(s): 1
        • Execution Cap: 100
        • Enable PAE/NX: Check the box

      Acceleration Tab
        • Enable VT-x/AMD-V: Check the box
        • Enable Nested Paging: Check the box

    3. Go to Display, keep the default settings.
    4. Go to Storage, and apply the following settings:
      If the operating system is Windows XP or Windows Server 2003 32 bit:
      1. Click Controller: IDE, set Type to PIIX4 and enable Use host I/O cache.
      2. Click on the Empty Optical Drive node, make sure the CD/DVD Drive is set as the IDE Secondary Master.
      3. Click the icon > Choose a virtual CD/DVD disk file, select the ISO file containing the operating system installation package.
      If the operating system is Windows 7, Server 2008, 8, 10, Server 2012, Server 2016:
      1. Click Controller: SATA node, right click > Remove Controller to remove it.
      2. Right click in the Storage Tree panel, and choose Add IDE Controller.
      3. Click the Add Hard Disk icon. The following prompt will appear:

      4. Click Choose Existing Disk and select the virtual disk file (*.vdi) that was created in the previous steps.
      5. Click Controller: IDE, set Type to PIIX4, and enable Use host I/O cache.
      6. Click on the Empty Optical Drive node, make sure the CD/DVD Drive is set as the IDE Secondary Master.
      7. Click the icon > Choose a virtual CD/DVD disk file, select the ISO file containing the operating system installation package.
    5. Go to Audio, and uncheck the Enable Audio checkbox.
    6. Go to Network, and apply the following settings:
      If the operating system is Windows XP or Windows Server 2003 32 bit:

      Adapter 1 Tab
        • Network Adapter: Check the box
        • Attached to: NAT
        • Adapter Type: Intel PRO/1000T Server (82543GC)
        • Cable Connected: Check the box

      Adapter 2 Tab
        • Network Adapter: Check the box
        • Attached to: NAT
        • Adapter Type: Intel PRO/1000T Server (82543GC)
        • Cable Connected: Check the box

      If the Operating System is Windows 7, Server 2008, 8, 10, Server 2012, or Server 2016:

      Adapter 1 Tab
        • Network Adapter: Check the box
        • Attached to: NAT
        • Adapter Type: Intel PRO/1000MT Server (82545EM)
        • Cable Connected: Check the box

      Adapter 2 Tab
        • Network Adapter: Check the box
        • Attached to: NAT
        • Adapter Type: Intel PRO/1000MT Server (82545EM)
        • Cable Connected: Check the box

    7. Go to Serial Ports, keep the default settings.
    8. Go to USB, uncheck the Enable USB Controller checkbox.
    9. Go to Shared Folders, make sure no shared folders exist.
  11. Click OK to apply the settings.
  12. In the VirtualBox Manager page, click the Start icon to turn on the image. The operating system starts installing. Follow the on-screen instructions to complete the installation.
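
The settings in step 10 can be checked before the operating system is installed by auditing the output of `VBoxManage showvminfo <vm> --machinereadable`. The following is an added example, not part of the Fortinet guide: the function names, the profile names `legacy` and `modern`, and the sample output are constructed for illustration, and the key names are assumed to match what your VirtualBox version prints.

```python
import re

# VM image names reserved by Fortinet (section 3, step 2).
RESERVED = {
    "WINXPVM", "WINXPVM1", "WIN7X86VM", "WIN7X64VM", "WIN7X64SP1",
    "WIN7X86SP1O16", "WIN7X86VMO16", "WIN8X64VMO16", "WIN81X86VM",
    "WIN81X64VM", "WIN81X64VMO16", "WIN10X86VM", "WIN10X64VM", "WIN10X64VMO16",
}
# Settings from step 10, keyed by the names printed by
# `VBoxManage showvminfo <vm> --machinereadable` (key spelling is an
# assumption here; confirm it against your VirtualBox version).
COMMON = {
    "cpus": "1", "cpuexecutioncap": "100", "pae": "on",
    "hwvirtex": "on", "nestedpaging": "on", "audio": "none", "usb": "off",
    "nic1": "nat", "cableconnected1": "on",
    "nic2": "nat", "cableconnected2": "on",
}
PROFILES = {
    # Windows XP, Windows Server 2003 32 bit
    "legacy": {"memory": "512", "nictype1": "82543GC", "nictype2": "82543GC"},
    # Windows 7, 8, 10, Server 2008, Server 2012, Server 2016
    "modern": {"memory": "1024", "nictype1": "82545EM", "nictype2": "82545EM"},
}
_LINE = re.compile(r'^"?([^"=]+)"?=(?:"(.*)"|(.*))$')

# Constructed sample output for a VM that deviates from the appendix.
SAMPLE_VMINFO = r'''name="WIN7X64VM"
memory=1024
cpuexecutioncap=100
cpus=2
pae="on"
hwvirtex="on"
nestedpaging="on"
storagecontrollername0="SATA"
storagecontrollertype0="IntelAhci"
nic1="nat"
nictype1="82540EM"
cableconnected1="on"
nic2="none"
audio="dsound"
usb="on"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="C:\samples"
'''


def parse_vminfo(text):
    """Turn key="value" and key=value lines into a dict of strings."""
    info = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return info


def audit_vm(vminfo_text, profile):
    """Return the deviations from the appendix's settings (empty list = OK)."""
    info = parse_vminfo(vminfo_text)
    findings = []
    name = info.get("name", "")
    if not 1 <= len(name) <= 15:
        findings.append(f"name {name!r}: must be 1 to 15 characters")
    if name.upper() in RESERVED:
        findings.append(f"name {name!r}: reserved by Fortinet")
    expected = {**COMMON, **PROFILES[profile]}
    for key in sorted(expected):
        if info.get(key) != expected[key]:
            findings.append(f"{key}: expected {expected[key]}, found {info.get(key)}")
    # Step 10.4: only an IDE controller of type PIIX4 should remain.
    types = {k: v for k, v in info.items() if k.startswith("storagecontrollertype")}
    if not types:
        findings.append("storage: no controller found")
    for key, value in sorted(types.items()):
        if value != "PIIX4":
            findings.append(f"{key}: expected PIIX4, found {value}")
    # Step 10.9: no shared folders between host and guest.
    for key, value in sorted(info.items()):
        if key.startswith("SharedFolderNameMachineMapping"):
            findings.append(f"shared folder present: {value}")
    return findings


if __name__ == "__main__":
    for finding in audit_vm(SAMPLE_VMINFO, "modern"):
        print(finding)
```

The check covers only the settings this appendix lists, so the General > Advanced and Motherboard settings still have to be reviewed in the VirtualBox Settings page.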

4. Install Software and Components on the Customized VM Image

After installing a customized VM image, you can install applications and components for your environment, including but not limited to the following list:

  • .Net Framework
  • Microsoft Office suite
  • Adobe Acrobat Reader

There are two ways to install them:
  1. Put the installers on a computer in the management network from which the VM image can download them over HTTP, FTP, or a network share. This requires the network settings of the VM image to be configured to reach the hosting computer.
  2. Package the installers as an ISO file. In the VirtualBox Manager, select the VM image, then click the Settings button or right click on the VM image name to open the Settings page.

    Go to the Storage page > Empty optical drive node > disk icon > Choose a virtual CD/DVD disk file, and select the ISO file. Then inside the VM image, go to drive D to install the software.

After installing software or a component, go to Control Panel > Add or Remove Programs on Windows XP or Windows Server 2003 32 bit or Control Panel > Programs and Features in Windows 7, Server 2008, 8, Server 2012, Server 2016 and 10 to verify that the installation is successful.

Automatic updates of installed software should be disabled. For details, refer to the software’s manual. For example, to disable automatic updates in Adobe Acrobat Reader, refer to https://helpx.adobe.com/acrobat/kb/automatic-updates---acrobat-reader.html

Use a text editor to create a meta file and list the applications installed on this VM image in it. The meta file will be used later, and its content is displayed in Scan Profile > Installed Applications of FortiSandbox.

Certain software needs to be configured as the default application for its file types. For example, Adobe Reader needs to be launched after installation to become the default PDF application.

All applications that are used during a job scan should be launched after installation to finish their initialization. This is especially important for software such as web browsers (for example, Internet Explorer), Adobe Reader, and Microsoft Office.

For Windows 10, the default web browser is Microsoft Edge, which FortiSandbox does not currently support. It is recommended to change the default web browser to Internet Explorer. To do that:

  1. Go to Start > Settings > System > Default apps.
  2. Click Web Browser in the right pane and select Internet Explorer.

Windows OS and other installed software should be activated.

Fortinet is not responsible for support of this software or for its license rights.

5. Modify the VM Image Environment

If the operating system is Windows XP or Windows Server 2003 32 bit:
  1. Go to Control Panel > Security Center and disable Windows Automatic Updates.
  2. Disable any installed antivirus software.
  3. Navigate to the Start Menu > right click on My computer > click Properties.

    In Hardware tab, click Driver Signing button and select Ignore – Install the software anyway and don’t ask for my approval.

    In Advanced tab, click the Error Reporting button and check Disable the Error Reporting function. Also, uncheck But notify me when critical errors occur.

    In System Restore tab, make sure the System Restore function is off.

  4. Make sure the built-in Administrator account is enabled. Open a command prompt and execute net user Administrator /active:yes.
  5. Setup Administrator auto-login:
    1. Open a command prompt and enter control userpasswords2. This will open the User Accounts page.
    2. Uncheck Users must enter a user name and password to use this computer to ensure the Administrator has automatic login privileges
    3. Click Apply.
    4. Use Administrator as the login account, password is optional.
    5. Go to the User Accounts > Advanced tab.
    6. Under Advanced User Manager > click the Advanced button to open the lusrmgr page.
    7. Click the Users folder to select the Administrator and edit its properties.
    8. Make sure its password never expires.

      Note

      For steps 4 and 5, the name of the Administrator account should be the localized version. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language                 Administrator Name
      Finnish                  Järjestelmänvalvoja
      French                   Administrateur
      Hungarian                Rendszergazda
      Portuguese (Brazil)      Administrador
      Portuguese (Portugal)    Administrador
      Russian                  Администратор
      Spanish                  Administrador
      Swedish                  Administratör

  6. Open a command prompt and enter powercfg -h off to disable host hibernation if it is supported.
  7. Go to Control Panel > Display Properties, navigate to Screen Saver tab and select None from the Screen Saver dropdown menu.
  8. Go to Control Panel > Network Connection, and rename the following:

    • Local Area Connection 1 renamed to: eth0
    • Local Area Connection 2 renamed to: eth1

    If there are network devices already named eth0 and eth1, change them to different names first.

    The exact names shown in the Network Connection page might not be Local Area Connection 1 or Local Area Connection 2. You might need to swap the eth0 and eth1 names to make the customized image work on FortiSandbox.

    If the system does not allow renaming to eth0 or eth1, with messages like connection eth0 or eth1 already exists, but they do not show up in the Network Connections page:

    1. Click Start > Run, type cmd.exe, and then press ENTER.
    2. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
    3. Type Start DEVMGMT.MSC, and then press ENTER.
    4. Click View > Show Hidden Devices. Expand the Network Adapters tree. Right-click the greyed out network adapters, and click Uninstall.
  9. Go to the Start menu, execute Run… and enter %TEMP%. This will open the %TEMP% folder. Delete everything in the folder.

    To maximize catch rate, it is recommended the Windows Firewall is disabled. To do that, go to Control Panel > Security Center > Windows Firewall and turn it off.

If the operating system is Windows 7 or Server 2008:
  1. Turn off Windows automatic update. Go to Control Panel > System and Security > Windows Update > Change. From the dropdown menu, select Never check for updates.
  2. Disable Windows Defender or any installed antivirus software. Go to Start menu and type Windows Defender to locate and launch it. Click Tools > Options > Administrator, uncheck Use this program check box, click Save.
  3. Go to Control Panel > System and Security > Action Center > Change Action Center settings, uncheck every item. Click Problem Reporting settings, check Never check for solution.
  4. Run a command prompt as the Administrator and enter powercfg -h off to disable host hibernation.
  5. Go to Control Panel > Appearance and Personalization > Change screen saver, select (None) from the Screen Saver dropdown list.
  6. Make sure Administrator account is enabled. Go to the Start menu, search command prompt. Right click on it and launch it as the Administrator. Execute net user Administrator /active:yes.
  7. Setup auto-login for the Administrator account.
    1. Open a command prompt and type in control userpasswords2. This will open the User Accounts page.
    2. Make sure the Administrator account has the automatic login privilege by unchecking the option Users must enter a user name and password to use this computer.
    3. Click Apply.
    4. Use Administrator as the login account, and set up the password.
    5. Go to User Accounts > Advanced tab.
    6. Under the User Accounts > Advanced tab > Advanced User Management > click the Advanced button to open the lusrmgr page.
    7. Click on the Users Folder to select Administrator and edit its properties.
    8. Make sure its password never expires.

      Note

      For steps 6 and 7, the name of the Administrator account should be the localized version. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language                 Administrator Name
      Finnish                  Järjestelmänvalvoja
      French                   Administrateur
      Hungarian                Rendszergazda
      Portuguese (Brazil)      Administrador
      Portuguese (Portugal)    Administrador
      Russian                  Администратор
      Spanish                  Administrador
      Swedish                  Administratör

  8. Go to Control Panel > Network and Internet > Network and Sharing Center > Change Adapter settings, rename the following:

    • Ethernet 1 renamed to: eth0
    • Ethernet 2 renamed to: eth1

    If there are network devices already named eth0 and eth1, change them to different names first.

    The exact names shown in the Network Connection page might not be Local Area Connection 1 or Local Area Connection 2. You might need to swap the eth0 and eth1 names to make the customized image work on FortiSandbox.

    If the system does not allow renaming to eth0 or eth1, with messages like connection eth0 or eth1 already exists, but they do not show up in the Network Connections page:

    a. Click Start > Run, type cmd.exe, and then press ENTER.
    b. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
    c. Type Start DEVMGMT.MSC, and then press ENTER.
    d. Click View > Show Hidden Devices. Expand the Network Adapters tree. Right-click the greyed out network adapters, and click Uninstall.

  9. Go to the Start menu, execute Run… and enter %TEMP%. This will open the %TEMP% folder. Delete everything in the folder to save disk space.
  10. If the Windows Firewall is on, go to Control Panel > System and Security > Windows Firewall > Advanced Settings. If the Windows Firewall is off, the following steps are not necessary:
    1. Click on Inbound Rules > Add New Rule > click Program.
    2. Check This Program Path and type: c:\Windows\System32\ftp.exe. Then, click Next.
    3. Check Allow the Connection, then click Next.
    4. Provide a name for the rule such as Allow FTP.
    5. Click Finish.

      Follow the same steps to create Outbound Rules for the same executable.

      To maximize the catch rate, it is recommended to configure the following settings:

      1. Turn off Windows Firewall

        Go to Control Panel > System and Security > Windows Firewall > Customize Settings page and turn it off for both private and public networks.

      2. Turn off UAC (User Account Control Settings)

        Search for UAC in Start menu, open the Change the User Account Control Setting, move the slider to Never, click OK.

      3. Use public profile for all unidentified networks

        Go to Control Panel > System and Security > Administrative Tools > Local Security Policy > Network List Manager Policies > right click on Unidentified Networks > Properties, change Location Type to Public, click OK.

      4. Turn off system protection for hard drive

        Go to the Start menu, right click on Computer > Properties > System protection > System Protection tab > Protection Settings > Local Disk (C:) > Configure, check Turn off system protection, click OK.

  11. If the Windows Firewall is off, execute the following commands in the command prompt:

    sc config mpssvc start= demand
    sc config wscsvc start= demand
    net start wscsvc
    net start mpssvc
    netsh firewall set opmode disable
    netsh advfirewall set allprofiles state off

    The warning message about netsh firewall can be ignored.

If the operating system is Windows 8, Server 2012, or Server 2016:
  1. Turn off Windows automatic update. Go to Control Panel > System and Security > Windows Update > Change Settings. Change the dropdown menu to Never Check for Updates.
  2. If the operating system is Windows 8, disable Windows Defender or any installed antivirus software. Go to the Start menu and type Windows Defender to locate and launch the program. Go to Settings > Real Time Protection and uncheck the Turn on Real-Time Protection.
  3. In the Control Panel > System Security > Action Center page, expand the Maintenance section. Click on the settings under the Check for solutions to problem reports, select Never check for solution to disable the Action Center notifications. In the Action Center > Change Action Center Settings page, uncheck every item and click OK.
  4. Open a command prompt as the Administrator and enter powercfg -h off to disable host hibernation.
  5. Right click on the Desktop and select Personalize. Navigate to the Screen Saver settings. Change the Screen Saver dropdown list to None to disable the Screen Saver.
  6. Make sure the Administrator account is enabled. Go to the Start Menu and search for the Command Prompt. Right click on it and launch it as the Administrator. Execute net user Administrator /active:yes.
  7. Set up auto-login for the Administrator account.
    1. Open a command prompt and enter control userpasswords2. The User Accounts page will open.
    2. Make sure the Administrator has the automatic login privilege enabled by unchecking the Users must enter a user name and password to use this computer option.
    3. Click Apply.
    4. Use Administrator as the login account and set up the password.
    5. Go to User Accounts > Advanced tab.
    6. Go to Advanced User Management > click the Advanced button to open the lusrmgr page.
    7. Click on the Users folder, and select Administrator to edit its properties.
    8. Make sure its password never expires.

      Note

      For steps 6 and 7, the name of the Administrator account should be the localized version. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language                 Administrator Name
      Finnish                  Järjestelmänvalvoja
      French                   Administrateur
      Hungarian                Rendszergazda
      Portuguese (Brazil)      Administrador
      Portuguese (Portugal)    Administrador
      Russian                  Администратор
      Spanish                  Administrador
      Swedish                  Administratör

  8. Go to Control Panel > Network and Internet > Network Sharing > Change Adapter settings, rename the following:

    • Ethernet 1 renamed to: eth0
    • Ethernet 2 renamed to: eth1

    If there are network devices already named eth0 and eth1, change them to different names first.

    The exact names shown in the Network Connection page might not be Local Area Connection 1 or Local Area Connection 2. You might need to swap the eth0 and eth1 names to make the customized image work on FortiSandbox.

    If the system does not allow renaming to eth0 or eth1, with messages like connection eth0 or eth1 already exists, but they do not show up in the Network Connections page:

    a. Click Start > Run, type cmd.exe, and then press ENTER.
    b. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
    c. Type Start DEVMGMT.MSC, and then press ENTER.
    d. Click View > Show Hidden Devices. Expand the Network Adapters tree. Right-click the greyed out network adapters, and click Uninstall.

  9. Go to the Start menu > execute Run... > enter %TEMP% and press Enter. The %TEMP% folder will appear. Delete everything in the folder.
  10. Go to Control Panel > Appearance and Personalization > Taskbar and Navigation.
  11. In the Navigation tab, in the Start screen area, check the When I sign in or close all apps on a screen, go to the desktop instead of Start checkbox. Click OK to save the change.

    To maximize the catch rate, it is recommended to configure the following settings:

    1. Turn off Windows Firewall

      Go to Control Panel > Windows Firewall. Select Turn off Windows Firewall for both public and private networks.

    2. Turn off UAC (User Account Control Settings)

      Search for UAC in Start menu, open the Change the User Account Control Setting, move the slider to Never, click OK.

    3. If the operating system is Windows 8, use public profile for all unidentified networks

      Go to Control Panel > System and Security > Administrative Tools > Local Security Policy > Network List Manager Policies > right click on Unidentified Networks > Properties, change Location Type to Public, click OK.

    4. If the operating system is Windows 8, turn off system protection for hard drive

      Go to Control Panel > System and Security > System, click Change Settings next to the Computer name, domain and workgroup settings section. Navigate to System Protection tab, select Configure..., and select Disable system protection.

  12. If the Windows Firewall is turned off, execute the following commands in the command prompt:

    sc config mpssvc start= demand
    sc config wscsvc start= demand (remove this line for Server 2012 and Server 2016 OS)
    net start wscsvc (remove this line for Server 2012 and Server 2016 OS)
    net start mpssvc
    netsh firewall set opmode disable
    netsh advfirewall set allprofiles state off

    The warning message about netsh firewall can be ignored.

If the operating system is Windows 10:
  1. Disable Windows Defender or any installed antivirus software. Go to the Start > type Windows Defender to locate and launch the program. Go to Settings > Real-Time Protection and uncheck Turn on Real-Time Protection.
  2. Go to Start > execute Run..., enter gpedit.msc, and click OK. The Local Group Policy Editor will open.
  3. In the left pane, go to Computer Configuration > Administrative Templates > Windows Components > Windows Defender. In the right pane, double click on the Turn off Windows Defender policy to edit it. Click OK to save the change.
  4. Go to Start > Settings > System > Notifications & Actions. Turn off all notifications.
  5. Open a command prompt as the Administrator and enter powercfg -h off to disable hibernation.
  6. Right click on the Desktop and select Personalize. Navigate to the Screen Saver setting and change the Screen Saver dropdown list to None to disable the Screen Saver.
  7. Make sure the Administrator account is enabled. Go to Start > search Command Prompt > right click on the application to launch it as the Administrator. Execute net user Administrator /active:yes.
  8. Setup auto-login for the Administrator account.
    1. Open the command prompt and type in control userpasswords2. The User Accounts page will appear.
    2. Make sure the Administrator account has the automatic login privilege enabled by unchecking the Users must enter a user name and password to use this computer option.
    3. Click Apply.
    4. Use Administrator as the login account; the password is optional.
    5. Go to User Accounts > Advanced tab.
    6. Go to Advanced User Management > click the Advanced button to launch the lusrmgr page.
    7. Click on the Users folder to select the Administrator to edit its properties.
    8. Make sure its password never expires.

      Note

      For steps 7 and 8, the name of the Administrator account should be the localized version. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language                 Administrator Name
      Finnish                  Järjestelmänvalvoja
      French                   Administrateur
      Hungarian                Rendszergazda
      Portuguese (Brazil)      Administrador
      Portuguese (Portugal)    Administrador
      Russian                  Администратор
      Spanish                  Administrador
      Swedish                  Administratör

  9. Go to Control Panel > Network and Internet > Network and Sharing Center > Change Adapter settings. Rename the following:

    • Ethernet 1 renamed to: eth0
    • Ethernet 2 renamed to: eth1

    If there are network devices already named eth0 and eth1, change them to different names first.

    The exact names shown in the Network Connection page might not be Local Area Connection 1 or Local Area Connection 2. You might need to swap the eth0 and eth1 names to make the customized image work on FortiSandbox.

    If the system does not allow renaming to eth0 or eth1, with messages like connection eth0 or eth1 already exists, but they do not show up in the Network Connections page:

    1. Click Start > Run, type cmd.exe, and then press ENTER.
    2. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
    3. Type Start DEVMGMT.MSC, and then press ENTER.
    4. Click View > Show Hidden Devices. Expand the Network Adapters tree. Right-click the greyed out network adapters, and click Uninstall.
  10. Go to Start > execute Run... > enter %TEMP%. The %TEMP% folder appears. Delete everything in the folder.

    To maximize the catch rate, it is recommended to configure the following settings:

    1. Turn off Windows Firewall

      Go to Control Panel > System and Security > Windows Firewall. Select Turn off Windows Firewall for both public and private networks.

    2. Turn off UAC (User Account Control Settings)

      Search for UAC in Start menu, open the Change the User Account Control Setting, move the slider to Never, click OK.

    3. Use public profile for all unidentified networks

      Go to Control Panel > System and Security > Administrative Tools > Local Security Policy > Network List Manager Policies > right click on Unidentified Networks > Properties, change Location Type to Public, click OK.

    4. Turn off system protection for hard drive

      Go to Control Panel > System and Security > System, click Change Settings next to the Computer name, domain and workgroup settings section. Navigate to System Protection tab, select Configure..., and select Disable system protection.

  11. If Windows Firewall was turned off, execute the following commands in a command prompt:

    sc config mpssvc start= demand
    sc config wscsvc start= demand
    net start wscsvc
    net start mpssvc
    netsh firewall set opmode disable
    netsh advfirewall set allprofiles state off

    The warning message about netsh firewall can be ignored.

6. Setup FortiSandbox Tracer Engine Launcher

  1. Open an editor, such as Notepad, and type in the following script:

    @echo off
    rem Wait until d:\launcher.bat exists, then start it minimized.
    :checker
    if not exist d:\launcher.bat (
        echo Wait for d:\launcher.bat
        rem sleep 5
        ping -n 5 127.0.0.1 >nul
        goto checker
    )
    start /min d:\launcher.bat

  2. Save the file as autorun.bat on your Desktop.
  3. Find the autorun.bat file on your Desktop, and Right-click > Cut.
  4. On Windows XP and Windows 7 or Windows Server 2003 or 2008, go to Start > All Programs > Startup > Right-click > Open All Users. Windows Explorer will open. Paste the autorun.bat file.

    On Windows 8 and Windows 10, go to Start > Run..., enter shell:startup to open the startup folder. Paste the autorun.bat file.

    The D:\ directory for the autorun.bat file is created after the VM image is uploaded.

7. Install the Customized VM Image to FortiSandbox and Apply It

  1. Put the VM image’s .vdi file and its meta file from Step 4 on a server that supports the FTP or SCP protocol.
  2. In the FortiSandbox CLI:
    1. Execute the CLI command vm-customized as follows:

      vm-customized -cn -t<ftp|scp> -s<server_ip> -u<username> -p<password> -f</vdi_file_path/vdi_file_name> -vo<Windows_type> -vn<custom_vm_name> -d<Machine uuid> -k<MD5_of_vdi_file_in_lowercase>

      Tip: The Machine uuid can be found in the <Machine> section of the .vbox file in the image build directory, such as C:\Users\user_name\VirtualBox VMs\vm_name\

    2. If a customized VM image of the same name exists on the unit, the installation will fail. Go to the VM Image page and set its clone number to 0. Click Apply to disable existing images. Use -r to replace the existing one with the new one. The Scan Profile settings for the image will be inherited.
    3. The installation process can take up to one hour, depending on unit model and network speed. If installation fails or stops unexpectedly, execute the command again.
    4. Uploading the meta file is optional. The information in the meta file is displayed in the Installed Applications area on the Scan Profile page of FortiSandbox. To install it, execute the CLI command vm-customized as follows:

      vm-customized -cf -mproduct.list -t<ftp|scp> -s<server_ip> -u<username> -p<password> -f</meta_file_path/meta_file_name> -vn<custom_vm_name> -mproduct.list

      The custom_vm_name should be the same as in the vm-customized -cn command above.

    5. The unit will reboot after installation.
  3. After the unit reboots, enable the image by setting its clone number to more than 0 on the VM Image page, and associate file types with it on the Scan Profile page to scan files.

    For example, the above is a Windows 7 customized image. It has an image file editor called FastStone Image Viewer and it is associated to open JPG files. The user can create a User defined extension for JPG files and associate it to this customized image. Subsequently, all JPG files will be scanned by this customized image and opened by the FastStone Image Viewer.
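The values that step 7 asks for, the lowercase MD5 of the .vdi file and the Machine uuid from the .vbox file, can be collected and checked on the build host before the upload. The Python script below is an added example, not Fortinet code: it applies the name and size limits stated in this guide and assembles the vm-customized -cn command line. The function names, the sample .vbox content, the server address and the user name are constructed for illustration, and because this guide does not say whether -d expects the braces VirtualBox writes around the uuid, stripping them is left as an option.

```python
"""Pre-upload check for a customized FortiSandbox VM image (added example)."""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Limits and reserved names as listed in this guide.
MAX_NAME_LEN = 15
RECOMMENDED_MAX_BYTES = 10 * 1024 ** 3  # "less than 10GB", read here as GiB (assumption)
RESERVED_NAMES = {
    "WINXPVM", "WINXPVM1", "WIN7X86VM", "WIN7X64VM", "WIN7X64SP1",
    "WIN7X86SP1O16", "WIN7X86VMO16", "WIN8X64VMO16", "WIN81X86VM",
    "WIN81X64VM", "WIN81X64VMO16", "WIN10X86VM", "WIN10X64VM", "WIN10X64VMO16",
}

# Constructed sample .vbox content; a real file carries many more elements.
SAMPLE_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-windows">
  <Machine uuid="{00000000-1111-2222-3333-444444444444}" name="WIN7OFFICE"/>
</VirtualBox>
"""


def md5_lowercase(path, chunk_size=1 << 20):
    """Hash the file in chunks so a multi-gigabyte .vdi never sits in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()  # hexdigest() is always lowercase


def read_machine(vbox_path):
    """Return (uuid, name) from the <Machine> element of a .vbox file."""
    for elem in ET.parse(vbox_path).getroot().iter():
        # Compare local names so the VirtualBox XML namespace does not matter.
        if elem.tag.rsplit("}", 1)[-1] == "Machine":
            uuid = elem.get("uuid")
            if not uuid:
                raise ValueError("<Machine> element has no uuid attribute")
            return uuid, elem.get("name", "")
    raise ValueError("no <Machine> element in %s" % vbox_path)


def check_name(name):
    """Return the list of problems with a customized VM name (empty if none)."""
    problems = []
    if not name:
        problems.append("name is empty")
    if len(name) > MAX_NAME_LEN:
        problems.append("name is longer than %d characters" % MAX_NAME_LEN)
    if name.upper() in RESERVED_NAMES:  # case-insensitive to be conservative
        problems.append("name is reserved by Fortinet")
    return problems


def preflight(vdi_path, vbox_path, vm_name=None, strip_braces=False):
    """Collect the upload parameters; vm_name defaults to the VirtualBox name."""
    uuid, vbox_name = read_machine(vbox_path)
    if strip_braces:  # the guide does not say which form -d expects
        uuid = uuid.strip("{}")
    name = vm_name or vbox_name
    problems = check_name(name)
    size = os.path.getsize(vdi_path)
    if size >= RECOMMENDED_MAX_BYTES:
        problems.append("image is %d bytes; less than 10GB is recommended" % size)
    return {"name": name, "uuid": uuid, "size": size,
            "md5": md5_lowercase(vdi_path), "problems": problems}


def build_command(info, transfer, server_ip, username, remote_path, windows_type):
    """Format the vm-customized -cn line with the option syntax shown in step 7."""
    if transfer not in ("ftp", "scp"):
        raise ValueError("transfer must be ftp or scp")
    if info["problems"]:
        raise ValueError("; ".join(info["problems"]))
    # The password stays a placeholder so it is never written to a script or log.
    return ("vm-customized -cn -t%s -s%s -u%s -p<password> -f%s -vo%s -vn%s -d%s -k%s"
            % (transfer, server_ip, username, remote_path, windows_type,
               info["name"], info["uuid"], info["md5"]))


def demo():
    """Run the check on constructed files and return the resulting command."""
    with tempfile.TemporaryDirectory() as tmp:
        vdi = os.path.join(tmp, "WIN7OFFICE.vdi")
        vbox = os.path.join(tmp, "WIN7OFFICE.vbox")
        with open(vdi, "wb") as fh:
            fh.write(b"abc")  # stand-in bytes, not a real disk image
        with open(vbox, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_VBOX)
        info = preflight(vdi, vbox)
        return build_command(info, "scp", "192.0.2.10", "uploader",
                             "/images/WIN7OFFICE.vdi", "<Windows_type>")


if __name__ == "__main__":
    print(demo())
```

The MD5 value passed with -k detects a corrupted or truncated transfer only; the -vo value is left as the guide's placeholder because the accepted Windows type strings are not listed here.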

Appendix E - Create a Customized Virtual Machine Image Using Your Own ISO

There are different ways to create and configure custom virtual machines on HA clusters. For AWS and Azure cloud implementations, see the FortiSandbox VM on AWS and FortiSandbox VM on Azure Guides.

In FSA-1000D, FSA-3000D, FSA-3500D, and VM, the maximum number of clones for all VM types for the whole system is limited by the Windows license shipped with the unit.

For FSA-2000E and FSA-3000E, the maximum number of clones for default VMs and optional VMs is limited by the Windows license and the number of stacked licenses provided by Fortinet.

For customized VMs, the maximum number of clones is 20 on FSA-2000E and 48 on FSA- 3000E.

Activate all customized VMs before uploading to the unit. Purchase licenses from Microsoft distributors to do activation.

We recommend the customized VM image size to be less than 10GB.

The guest VM images published by Fortinet might not reflect the user’s working environment. For example, on current Windows 8 and Windows 10 images, no Microsoft Office software is installed. FortiSandbox allows users to create their own guest image, install software running in their environment, and upload the image to the unit to scan files. Specifically, users can create the guest image on top of their Golden Image or Master Image to best simulate their OS installations. This document provides step-by-step instructions on how to create and configure them.

You can use the VMs provided by Fortinet or create your own. If you want to create a customized image using pre-configured VMs, see Appendix D - Create a Customized Virtual Machine Image Using Pre-Configured VMs.

There are seven steps to create a customized VM image using your own ISO:

1. Download and Install Oracle VM Virtual Box 5.1

2. Prepare the Operating System Installation Package

3. Create a Customized Image in Virtual Box

4. Install Software and Components on the Customized VM Image

5. Modify the VM Image Environment

6. Setup FortiSandbox Tracer Engine Launcher

7. Install the Customized VM Image to FortiSandbox and Apply It

1. Download and Install Oracle VM Virtual Box 5.1

You can download VirtualBox 5.1 from https://fsavm.fortinet.net/vmtools/VirtualBox-5.1.34-121010-Win.exe. The checksums are at https://fsavm.fortinet.net/vmtools/md5.txt

For help with VirtualBox installation and troubleshooting, see the VirtualBox User Manual.

VirtualBox is an open source software licensed under GNU General Public License V2 license. For license information, see https://www.virtualbox.org/wiki/Licensing_FAQ.

Mac OS is not supported.

2. Prepare the Operating System Installation Package

In FortiSandbox 3.1.0, the following operating systems can be used to build a customized VM image.

  • Microsoft Windows XP 32 bit
  • Microsoft Windows Server 2003 32 bit
  • Microsoft Windows 7 32/64 bit
  • Microsoft Windows 8.1 32/64 bit
  • Microsoft Windows 10 32/64 bit
  • Microsoft Windows Server 2008 32/64 bit
  • Microsoft Windows Server 2012 64 bit
  • Microsoft Windows Server 2016 64 bit

The installation package of above operating systems should be packaged as an ISO file. The ISO file should be copied to the host installed with VirtualBox.

The Windows Operating System is available from Microsoft and Microsoft Channel Partners. Fortinet does not provide their installation package, their support or their license rights.

To support 64-bit operating systems, hardware virtualization must be enabled on motherboard BIOS on the host installed with VirtualBox.

3. Create a Customized Image in Virtual Box

  1. Launch Virtual Box and click New.

  2. Enter a meaningful name for the new image. The name cannot be more than 15 characters.

    In the Type field > Microsoft Windows > select the OS version.

    The following VM image names are reserved by Fortinet and should not be used by customized images.

    • WINXPVM
    • WINXPVM1
    • WIN7X86VM
    • WIN7X64VM
    • WIN7X64SP1
    • WIN7X86SP1O16
    • WIN7X86VMO16
    • WIN8X64VMO16
    • WIN81X86VM
    • WIN81X64VM
    • WIN81X64VMO16
    • WIN10X86VM
    • WIN10X64VM
    • WIN10X64VMO16
  3. Click Next.
  4. In the Memory Size page, allocate the base memory size.

    Windows XP, Windows Server 2003 32 bit

    512MB

    Windows 7, 8, 10, Windows Server 2008 R2, Windows Server 2012, Windows Server 2016

    1024MB

  5. Click Next.
  6. In the Hard Drive page, select Create a virtual hard drive now and click Create.
  7. In the Hard drive file type page, select VirtualBox Disk Image (.vdi) format. Click Next.
  8. In the Storage on physical hard drive page, select Dynamically allocated. Click Next.
  9. In the File location and size page, set the path of the virtual disk file (optionally) and allocation 20GB virtual disk size for the VM. Click Create. The VM will be created and will appear in the left pane.
  10. Click the Settings button or right click on the VM image name to configure the VM image settings defined below:
    1. Go to General > Advanced, and apply the following settings:

    2. Go to System > Motherboard, and apply the following settings:
      For Windows XP and Windows Server 2003 32 bit:

      For Windows 7, Server 2008, 8, 10, Server 2012, Server 2016:

      Processor Tab

       

       

       

      Processor(s)

      1

       

      Execution Cap

      100

       

      Enable PAE/NX

      Check the box

      Acceleration Tab

       

       

       

      Enable VT-x/AMD-C

      Check the box

       

      Enable Nested Paging

      Check the box

    3. Go to Display, keep the default settings.
    4. Go to Storage, and apply the following settings:
      If the operating system is Windows XP or Windows Server 2003 32 bit:
      1. Click Controller: IDE, set Type to PIIX 4 and enable Use host I/O cache.
      2. Click on the Empty Optical Drive node, make sure the CD/DVD Drive is set as the IDE Secondary Master.
      3. Click the icon > Choose a virtual CD/DVD disk file, select the ISO file containing the operating system installation package.
      If the operating system is Windows 7, Server 2008, 8, 10, Server 2012, Server 2016:
      1. Click Controller: SATA node, right click > Remove Controller to remove it.
      2. Right click in the Storage Tree panel, and choose Add IDE Controller.
      3. Click the Add Hard Disk icon. The following prompt will appear:

      4. Click Choose Existing Disk and select the virtual disk file (*.vdi) that was created in the previous steps.
      5. Click Controller: IDE, set Type to PIIX4, and enable Use host I/O cache.
      6. Click on the Empty Optical Drive node, make sure the CD/DVD Drive is set as the IDE Secondary Master.
      7. Click the icon > Choose a virtual CD/DVD disk file, select the ISO file containing the operating system installation package.
    5. Go to Audio, and uncheck the Enable Audio checkbox.
    6. Go to Network, and apply the following settings:
      If the operating system is Windows XP or Windows Server 2003 32 bit:

      Adapter 1 Tab

       

       

       

      Network Adapter

      Check the box

       

      Attached to

      NAT

       

      Adapter Type

      Intel PRO/1000T Server (82543GC)

       

      Cable Connected

      Check the box

      Adapter 2 Tab

       

       

       

      Network Adapter

      Check the box

       

      Attached to

      NAT

       

      Adapter Type

      Intel PRO/1000T Server (82543GC)

       

      Cable Connected

      Check the box

      If the Operating System is Windows 7, Server 2008, 8, 10, Server 2012, or Server 2016:

      Adapter 1 Tab

       

       

       

      Network Adapter

      Check the box

       

      Attached to

      NAT

       

      Adapter Type

      Intel PRO/1000MT Server (82545EM)

       

      Cable Connected

      Check the box

      Adapter 2 Tab

       

       

       

      Network Adapter

      Check the box

       

      Attached to

      NAT

       

      Adapter Type

      Intel PRO/1000MT Server (82545EM)

       

      Cable Connected

      Check the box

    7. Go to Serial Ports, keep the default settings.
    8. Go to USB, uncheck the Enable USB Controller checkbox.
    9. Go to Shared Folders, make sure no shared folders exist.
  11. Click OK to apply the settings.
  12. In the VirtualBox Manager page, click the Start icon to turn on the image. The operating system starts installing. Follow the on-screen instructions to complete the installation.

4. Install Software and Components on the Customized VM Image

After installing a customized VM image, you can install applications and components for your environment, including but not limited to the following list:

  • .Net Framework
  • Microsoft Office suite
  • Adobe Acrobat Reader
There are two ways to install them:
  1. Put their installers on a computer in management network that VM image can download through http, ftp protocols or network share. This requires network settings of VM image to be configured to access hosting computer.
  2. Package their installation package as an ISO file in the VirtualBox Manager, select the VM image, click Settings button or right click on the VM image name to open Settings page.

    Go to the Storage page > Empty optical drive node > disk icon > Chose a virtual CD/DVD disk file, select the ISO file. Then inside the VM image, go to drive D to install the software.

After installing software or a component, go to Control Panel > Add or Remove Programs on Windows XP or Windows Server 2003 32 bit or Control Panel > Programs and Features in Windows 7, Server 2008, 8, Server 2012, Server 2016 and 10 to verify that the installation is successful.

Automatic update of software should be disabled. For details, please refer to software’s manual. For example, to disable automatic update on Acrobat Adobe Reader, refer to https://helpx.adobe.com/acrobat/kb/automatic-updates---acrobat-reader.html

Use a text editor and create a meta file, enter in the installed applications for this VM image. The meta file will be used later and its content is displayed in the Scan Profile > Installed Applications of FortiSandbox.

Certain software needs to be configured to associate with the file types as the default application. For example, Adobe Reader needs to be launched after installation to be the default PDF application.

All applications that are used during a job scan should be launched after installation to finish their initialization. This is especially important for software like web browsers such as Internet Explorer, Adobe Reader and Microsoft Office software.

For Windows 10, the default web browser is Windows Edge which FortiSandbox does not currently support. It is recommended to change the default web browser to be Internet Explorer. To do that:

  1. Go to Start > Settings > System > Default apps.
  2. Click Web Browser in the right pane and select Internet Explorer.

Windows OS and other installed software should be activated.

Fortinet is not responsible for software’s support and their license rights.

5. Modify the VM Image Environment

If the operating system is Windows XP or Windows Server 2003 32 bit:
  1. Go to Control Panel >Security Center and disable Windows Automatic Updates.
  2. Disable any installed antivirus software.
  3. Navigate to the Start Menu > right click on My computer > click Properties.

    In Hardware tab, click Driver Signing button and select Ignore – Install the software anyway and don’t ask for my approval.

    In Advanced tab, click the Error Reporting button and check Disable the Error Reporting function. Also, uncheck But notify me when critical errors occur.

    In System Restore tab, make sure the System Restore function is off.

  4. Make sure the built-in Administrator account is enabled. Open a command prompt and execute net user Administrator /active:yes.
  5. Setup Administrator auto-login:
    1. Open a command prompt and enter control userpasswords2. This will open the User Accounts page.
    2. Uncheck Users must enter a user name and password to use this computer to ensure the Administrator has automatic login privileges
    3. Click Apply.
    4. Use Administrator as the login account, password is optional.
    5. Go to the User Accounts > Advanced tab.
    6. Under Advanced User Manager > click the Advanced button to open the lusrmgr page.
    7. Click the Users folder to select the Administrator and edit its properties.
    8. Make sure its password never expires.
    9. Note

      For steps 4 and 5, the name of the Administrator account should be the localized version. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language

      Administrator Name

      Finnish Järjestelmänvalvoja
      French Administrateur
      Hungarian Rendszergazda
      Portuguese (Brazil) Administrador
      Portuguese (Portugal) Administrador
      Russian Администратор

      Spanish

      Administrador

      Swedish

      Administratör

  6. Open a command prompt and enter powercfg –h off to disable host hibernation if it is supported.
  7. Go to Control Panel > Display Properties, navigate to Screen Saver tab and select None from the Screen Saver dropdown menu.
  8. Go to Control Panel > Network Connection, and rename the following:

    Local Area Connection 1

    renamed to:

    eth0

    Local Area Connection 2

    renamed to:

    eth1

    If there are network devices already named as eth0 and eth1, change them to different names first.

    The exact names showing in Network Connection page might not be Local Area Connection 1 or Local Area Connection 2. You may might need to swap eth0 and eth1 names to make the customized image to work on FortiSandbox.

    If system doesn't allow rename to eth0 or eth1 with messages like connection eth0 or eth1 already exists, but they are not showing up in Network Connections page:

    1. Click Start > Run, type cmd.exe, and then press ENTER.
    2. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
    3. Type Start DEVMGMT.MSC, and then press ENTER.
    4. Click View > Show Hidden Devices. Expand the Network Adapters tree. Right-click the greyed out network adapters, and click Uninstall.
  9. Go to the Start menu, execute Run… and enter %TEMP% . This will open the %TEMP% folder. Delete everything in the folder.

    To maximize catch rate, it is recommended the Windows Firewall is disabled. To do that, go to Control Panel > Security Center > Windows Firewall and turn it off.

If the operating system is Windows 7 or Server 2008:
  1. Turn off Windows automatic update. Go to Control Panel > System and Security > Windows Update > Change. From the dropdown menu, select Never check for updates.
  2. Disable Windows Defender or any installed antivirus software. Go to Start menu and type Windows Defender to locate and launch it. Click Tools > Options > Administrator, uncheck Use this program check box, click Save.
  3. Go to Control Panel > System and Security > Action Center > Change Action Center settings, uncheck every item. Click Problem Reporting settings, check Never check for solution.
  4. Run a command prompt as the Administrator and enter powercfg –h off to disable host hibernation.
  5. Go to Control Panel > Appearance and Personalization > Change screen saver, select (None) from the Screen Saver dropdown list.
  6. Make sure Administrator account is enabled. Go to the Start menu, search command prompt. Right click on it and launch it as the Administrator. Execute net user Administrator /active:yes.
  7. Setup auto-login for the Administrator account.
    1. Open a command prompt and type in control userpasswords2. This will open the User Accounts page.
    2. Make sure the Administrator account has the automatically login privilege by un-checking option Users must enter a user name and password to use this computer.
    3. Click Apply.
    4. Use Administrator as the login account, and setup the password.
    5. Go to User Accounts > Advanced tab.
    6. Under the User Accounts > Advanced tab > Advanced User Management > click the Advanced button button to open the lusrmgr page.
    7. Click on the Users Folder to select Administrator and edit its properties.
    8. Make sure its password never expires.
      Note

      For steps 6 and 7, the name of the Administrator account should be the localized version. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language

      Administrator Name

      Finnish Järjestelmänvalvoja
      French Administrateur
      Hungarian Rendszergazda
      Portuguese (Brazil) Administrador
      Portuguese (Portugal) Administrador
      Russian Администратор

      Spanish

      Administrador

      Swedish

      Administratör

  8. Go to Control Panel > Network and Internet > Network and Sharing Center > Change Adapter settings, rename the following:

    Ethernet 1

    renamed to:

    eth0

    Ethernet 2

    renamed to:

    eth1

    If there are network devices already named as eth0 and eth1, change them to different names first.

    The exact names showing in Network Connection page might not be Local Area Connection 1 or Local Area Connection 2. You may might need to swap eth0 and eth1 names to make the customized image to work on FortiSandbox.

    If system doesn't allow rename to eth0 or eth1 with messages like connection eth0 or eth1 already exists, but they are not showing up in Network Connections page,

    a. Click Start > Run, type cmd.exe, and then press ENTER.

    b. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.

    c. Type Start DEVMGMT.MSC, and then press ENTER.

    d. Click View > Show Hidden Devices. Expand the Network Adapters tree. Right-click the greyed out network adapters, and click Uninstall.

  9. Go to the Start menu, execute Run… and enter %TEMP% . This will open the %TEMP% folder. Delete everything in the folder to save disk space.
  10. If the Windows Firewall is on, go to Control Panel > System and Security > Windows Firewall > Advanced Settings. If the Windows Firewall is off, the following steps are not necessary:
    1. Click on Inbound Rules > Add New Rule > click Program.
    2. Check This Program Path and type: c:\Windows\System32\ftp.exe. Then, click Next.
    3. Check Allow the Connection, then click Next.
    4. Provide a name for the rule such as Allow FTP.
    5. Click Finish.

      Follow these steps to create Outbound Rules for the same executable.

      To maximize the catch rate, it is recommended to configure the following settings:

      1. Turn off Windows Firewall

        Go to Control Panel > System and Security > Windows Firewall > Customize Settings page and turn it off for both private and public networks.

      2. Turn off UAC (User Account Control Settings)

        Search for UAC in Start menu, open the Change the User Account Control Setting, move the slider to Never, click OK.

      3. Use public profile for all unidentified networks

        Go to Control Panel > System and Security > Administrative Tools > Local Security Policy > Network List Manager Policies > right click on Unidentified Networks > Properties, change Location Type to Public, click OK.

      4. Turn off system protection for hard drive

        Go to the Start menu, right click on Computer > Properties > System protection > System Protection tab > Protection Settings > Local Disk (C:) > Configure, check Turn off system protection, click OK.

  11. If the Windows Firewall is off, execute the following commands in the command prompt:

    sc config mpssvc start= demand

    sc config wscsvc start= demand

    net start wscsvc

    net start mpssvc

    netsh firewall set opmode disable

    netsh advfirewall set allprofiles state off

    The warning message about netsh firewall can be ignored

If the operating system is Windows 8, Server 2012, or Server 2016:
  1. Turn off Windows automatic update. Go to Control Panel > System and Security > Windows Update > Change Settings. Change the dropdown menu to Never Check for Updates.
  2. If the operating system is Windows 8, disable Windows Defender or any installed antivirus software. Go to the Start menu and type Windows Defender to locate and launch the program. Go to Settings > Real Time Protection and uncheck the Turn on Real-Time Protection.
  3. In the Control Panel > System Security > Action Center page, expand the Maintenance section. Click on the settings under the Check for solutions to problem reports, select Never check for solution to disable the Action Center notifications. In the Action Center > Change Action Center Settings page, uncheck every item and click OK.
  4. Command prompt as Administrator and enter powercfg -h off to disable the host hibernation.
  5. Right click on the Desktop and select Personalize. Navigate to the Screen Saver settings. Change the Screen Saver dropdown list to None to disable the Screen Saver.
  6. Make sure the Administrator account is enabled. Go to the Start Menu and search for the Command Prompt. Right click on it and launch it as the Administrator. Execute net user Administrator /active:yes.
  7. Set up auto-login for the Administrator account.
    1. Open a command prompt and enter control userpasswords2. The User Accounts page will open.
    2. Make sure the Administrator has automatically login privilege enabled by unchecking the Users must enter a user name and password to use this computer option.
    3. Click Apply.
    4. User the Administrator as the login account and setup the password.
    5. Go to User Accounts > Advanced tab.
    6. Go to Advanced User Management > click the Advanced button to open the lusrmgr page.
    7. Click on the Users folder, and select Administrator to edit its properties
    8. Make sure its password never expires.
    9. Note

      For steps 6 and 7, the name of the Administrator account should be the localized version. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language

      Administrator Name

      Finnish Järjestelmänvalvoja
      French Administrateur
      Hungarian Rendszergazda
      Portuguese (Brazil) Administrador
      Portuguese (Portugal) Administrador
      Russian Администратор

      Spanish

      Administrador

      Swedish

      Administratör

  8. Go to Control Panel > Network and Internet > Network Sharing > Change Adapter settings, rename the following:

    Ethernet 1

    renamed to:

    eth0

    Ethernet 2

    renamed to:

    eth1

    If there are network devices already named as eth0 and eth1, change them to different names first.

    The exact names showing in Network Connection page might not be Local Area Connection 1 or Local Area Connection 2. You may might need to swap eth0 and eth1 names to make the customized image to work on FortiSandbox.

    If system doesn't allow rename to eth0 or eth1 with messages like connection eth0 or eth1 already exists, but they are not showing up in Network Connections page,

    a. Click Start > Run, type cmd.exe, and then press ENTER.

    b. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.

    c. Type Start DEVMGMT.MSC, and then press ENTER.

    d. Click View > Show Hidden Devices. Expand the Network Adapters tree. Right-click the greyed out network adapters, and click Uninstall.

  9. Go to Start menu > enter Run...> enter %TEMP% and press enter. The %TEMP% folder will appear. Delete everything in the folder.
  10. Go to Control Panel > Appearance and Personalization > Taskbar and Navigation.
  11. In the Navigation tab, check When I sign in or close all apps on a screen, go to the desktop instead of start in the Start screen area checkbox. click OK to save the change.

    To maximize the catch rate, it is recommended to configure the following settings:

    1. Turn off Windows Firewall

      Go to Control Panel > Windows Firewall. Select Turn off Windows Firewall for both public and private networks.

    2. Turn off UAC (User Account Control Settings)

      Search for UAC in Start menu, open the Change the User Account Control Setting, move the slider to Never, click OK.

    3. If the operating system is Windows 8, use public profile for all unidentified networks

      Go to Control Panel > System and Security > Administrative Tools > Local Security Policy > Network List Manager Policies > right click on Unidentified Networks > Properties, change Location Type to Public, click OK.

    4. If the operating system is Windows 8, turn off system protection for hard drive

      Go to Control Panel > System and Security > System, click Change Settings next to the Computer name, domain and workgroup settings section. Navigate to System Protection tab, select Configure..., and select Disable system protection.

  12. If the Windows Firewall is turned off, execute the following commands in the command prompt:

    sc config mpssvc start= demand

    sc config wscsvc start= demand (remove this line for Server 2012 and Server 2016 OS)

    net start wscsvc (remove this line for Server 2012 and Server 2016 OS)

    net start mpssvc

    netsh firewall set opmode disable

    netsh advfirewall set allprofiles state off

    The warning message about netsh firewall can be ignored.

If the operating system is Windows 10:
  1. Disable Windows Defender or any installed antivirus software. Go to the Start > type Windows Defender to locate and launch the program. Go to Settings > Real-Time Protection and uncheck Turn on Real-Time Protection.
  2. Go to Start >execute Run... and enter gpedit.msc and click OK. The Local Group Policy Editor will open.
  3. In the left pane, go to Computer Configuration > Administrative Templates > Windows Components > Windows Defender. In the right pane, double click on the Turn off Windows Defender policy to edit it. Click OK to save the change.
  4. Go to Start > Settings > System > Notifications & Actions. Turn off all notifications.
  5. Open a command rompt as the Administrator, enter powercfg -h off to disable hibernation.
  6. Right click on the Desktop and select Personalize. Navigate to the Screen Saver setting and change the Screen Saver dropdown list to None to disable the Screen Saver.
  7. Make sure the Administrator account is enabled. Go to Start > search Command Prompt > right click on the application to launch it as the Administrator. Execute net user Administrator /active:yes.
  8. Setup auto-login for the Administrator account.
    1. Open the command prompt and type in control userpasswords2. The User Accounts page will appear.
    2. Make sure the Administrator account automatically login privilege enabled by unchecking the Users must enter a user name and password to use this computer option.
    3. Click Apply.
    4. Use Administrator as the login account; the password is optional.
    5. Go to Users Accounts > Advanced tab.
    6. Go to Advanced User Management > click the Advanced button to launch the lusrmgr page.
    7. Click on the Users folder to select the Administrator to edit its properties.
    8. Make sure its password never expires.
    9. Note

      For steps 7 and 8, the name of the Administrator account should be the localized version. For example, if the OS language is English, the name is Administrator; if the OS language is French, the name is Administrateur. Use the table below for reference.

      Language

      Administrator Name

      Finnish Järjestelmänvalvoja
      French Administrateur
      Hungarian Rendszergazda
      Portuguese (Brazil) Administrador
      Portuguese (Portugal) Administrador
      Russian Администратор

      Spanish

      Administrador

      Swedish

      Administratör

  9. Go to Control Panel > Network and Internet > Network and Sharing Center > Change Adapter settings. Rename the following:

    Ethernet 1

    renamed to:

    eth0

    Ethernet 2

    renamed to:

    eth1

    If there are network devices already named as eth0 and eth1, change them to different names first.

    The exact names showing in Network Connection page might not be Local Area Connection 1 or Local Area Connection 2. You may might need to swap eth0 and eth1 names to make the customized image to work on FortiSandbox.

    If system doesn't allow rename to eth0 or eth1 with messages like connection eth0 or eth1 already exists, but they are not showing up in Network Connections page,

    1. Click Start > Run, type cmd.exe, and then press ENTER.
    2. Type set devmgr_show_nonpresent_devices=1, and then press ENTER.
    3. Type Start DEVMGMT.MSC, and then press ENTER.
    4. Click View > Show Hidden Devices. Expand the Network Adapters tree. Right-click the greyed out network adapters, and click Uninstall.
  10. Go to Start > execute Run... > enter %TEMP%. The %TEMP% folder appears. Delete everything in the folder.

    To maximize the catch rate, it is recommended to configure the following settings:

    1. Turn off Windows Firewall

      Go to Control Panel > System and Security > Windows Firewall. Select Turn off Windows Firewall for both public and private networks.

    2. Turn off UAC (User Account Control Settings)

      Search for UAC in Start menu, open the Change the User Account Control Setting, move the slider to Never, click OK.

    3. Use public profile for all unidentified networks

      Go to Control Panel > System and Security > Administrative Tools > Local Security Policy > Network List Manager Policies > right click on Unidentified Networks > Properties, change Location Type to Public, click OK.

    4. Turn off system protection for hard drive

      Go to Control Panel > System and Security > System, click Change Settings next to the Computer name, domain and workgroup settings section. Navigate to System Protection tab, select Configure..., and select Disable system protection.

  11. If Windows Firewall was turned off, execute the following commands in a command prompt:

    sc config mpssvc start= demand

    sc config wscsvc start= demand

    net start wscsvc

    net start mpssvc

    netsh firewall set opmode disable

    netsh advfirewall set allprofiles state off

    The warning message about netsh firewall can be ignored.

6. Setup FortiSandbox Tracer Engine Launcher

  1. Open an editor, such as Notepad, and type in the following script:

    @echo off
    :checker
    if not exist d:\launcher.bat (
        echo Wait for d:\launcher.bat
        rem sleep 5
        ping -n 5 127.0.0.1 >nul
        goto checker
    )
    start /min d:\launcher.bat

  2. Save the file as autorun.bat on your Desktop.
  3. Find the autorun.bat file on your Desktop, and Right-click > Cut.
  4. On Windows XP, Windows 7, Windows Server 2003, or Windows Server 2008, go to Start > All Programs > Startup > Right-click > Open All Users. Windows Explorer opens. Paste the autorun.bat file.

    On Windows 8 and Windows 10, go to Start > Run... and enter shell:startup to open the startup folder. Paste the autorun.bat file.

    The D:\ directory for the autorun.bat file is created after the VM image is uploaded.

7. Install the Customized VM Image to FortiSandbox and Apply It

  1. Put the VM image’s .vdi file and its meta file from Step 4 on a server that supports the FTP or SCP protocol.
  2. In the FortiSandbox CLI interface:
    1. Execute the CLI command vm-customized as follows:

      vm-customized -cn -t<ftp|scp> -s<server_ip> -u<username> -p<password> -f</vdi_file_path/vdi_file_name> -vo<Windows_type> -vn<custom_vm_name> -d<Machine uuid> -k<MD5_of_vdi_file_in_lowercase>

      Tip: The Machine uuid can be found in the <Machine> section of the .vbox file in the image build directory, such as C:\Users\user_name\VirtualBox VMs\vm_name\

    2. If a customized VM image of the same name exists on the unit, the installation will fail. Go to the VM Image page, set its clone number to 0, and click Apply to disable the existing image. Then use -r to replace the existing image with the new one. The Scan Profile settings for the image will be inherited.
    3. The installation process can take up to one hour, depending on unit model and network speed. If installation fails or stops unexpectedly, execute the command again.
    4. Uploading the meta file is optional. The information in the meta file is displayed in the Installed Applications area on the Scan Profile page of the FortiSandbox. To install it, execute the CLI command vm-customized as follows:

      vm-customized -cf -mproduct.list -t<ftp|scp> -s<server_ip> -u<username> -p<password> -f</meta_file_path/meta_file_name> -vn<custom_vm_name> -mproduct.list

      The custom_vm_name must be the same as the one used in the first vm-customized command above.

    5. The unit will reboot after installation.
  3. After the unit reboots, enable the image by setting its clone number to more than 0 on the VM Image page, and associate file types with it on the Scan Profile page to scan files.

    For example, the above is a Windows 7 customized image. It has an image file editor called FastStone Image Viewer and it is associated to open JPG files. The user can create a User defined extension for JPG files and associate it to this customized image. Subsequently, all JPG files will be scanned by this customized image and opened by the FastStone Image Viewer.
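The -d and -k arguments of the vm-customized -cn command in step 7 can be derived on the build host instead of being copied by hand. The following Python sketch is an added example, not Fortinet code: it hashes the .vdi in chunks, reads the uuid from the <Machine> element of the .vbox file, and assembles the command line with server, user and password left as placeholders. The function names, the sample file contents, and stripping the braces VirtualBox writes around the uuid are assumptions.

```python
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Constructed stand-in for a .vbox file (not taken from a real image).
SAMPLE_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.15-windows">
  <Machine uuid="{01234567-89AB-cdef-0123-456789abcdef}" name="sample"/>
</VirtualBox>"""

def vdi_md5(path, chunk_size=1 << 20):
    """Lowercase hex MD5 of a file, read in chunks because images are multi-GB."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()  # hexdigest() is lowercase, as -k requires

def machine_uuid(vbox_path):
    """uuid attribute of the <Machine> element, braces stripped (assumption)."""
    for elem in ET.parse(vbox_path).getroot().iter():
        # .vbox elements are namespaced, so compare the local tag name only.
        if elem.tag.rsplit("}", 1)[-1] == "Machine":
            uuid = elem.get("uuid", "").strip("{}").lower()
            if not UUID_RE.match(uuid):
                raise ValueError(f"unexpected Machine uuid: {uuid!r}")
            return uuid
    raise ValueError("no <Machine> element found")

def build_command(vdi, vbox, remote_path, windows_type, vm_name, proto="scp"):
    """Assemble the -cn command; server, user and password stay placeholders."""
    return (f"vm-customized -cn -t{proto} -s<server_ip> -u<username> -p<password> "
            f"-f{remote_path} -vo{windows_type} -vn{vm_name} "
            f"-d{machine_uuid(vbox)} -k{vdi_md5(vdi)}")

def demo():
    """Run the helpers on constructed files: a 3-byte 'image' and SAMPLE_VBOX."""
    with tempfile.TemporaryDirectory() as tmp:
        vdi, vbox = os.path.join(tmp, "s.vdi"), os.path.join(tmp, "s.vbox")
        with open(vdi, "wb") as fh:
            fh.write(b"abc")
        with open(vbox, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_VBOX)
        return build_command(vdi, vbox, "/images/s.vdi", "<Windows_type>", "CUSTOMVM")

if __name__ == "__main__":
    print(demo())
```

Hash the same .vdi file that is placed on the FTP or SCP server, so that the -k value describes the file the unit actually downloads.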