Administration Guide

White/Black Lists

White and black lists help improve scan performance and malware catch rate, and reduce false positives. They can be appended to, replaced, cleared, deleted, and downloaded. These lists contain file checksum values (MD5, SHA1, or SHA256) and domain, URL, and URL REGEX entries. Domain, URL, and URL REGEX lists are used in both file and URL scanning. For files, the URL the file was downloaded from is checked against the list. Wildcard formats, like *.domain, are supported. For example, when the user adds windowsupdate.microsoft.com to the White Domain List, all files downloaded from this domain are immediately rated as Clean. If the user adds *.microsoft.com to the White Domain List, all files downloaded from sub-domains of microsoft.com are immediately rated as Clean.

For URLs, you can add a raw URL or a regular expression pattern to the list. For example, if the user adds .*amazon.com/.*subscribe to the white list, all subscription URLs from amazon.com are immediately rated as Clean. This way, subscription links are not opened inside the VM, which would invalidate them.

  • If a white list entry is hit, the job rating will be Clean with a local overwrite flag.
  • If a black list entry is hit, the job rating will be Malicious with a local overwrite flag. Malware names will be FSA/BL_DOMAIN, FSA/BL_URL, FSA/BL_MD5, FSA/BL_SHA1, or FSA/BL_SHA256.
  • If the same entry exists on both lists and is hit, the black list will take priority and the file will be rated Malicious.

To manage the White/Black list manually:
  1. Go to Scan Policy > White/Black List.
  2. Click the menu icon beside White Lists or Black Lists to see its menu items.
  3. Click the + button to add a new entry.
    The URL pattern has a higher rating priority than a domain pattern. For example, if you enter *.microsoft.com in a domain white list and http://www.microsoft.com/*abc/bad.html in a URL black list, a file from http://www.microsoft.com/1abc/bad.html will be rated as Malicious.

  4. Click OK.
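The precedence rules above (URL pattern over domain pattern, black list over white list) can be checked against planned entries before they are added. This is an added example, not Fortinet code: the `rate` function, the list names, the "Unrated" label, and glob-style `*` matching are assumptions made for illustration.

```python
# Added example: a model of the documented precedence, not FortiSandbox code.
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def _hit(value, patterns):
    # Assumption: '*' matches any run of characters (glob style). Note that
    # fnmatch also treats '?' and '[' in a pattern as wildcards.
    return any(fnmatchcase(value, p) for p in patterns)


def rate(url, lists):
    """Return (rating, list_name) for a file's download URL.

    lists: dict with optional keys url_black, url_white, domain_black,
    domain_white. The check order encodes the two rules from the text:
    URL patterns outrank domain patterns, and at the same level the
    black list outranks the white list.
    """
    host = urlsplit(url).hostname or ""  # hostname is already lower-cased
    checks = [
        ("url_black", url, "Malicious"),
        ("url_white", url, "Clean"),
        ("domain_black", host, "Malicious"),
        ("domain_white", host, "Clean"),
    ]
    for name, value, rating in checks:
        patterns = lists.get(name, [])
        if name.startswith("domain"):
            patterns = [p.lower() for p in patterns]
        if _hit(value, patterns):
            return rating, name
    return "Unrated", None  # no local override; the normal scan decides


# Entries taken from the examples in the text.
PAGE_LISTS = {
    "domain_white": ["*.microsoft.com", "windowsupdate.microsoft.com"],
    "url_black": ["http://www.microsoft.com/*abc/bad.html"],
}

if __name__ == "__main__":
    for u in ("http://www.microsoft.com/1abc/bad.html",
              "http://www.microsoft.com/update.cab"):
        print(u, rate(u, PAGE_LISTS))
```
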
To manage the White/Black list through files:
  1. Go to Scan Policy > White/Black List.
  2. Beside White Lists or Black Lists, click the menu icon and select the Manage lists by uploading files icon.
  3. Select the list type from the dropdown menu:
    • MD5
    • SHA1
    • SHA256
    • Domain
    • URL
    • URL REGEX
  4. Select the Action from the dropdown menu:
    • Append: Add checksums to the list.
    • Replace: Replace the list.
    • Clear: Remove the list.
    • Download: Download the list to the management computer.
    • Delete: Delete an entry from the list if the entry is in the uploaded file.
  5. If the action is Download, click OK to download the list file to the management computer.
  6. If the action is Append or Replace, click Choose File, locate the checksum file on the management computer, then click OK.
  7. If the action is Clear, click OK to remove the list.

In a cluster setting, create White/Black lists on the master node. Lists are synchronized with other nodes.

The total number of URL REGEXs in the White/Black list must be less than 1000.

The total number of domains plus URLs in the White/Black list must be less than 50000.

The total number of MD5+SHA1+SHA256 checksums in the White/Black list must be less than 50000.
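List files can be checked on the management computer before they are uploaded. The linter below is an added example, not a Fortinet tool. It assumes one entry per line, that each limit applies to the white and black lists combined, and it uses Python's `re` as a stand-in for the product's regex dialect; the `lint` function and its group names are hypothetical.

```python
# Added example: pre-upload checks for White/Black list entries.
import re

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}
# Limits as stated on this page; each total must stay below the value.
LIMITS = {"regex": 1000, "domain_url": 50000, "checksum": 50000}
GROUP = {"MD5": "checksum", "SHA1": "checksum", "SHA256": "checksum",
         "Domain": "domain_url", "URL": "domain_url", "URL REGEX": "regex"}


def lint(white, black):
    """white/black: dict mapping a list type (as named in the dropdown)
    to its entries. Returns a list of findings; empty means nothing flagged."""
    findings = []
    totals = dict.fromkeys(LIMITS, 0)
    for colour, lists in (("white", white), ("black", black)):
        for ltype, entries in lists.items():
            totals[GROUP[ltype]] += len(entries)
            for e in entries:
                if ltype in HEX_LEN:
                    # A checksum must be exactly N hex digits for its type.
                    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LEN[ltype], e):
                        findings.append(f"{colour} {ltype}: bad checksum {e!r}")
                elif ltype == "URL REGEX":
                    try:
                        re.compile(e)
                    except re.error as err:
                        findings.append(f"{colour} URL REGEX: {e!r}: {err}")
    for group, limit in LIMITS.items():
        if totals[group] >= limit:
            findings.append(f"{group}: {totals[group]} entries, "
                            f"must be less than {limit}")
    # The same entry on both lists is rated Malicious: the black list wins,
    # so the white entry is dead weight and probably a mistake.
    for ltype in GROUP:
        for e in sorted(set(white.get(ltype, [])) & set(black.get(ltype, []))):
            findings.append(f"{ltype}: {e!r} is on both lists; black list wins")
    return findings


if __name__ == "__main__":
    # Constructed sample entries, not real indicators.
    white = {"MD5": ["a" * 32, "b" * 31],
             "URL REGEX": [".*amazon.com/.*subscribe", "(unclosed"]}
    black = {"MD5": ["a" * 32]}
    print("\n".join(lint(white, black)))
```
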
