File Scan Flow
After a file is received from an input source, it goes through the following steps before a verdict is reached. If a verdict can be reached at any step, the scan will stop.
- Filtering and Static Scan
In this step, the file will be scanned by the Anti Virus engine and the YARA rules engine. Its file type will be compared with the Scan Profile page > Job Queue tab settings to decide if it should be put in the job queue. If yes, it will be compared with the blocklist/allowlist (black/white list) and overridden verdict list.
For certain file types, such as Office and PDF files, they will be scanned statistically in virtual engines to detect suspicious contents. If they contain embedded URLs, the URLs will be checked to see if the website is a malicious website.
- Community Cloud Query
The file will be queried against the Community Cloud Server to check if an existing verdict is available. If yes, the verdict and behavior information will be downloaded. This makes the malware information shareable amongst the FortiSandbox Community for fast detection.
- Sandboxing Scan
If the file type is associated with a VM type, as defined in the Scan Profile page > VM Association, the file will be scanned inside a clone of that VM type. A file that is supposed to be scanned inside a VM might skip this step if it's filtered out by sandboxing prefiltering. For more information, see the FortiSandbox CLI Guide for the
sandboxing-prefiltering
command.