FortiSandbox utilizes Fortinet antivirus to scan files for known threats and then executes files in a VM host environment. Unlike traditional sandboxing solutions, FortiSandbox is able to perform advanced static scans, which can quickly and accurately filter files, and utilize up-to-the-minute threat intelligence of FortiGuard services.
There are five methods to import files to your FortiSandbox: sniffer mode, device mode (including FortiGate, FortiMail, FortiWeb, and FortiClient endpoints), adapter, network share, and on demand (including on demand through JSON API call and GUI submission). In sniffer mode, the FortiSandbox sniffs traffic on specified interfaces, reassembles files, and analyzes them. In device mode, your FortiGate, FortiWeb, FortiMail, or FortiClient endpoints are configured to send files to your FortiSandbox for analysis, and can receive malware packages from the FortiSandbox. Network share allows you to scan files located on a remote file share as scheduled, and quarantine bad files. On demand allows you to upload files, URLs inside a file, or archived files directly to your FortiSandbox for analysis. Different adapters allow FortiSandbox to work with third-party products smoothly.
FortiSandbox will execute code in a contained virtual environment by simulating human behavior and the output is analyzed to determine the characteristics of the file. Inspection is run post-execution and all aspects of the file are examined. FortiSandbox checks files for the dozens of suspicious characteristics, including but no limited to:
- Evasion techniques
- Known virus downloads
- Registry modifications
- Outbound connections to malicious IP addresses
- Infection of processes
- File system modifications
- Suspicious network traffic
FortiSandbox can process multiple files simultaneously since it has a VM pool to dispatch files to for sandboxing. The time to process a file depends on the hardware and the number of sandbox VMs used to scan the file. It can take from 60 seconds to five minutes to process a file.