Fortinet black logo

Administration Guide

Introduction

Copy Link
Copy Doc ID 2ab0dbd0-4db4-11ea-9384-00505692583a:523699
Download PDF

Introduction

Fighting today’s Advanced Persistent Threats (APTs) requires a multi-layer approach. FortiSandbox offers the ultimate combination of proactive mitigation, advanced threat visibility, and comprehensive reporting. More than just a sandbox, FortiSandbox deploys Fortinet’s award-winning, dynamic antivirus and threat scanning technology, dual level sandboxing, and optional integrated FortiGuard cloud queries to beat Advanced Evasion Techniques (AETs) and deliver state-of-the-art threat protection.

FortiSandbox utilizes advanced detection, dynamic antivirus scanning, and threat scanning technology to detect viruses and APTs. It leverages the FortiGuard web filtering database to inspect and flag malicious URL requests, and is able to identify threats that standalone antivirus solutions may not detect.

FortiSandbox works with your existing devices, like FortiGate, FortiWeb, FortiClient and FortiMail, to identify malicious and suspicious files and network traffic. It has a complete extreme antivirus database that will catch viruses that may have been missed.

FortiSandbox can be configured to sniff traffic from the network, scan files on a network share with a predefined schedule, quarantine malicious files, and receive files from FortiGate, FortiWeb, FortiMail, and FortiClient. For example, FortiMail 5.2.0 and later allows you to forward email attachments to FortiSandbox for advanced inspection and analysis. Files can also be uploaded directly to it for sandboxing through the web GUI or JSON API. You can also submit a website URL to scan to help you identify web pages hosting malicious content before users attempt to open the pages on their host machines.

FortiSandbox executes suspicious files in the VM host module to determine if the file is High, Medium, or Low Risk based on the behavior observed in the VM sandbox module. The rating engine scores each file from its behavior log (tracer log) that is gathered in the VM module and, if the score falls within a certain range, a risk level is determined.

Note

FortiSandbox rating can be performed by either the standard method or by using artificial intelligence (AI) mode. In AI mode, the AI engine uses machine learning technology to analyze the behavior of thousands of known malware. FortiSandbox uses this engine to inspect file behavior inside a VM to detect indicators of new malware.

AI mode can be toggled in the CLI using the command ai-mode.

In addition to physical and virtual deployments, FortiSandbox is also available as a cloud-based advanced threat protection service. The service can be integrated with FortiGate, FortiClient, FortiMail, FortiWeb, FortiADC, and FortiProxy. For more information, see https://docs.fortinet.com/product/fortisandbox-cloud/.

The following table lists infection types and attacks that are identified by FortiSandbox.

Infection Type

Description

Infector

Infector malware is used to steal system and user information. The stolen information is then uploaded to command and control servers. Once the infector installs on a computer, it attempts to infect other executable files with malicious code.

Worm

Worm malware replicates itself in order to spread to other computers. This type of malware does not need to attach itself to an existing program. Worms, like viruses, can damage data or software.

Botnet

Botnet malware is used to distribute malicious software. A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform a task. Computers that are infected by botnet malware can be controlled remotely. This type of malware is designed for financial gain or to launch attacks on websites or networks.

Hijack

Hijack malware attempts to hijack the system by modifying important registry keys or system files.

Stealer

Stealer malware is used to harvest login credentials of standalone systems, networks, FTP, email, game servers and other websites. Once the system is infected, the malware can be customized by the attacker.

Backdoor

Backdoor malware installs a network service for remote access to your network. This type of malware can be used to access your network and install additional malware, including stealer and downloader malware.

Injector

Injector malware injects malicious code into system processes to perform tasks on its behalf.

Rootkit

Rootkit malware attempts to hide its components by replacing vital system executables. Rootkits allow malware to bypass antivirus detection as they appear to be necessary system files.

Adware

Adware malware is a software package which attempts to access advertising websites. Adware displays these unwanted advertisements to the user.

Dropper

Dropper malware is designed to install malicious software to the target system. The malware code may be contained within the dropper or downloaded to the target system once activated.

Downloader

Downloader malware attempts to download other malicious programs.

Trojan

Trojan malware is a hacking program which gains privileged access to the operating system to drop a malicious payload, including backdoor malware. Trojans can be used to cause data damage, system damage, data theft or other malicious acts.

Riskware

Riskware malware has security-critical functions which pose a threat to the computer.

Grayware

Grayware malware is a classification for applications that behave in a manner that is annoying or undesirable. Grayware includes spyware, adware, dialers, and remote access tools that are designed to harm the performance of computers on your network.

Unknown

No definitions currently exist for this type of attack.

FortiSandbox scans executable (Windows .exe and .dll script files), JavaScript, Microsoft Office, Adobe Flash, PDF, archives, and other file types the user defines. JavaScript and PDF are the two common software types that malware uses to execute malicious code. For example, JavaScript is often used to create heap sprays and inject malicious code to execute in other software products such as Adobe Reader (PDF).

When a malware is scanned inside a FortiSandbox VM environment, FortiSandbox scans its outgoing traffic for connections to botnet servers and determines the nature of the traffic and connection hosts.

Key features of FortiSandbox include:

  • Dynamic Antimalware updates/Cloud query: Receives updates from FortiGuard Labs and send queries to the FortiSandbox Community Cloud in real time, helping to intelligently and immediately detect existing and emerging threats.
  • Code emulation: Performs lightweight sandbox inspection in real time for best performance, including certain malware that uses sandbox evasion techniques and/or only executes with specific software versions.
  • Full virtual environment: Provides a contained runtime environment to analyze high risk or suspicious code and explore the full threat life cycle.
  • Advanced visibility: Delivers comprehensive views into a wide range of network, system and file activity, categorized by risk, to help speed up incident response.
  • Network Alert: Inspects network traffic for requests to visit malicious sites, establish communications with C&C servers, and other activity indicative of a compromise. It provides a complete picture of the victim host's infection cycle.
  • Manual analysis: Allows security administrators to manually upload malware samples via the FortiSandbox web GUI or JSON API to perform virtual sandboxing without the need for a separate appliance.
  • Optional submission to FortiSandbox Community Cloud: Tracer reports, malicious files and other information may be submitted to FortiSandbox Community Cloud in order to receive remediation recommendations and updated in line protections.
  • Schedule scan of network shares: Perform a schedule scan of network shares in Network File System (NFS) v2 to v4 and Common Internet File System (CIFS) formats to quarantine suspicious files.
  • Scan job archive: You can archive scan jobs to a network share for backup and further analysis.
  • Website URL scan: Scan websites to a certain depth for a predefined time period.
  • Cluster supporting High Availability: Provide a non-interruption, high performance system for malware detection.
Tooltip

Version 3.2.0 starts phasing out support for Windows XP. If you currently use Windows XP, plan to migrate to a later Windows version.

Introduction

Fighting today’s Advanced Persistent Threats (APTs) requires a multi-layer approach. FortiSandbox offers the ultimate combination of proactive mitigation, advanced threat visibility, and comprehensive reporting. More than just a sandbox, FortiSandbox deploys Fortinet’s award-winning, dynamic antivirus and threat scanning technology, dual level sandboxing, and optional integrated FortiGuard cloud queries to beat Advanced Evasion Techniques (AETs) and deliver state-of-the-art threat protection.

FortiSandbox utilizes advanced detection, dynamic antivirus scanning, and threat scanning technology to detect viruses and APTs. It leverages the FortiGuard web filtering database to inspect and flag malicious URL requests, and is able to identify threats that standalone antivirus solutions may not detect.

FortiSandbox works with your existing devices, like FortiGate, FortiWeb, FortiClient and FortiMail, to identify malicious and suspicious files and network traffic. It has a complete extreme antivirus database that will catch viruses that may have been missed.

FortiSandbox can be configured to sniff traffic from the network, scan files on a network share with a predefined schedule, quarantine malicious files, and receive files from FortiGate, FortiWeb, FortiMail, and FortiClient. For example, FortiMail 5.2.0 and later allows you to forward email attachments to FortiSandbox for advanced inspection and analysis. Files can also be uploaded directly to it for sandboxing through the web GUI or JSON API. You can also submit a website URL to scan to help you identify web pages hosting malicious content before users attempt to open the pages on their host machines.

FortiSandbox executes suspicious files in the VM host module to determine if the file is High, Medium, or Low Risk based on the behavior observed in the VM sandbox module. The rating engine scores each file from its behavior log (tracer log) that is gathered in the VM module and, if the score falls within a certain range, a risk level is determined.

Note

FortiSandbox rating can be performed by either the standard method or by using artificial intelligence (AI) mode. In AI mode, the AI engine uses machine learning technology to analyze the behavior of thousands of known malware. FortiSandbox uses this engine to inspect file behavior inside a VM to detect indicators of new malware.

AI mode can be toggled in the CLI using the command ai-mode.

In addition to physical and virtual deployments, FortiSandbox is also available as a cloud-based advanced threat protection service. The service can be integrated with FortiGate, FortiClient, FortiMail, FortiWeb, FortiADC, and FortiProxy. For more information, see https://docs.fortinet.com/product/fortisandbox-cloud/.

The following table lists infection types and attacks that are identified by FortiSandbox.

Infection Type

Description

Infector

Infector malware is used to steal system and user information. The stolen information is then uploaded to command and control servers. Once the infector installs on a computer, it attempts to infect other executable files with malicious code.

Worm

Worm malware replicates itself in order to spread to other computers. This type of malware does not need to attach itself to an existing program. Worms, like viruses, can damage data or software.

Botnet

Botnet malware is used to distribute malicious software. A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform a task. Computers that are infected by botnet malware can be controlled remotely. This type of malware is designed for financial gain or to launch attacks on websites or networks.

Hijack

Hijack malware attempts to hijack the system by modifying important registry keys or system files.

Stealer

Stealer malware is used to harvest login credentials of standalone systems, networks, FTP, email, game servers and other websites. Once the system is infected, the malware can be customized by the attacker.

Backdoor

Backdoor malware installs a network service for remote access to your network. This type of malware can be used to access your network and install additional malware, including stealer and downloader malware.

Injector

Injector malware injects malicious code into system processes to perform tasks on its behalf.

Rootkit

Rootkit malware attempts to hide its components by replacing vital system executables. Rootkits allow malware to bypass antivirus detection as they appear to be necessary system files.

Adware

Adware malware is a software package which attempts to access advertising websites. Adware displays these unwanted advertisements to the user.

Dropper

Dropper malware is designed to install malicious software to the target system. The malware code may be contained within the dropper or downloaded to the target system once activated.

Downloader

Downloader malware attempts to download other malicious programs.

Trojan

Trojan malware is a hacking program which gains privileged access to the operating system to drop a malicious payload, including backdoor malware. Trojans can be used to cause data damage, system damage, data theft or other malicious acts.

Riskware

Riskware malware has security-critical functions which pose a threat to the computer.

Grayware

Grayware malware is a classification for applications that behave in a manner that is annoying or undesirable. Grayware includes spyware, adware, dialers, and remote access tools that are designed to harm the performance of computers on your network.

Unknown

No definitions currently exist for this type of attack.

FortiSandbox scans executable (Windows .exe and .dll script files), JavaScript, Microsoft Office, Adobe Flash, PDF, archives, and other file types the user defines. JavaScript and PDF are the two common software types that malware uses to execute malicious code. For example, JavaScript is often used to create heap sprays and inject malicious code to execute in other software products such as Adobe Reader (PDF).

When a malware is scanned inside a FortiSandbox VM environment, FortiSandbox scans its outgoing traffic for connections to botnet servers and determines the nature of the traffic and connection hosts.

Key features of FortiSandbox include:

  • Dynamic Antimalware updates/Cloud query: Receives updates from FortiGuard Labs and send queries to the FortiSandbox Community Cloud in real time, helping to intelligently and immediately detect existing and emerging threats.
  • Code emulation: Performs lightweight sandbox inspection in real time for best performance, including certain malware that uses sandbox evasion techniques and/or only executes with specific software versions.
  • Full virtual environment: Provides a contained runtime environment to analyze high risk or suspicious code and explore the full threat life cycle.
  • Advanced visibility: Delivers comprehensive views into a wide range of network, system and file activity, categorized by risk, to help speed up incident response.
  • Network Alert: Inspects network traffic for requests to visit malicious sites, establish communications with C&C servers, and other activity indicative of a compromise. It provides a complete picture of the victim host's infection cycle.
  • Manual analysis: Allows security administrators to manually upload malware samples via the FortiSandbox web GUI or JSON API to perform virtual sandboxing without the need for a separate appliance.
  • Optional submission to FortiSandbox Community Cloud: Tracer reports, malicious files and other information may be submitted to FortiSandbox Community Cloud in order to receive remediation recommendations and updated in line protections.
  • Schedule scan of network shares: Perform a schedule scan of network shares in Network File System (NFS) v2 to v4 and Common Internet File System (CIFS) formats to quarantine suspicious files.
  • Scan job archive: You can archive scan jobs to a network share for backup and further analysis.
  • Website URL scan: Scan websites to a certain depth for a predefined time period.
  • Cluster supporting High Availability: Provide a non-interruption, high performance system for malware detection.
Tooltip

Version 3.2.0 starts phasing out support for Windows XP. If you currently use Windows XP, plan to migrate to a later Windows version.