Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Scan Profile Advanced Tab

Use the Advanced tab to define advanced features for file/URL detection.

Enable Adaptive VM Scan

Enable this option to dynamically adjust the number of clones of enabled local VMs. Local VMs include default VMs, optional VMs, and customized VMs.

Enabling this option does not affect the number of remote MacOS or WindowsCloudVMs.

In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes.

A VM's clone number is increased when its usage is higher than a threshold and there are assignable clones or reassignable clones.

A VM's clone number is reduced when it has reassignable clones and there are other VMs requiring more clones.

An enabled local VM has at least one clone. The number of assignable clones cannot be less than 0 at any time.

Note

FortiSandbox-AWS, FortiSandbox-Azure, and FortiSandbox-HyperV do not support Adaptive Scan.

Enable Parallel VM Scan

Enable this option to allow FortiSandbox to run multiple VMs at the same time for a job. Normally, a job is scanned in the VM in sequence if the file type is associated with a different VM.

The parallel VM scan only happens when a job needs two or more VM scans and those VMs have a free clone. If there are no free clones, then parallel VM scan does not happen.

In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes.

Enhance VM Scan Ratio

Enable this option to allow a customized ratio for jobs that are scanned in the VM. The ratio is a low bound for the jobs that need to be scanned, meaning the percentage of jobs scanned in the VM can be equal to or higher than the preset ratio.

This option:

  • Is an extra filter that sends a job to the VM. When disabled, the VM scan is skipped.
  • Does not affect jobs that should normally be scanned in the VM. Those jobs are still VM scanned.
To configure this option:

Enable Set customized sandboxing ratio and set a ratio between 1 and 100.

In the system log, FortiSandbox creates a job event log (debug level) every 5 minutes for VM scan ratio statistics for jobs in approximately the last hour. This lets you see how many files were scanned in the VM in the last hour.

VM scan ratio calculation

The ratio is recalculated for each job based on the total old jobs from one hour ago to the current job submission time.

Example 1. The preset ratio is 60%, there are 100 total jobs in the last hour before the current job, and 60 of 100 have been sent to VM scan. The ratio before the current job is 60*100.0/100 = 60% (<=60%). So the current job will be sent to the VM.

Example 2. You submit another job after the above example. The scan ratio is (60+1)*100.0/(100+1) = 60.39% (>60%). So this job won’t be sent to the VM.

Because the VM scan takes time and there are jobs rated by cache, AV, allowlist/blocklist, Static Scan, and so on, the ratio of jobs finished in VM scan over all finished jobs in the last hour can be different from the ratio set for this feature.

In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes. Each node uses its local scan jobs to calculate the latest VM scan ratio, and then compare the universal ratio to decide whether to send a current job to VM.

Cache Dynamic Scan Results

Enable this option to allow VM scan cache.

VM Scan timeout for non-executable file

FortiSandbox supports a customized timeout value to control the tracer running time in the VM.

Currently, MAC OSX and Windows Cloud VM do not support file detection timeout.

To configure file detection timeout:
  1. Go to Scan Policy and Object > Scan Profile > Advanced.
  2. Enable VM Scan timeout for non-executable file and enter a timeout value.

    A shorter Default Timeout value provides better performance and faster scan speed, but lower accuracy. For a balance of speed and accuracy, use a value that falls in the middle of the 60-180 second range for normal model. Higher-end models (2000E/3000E/3000F/2000G), allows 30-180 second range.

  3. Click Apply.

    The Scan results shows the VM Scan time.

VM Scan timeout for URL

When URL detection is enabled, FortiSandbox scans URLs (WEBLinks). You can also specify the timeout setting (from 30 to 1200 seconds).

When this option is disabled, the default timeout is 60 seconds.

URL depth limit

Enable this option to examine the recursive depth of URLs (from 1 to 5).

When this option is disabled, only the URL itself is examined.

URL content limit

Enable this option to specify the maximum number of URLs from 1 to 10000.

When this option is disabled, the maximum number of URLs is unlimited.

Enable Rating Cloud Service

Enable this option to enhance the rating of the submission to provide a better detection rate by utilizing the Rating Engine and supervised Machine Learning in the cloud. When enabled, the local verdict and rating log are sent to the cloud. The original submitted file is not included.

Enable Code Emulator

Enable this option to forward the Windows executable submitted file for emulation to find traces of malicious code.

Enable Pipeline Mode

Enable this option to improve performance and accelerate the scan by reducing the time spent on VM instance starts and shutdowns. This means that jobs can be scanned in a VM instance one at a time without shutting down the instance.

A guest VM instance can only be reused when the scanning job won’t change the VM instance status. If the guest VM status has been changed, the VM instance will be shut down and restored for the next job.

If a job is rated malicious or suspicious in a pipeline mode VM instance, the job is rescanned in a fresh restored VM to secure a final rating.

Note

FortiSandbox-AWS and FortiSandbox-Azure do not support Pipeline Mode.

Scan Profile Advanced Tab

Use the Advanced tab to define advanced features for file/URL detection.

Enable Adaptive VM Scan

Enable this option to dynamically adjust the number of clones of enabled local VMs. Local VMs include default VMs, optional VMs, and customized VMs.

Enabling this option does not affect the number of remote MacOS or WindowsCloudVMs.

In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes.

A VM's clone number is increased when its usage is higher than a threshold and there are assignable clones or reassignable clones.

A VM's clone number is reduced when it has reassignable clones and there are other VMs requiring more clones.

An enabled local VM has at least one clone. The number of assignable clones cannot be less than 0 at any time.

Note

FortiSandbox-AWS, FortiSandbox-Azure, and FortiSandbox-HyperV do not support Adaptive Scan.

Enable Parallel VM Scan

Enable this option to allow FortiSandbox to run multiple VMs at the same time for a job. Normally, a job is scanned in the VM in sequence if the file type is associated with a different VM.

The parallel VM scan only happens when a job needs two or more VM scans and those VMs have a free clone. If there are no free clones, then parallel VM scan does not happen.

In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes.

Enhance VM Scan Ratio

Enable this option to allow a customized ratio for jobs that are scanned in the VM. The ratio is a low bound for the jobs that need to be scanned, meaning the percentage of jobs scanned in the VM can be equal to or higher than the preset ratio.

This option:

  • Is an extra filter that sends a job to the VM. When disabled, the VM scan is skipped.
  • Does not affect jobs that should normally be scanned in the VM. Those jobs are still VM scanned.
To configure this option:

Enable Set customized sandboxing ratio and set a ratio between 1 and 100.

In the system log, FortiSandbox creates a job event log (debug level) every 5 minutes for VM scan ratio statistics for jobs in approximately the last hour. This lets you see how many files were scanned in the VM in the last hour.

VM scan ratio calculation

The ratio is recalculated for each job based on the total old jobs from one hour ago to the current job submission time.

Example 1. The preset ratio is 60%, there are 100 total jobs in the last hour before the current job, and 60 of 100 have been sent to VM scan. The ratio before the current job is 60*100.0/100 = 60% (<=60%). So the current job will be sent to the VM.

Example 2. You submit another job after the above example. The scan ratio is (60+1)*100.0/(100+1) = 60.39% (>60%). So this job won’t be sent to the VM.

Because the VM scan takes time and there are jobs rated by cache, AV, allowlist/blocklist, Static Scan, and so on, the ratio of jobs finished in VM scan over all finished jobs in the last hour can be different from the ratio set for this feature.

In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes. Each node uses its local scan jobs to calculate the latest VM scan ratio, and then compare the universal ratio to decide whether to send a current job to VM.

Cache Dynamic Scan Results

Enable this option to allow VM scan cache.

VM Scan timeout for non-executable file

FortiSandbox supports a customized timeout value to control the tracer running time in the VM.

Currently, MAC OSX and Windows Cloud VM do not support file detection timeout.

To configure file detection timeout:
  1. Go to Scan Policy and Object > Scan Profile > Advanced.
  2. Enable VM Scan timeout for non-executable file and enter a timeout value.

    A shorter Default Timeout value provides better performance and faster scan speed, but lower accuracy. For a balance of speed and accuracy, use a value that falls in the middle of the 60-180 second range for normal model. Higher-end models (2000E/3000E/3000F/2000G), allows 30-180 second range.

  3. Click Apply.

    The Scan results shows the VM Scan time.

VM Scan timeout for URL

When URL detection is enabled, FortiSandbox scans URLs (WEBLinks). You can also specify the timeout setting (from 30 to 1200 seconds).

When this option is disabled, the default timeout is 60 seconds.

URL depth limit

Enable this option to examine the recursive depth of URLs (from 1 to 5).

When this option is disabled, only the URL itself is examined.

URL content limit

Enable this option to specify the maximum number of URLs from 1 to 10000.

When this option is disabled, the maximum number of URLs is unlimited.

Enable Rating Cloud Service

Enable this option to enhance the rating of the submission to provide a better detection rate by utilizing the Rating Engine and supervised Machine Learning in the cloud. When enabled, the local verdict and rating log are sent to the cloud. The original submitted file is not included.

Enable Code Emulator

Enable this option to forward the Windows executable submitted file for emulation to find traces of malicious code.

Enable Pipeline Mode

Enable this option to improve performance and accelerate the scan by reducing the time spent on VM instance starts and shutdowns. This means that jobs can be scanned in a VM instance one at a time without shutting down the instance.

A guest VM instance can only be reused when the scanning job won’t change the VM instance status. If the guest VM status has been changed, the VM instance will be shut down and restored for the next job.

If a job is rated malicious or suspicious in a pipeline mode VM instance, the job is rescanned in a fresh restored VM to secure a final rating.

Note

FortiSandbox-AWS and FortiSandbox-Azure do not support Pipeline Mode.