Sandboxing

Sandboxing general attributes are listed below.

<forticlient_configuration>
  <sandboxing>
    <enabled>1</enabled>
    <type>appliance</type>
    <address>n.n.n.n</address>
    <response_timeout>30</response_timeout>
    <when>
      <executables_on_removable_media>1</executables_on_removable_media>
      <executables_on_mapped_nw_drives>1</executables_on_mapped_nw_drives>
      <web_downloads>1</web_downloads>
      <email_downloads>1</email_downloads>
    </when>
    <submit_by_extensions>
      <enabled>1</enabled>
      <use_custom_extensions>0</use_custom_extensions>
      <custom_extensions>.exe,.php,.tiff,.7z,.gif,.png,.tnef,.asf,.htm,.ppsx,.unk,.cdf,.ico,.ppt,.vcf,.com,.jpeg,.pptx,.xls,.com1,.jpg,.qt,.xlsx,.dll,.mov,.rar,.zip,.doc,.mp3,.rm,.docx,.mp4,.rtf,.pdf,.swf,.jar,.dotx,.docm,.dotm,.xltx,.xlsm,.xltm,.xlsb,.xlam,.potx,.sldx,.pptm,.ppsm,.potm,.ppam,.sldm,.onetoc,.thmx,.bat,.cmd,.vbs,.ps1,.js,.tar,.gz,.xz,.bz2,.arj,.cab,.tgz,.txt,.z,.msi,.msg,.asp,.jsp,.kgb,.url,.dot,.xlt,.pps,.pot,.upx,.apk,.WEBLink,.lnk,.jarlib,.lzh,.htmnojs,.ace,.wsf,.eml,.pub,.mht,.mac,.dmg,.mime</custom_extensions>
    </submit_by_extensions>
    <exceptions>
      <exclude_files_from_trusted_sources>1</exclude_files_from_trusted_sources>
      <exclude_files_and_folders>0</exclude_files_and_folders>
      <folders>
        <folder>C:\path1\to\folder\,C:\path2\to\folder\</folder>
      </folders>
      <files>
        <file>C:\path\to\file1.txt, C:\path\to\file2.txt</file>
      </files>
    </exceptions>
    <remediation>
      <action>quarantine</action>
      <on_error>block</on_error>
    </remediation>
    <detect_level>4</detect_level>
  </sandboxing>
</forticlient_configuration>

The following table lists the endpoint control XML tags, their descriptions, and their default values (where applicable).

XML Tag / Description / Default Value

<enabled>
Enable or disable Sandbox Detection.
Boolean value: [0 | 1]

<type>
Specify the type of FortiSandbox unit.

<address>
Specify the IP address or FQDN of the FortiSandbox unit.

<response_timeout>
Specify the response timeout value in seconds. File access is allowed if FortiSandbox results have not been received when the timeout expires. Set to -1 to restrict access to the file indefinitely.

<when> elements

<executables_on_removable_media>
Enable or disable Sandbox Detection for executable files on removable media.
Boolean value: [0 | 1]

<executables_on_mapped_nw_drives>
Enable or disable Sandbox Detection for executable files on mapped network drives.
Boolean value: [0 | 1]

<web_downloads>
Enable or disable Sandbox Detection for files downloaded from the Internet.
Boolean value: [0 | 1]

<email_downloads>
Enable or disable Sandbox Detection for files downloaded from email.
Boolean value: [0 | 1]

<submit_by_extensions> elements

<enabled>
Enable or disable submission of files by extension.
Boolean value: [0 | 1]
Default value: 1

<use_custom_extensions>
Enable or disable the custom extension list given in <custom_extensions>.
Boolean value: [0 | 1]
Default value: 0

<custom_extensions>
Specify the list of file extensions to submit, separated by commas.

<exceptions> elements

<exclude_files_from_trusted_sources>
Enable or disable an exclusion list of trusted sources. When enabled, files from the listed trusted sources are excluded from Sandbox Detection.
Boolean value: [0 | 1]

<exclude_files_and_folders>
Enable or disable an exclusion list of files and folders. When enabled, the listed files and folders are excluded from Sandbox Detection.
Boolean value: [0 | 1]

<files>
Specify a list of files to exclude. Separate multiple files with a comma. Example: C:\path\to\file1.txt, C:\path\to\file2.txt

<folders>
Specify a list of folders to exclude. Separate multiple folders with a comma. Example: C:\path1\to\folder\,C:\path2\to\folder\

<remediation> elements

<action>
Specify how to handle infected files. Infected files can be quarantined. Alternatively, you can alert endpoint users about infected files but still allow access to them. Options:

  • quarantine
  • alert

<on_error>
Specify how to handle files when FortiSandbox cannot be reached. You can block or allow access to the files. Options:

  • block
  • allow

<detect_level>
When the value is 4: If FortiSandbox returns score 1/2/3/4, FortiClient takes the configured remediation action (quarantine or alert & notify). If FortiSandbox returns score 0, FortiClient releases the file.

When the value is 3: If FortiSandbox returns score 1/2/3, FortiClient takes the configured remediation action (quarantine or alert & notify). If FortiSandbox returns score 0/4, FortiClient releases the file.

When the value is 2: If FortiSandbox returns score 1/2, FortiClient takes the configured remediation action (quarantine or alert & notify). If FortiSandbox returns score 0/3/4, FortiClient releases the file.

When the value is 1: If FortiSandbox returns score 1, FortiClient takes the configured remediation action (quarantine or alert & notify). If FortiSandbox returns score 0/2/3/4, FortiClient releases the file.

Possible values: [4 | 3 | 2 | 1]
Default value: 4
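The following Python script is an added example, not Fortinet code and not part of this page: it parses a <sandboxing> profile like the one above, checks each documented element against the values listed in this table (so a profile with a mismatched closing tag or an out-of-range <detect_level> is caught before it is pushed to endpoints), and models what happens to one file given <detect_level>, <action>, <on_error>, <response_timeout> and the FortiSandbox verdict. The sample profile is constructed from the documented element names; the fail-open warning is this example's own check rather than a Fortinet rule, and "restrict" is an assumed label for the page's "restrict access indefinitely" outcome when <response_timeout> is -1.

```python
"""Lint a FortiClient <sandboxing> profile and model the decisions it encodes."""
import xml.etree.ElementTree as ET

# Constructed sample profile; element names and values are the ones documented on this page.
SAMPLE_PROFILE = r"""<forticlient_configuration>
  <sandboxing>
    <enabled>1</enabled>
    <response_timeout>30</response_timeout>
    <when>
      <executables_on_removable_media>1</executables_on_removable_media>
      <executables_on_mapped_nw_drives>1</executables_on_mapped_nw_drives>
      <web_downloads>1</web_downloads>
      <email_downloads>1</email_downloads>
    </when>
    <submit_by_extensions>
      <enabled>1</enabled>
      <use_custom_extensions>0</use_custom_extensions>
      <custom_extensions>.exe,.dll,.js,.ps1</custom_extensions>
    </submit_by_extensions>
    <exceptions>
      <exclude_files_from_trusted_sources>1</exclude_files_from_trusted_sources>
      <exclude_files_and_folders>0</exclude_files_and_folders>
    </exceptions>
    <remediation>
      <action>quarantine</action>
      <on_error>block</on_error>
    </remediation>
    <detect_level>4</detect_level>
  </sandboxing>
</forticlient_configuration>
"""

# Every element the page documents as "Boolean value: [0 | 1]", relative to <sandboxing>.
BOOL_PATHS = (
    "enabled", "when/executables_on_removable_media",
    "when/executables_on_mapped_nw_drives", "when/web_downloads",
    "when/email_downloads", "submit_by_extensions/enabled",
    "submit_by_extensions/use_custom_extensions",
    "exceptions/exclude_files_from_trusted_sources",
    "exceptions/exclude_files_and_folders",
)


def _text(node, path):
    """Stripped text of a descendant element, or None if it is absent or empty."""
    child = node.find(path)
    return child.text.strip() if child is not None and child.text else None


def lint_profile(xml_text):
    """Return a list of findings; an empty list means the profile passes."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]  # e.g. a mismatched closing tag
    sb = root.find("sandboxing")
    if sb is None:
        return ["missing <sandboxing> element"]
    findings = []
    for path in BOOL_PATHS:
        if _text(sb, path) not in ("0", "1"):
            findings.append(f"<{path.rsplit('/', 1)[-1]}> must be 0 or 1")
    if _text(sb, "detect_level") not in ("4", "3", "2", "1"):
        findings.append("<detect_level> must be one of 4 | 3 | 2 | 1")
    if _text(sb, "remediation/action") not in ("quarantine", "alert"):
        findings.append("<action> must be quarantine or alert")
    on_error = _text(sb, "remediation/on_error")
    if on_error not in ("block", "allow"):
        findings.append("<on_error> must be block or allow")
    elif on_error == "allow":  # this example's own policy check, not a Fortinet rule
        findings.append("warning: fail-open, files are allowed when FortiSandbox is unreachable")
    try:
        if int(_text(sb, "response_timeout")) < -1:
            raise ValueError
    except (TypeError, ValueError):
        findings.append("<response_timeout> must be -1 or a number of seconds")
    if (_text(sb, "submit_by_extensions/use_custom_extensions") == "1"
            and not _text(sb, "submit_by_extensions/custom_extensions")):
        findings.append("<use_custom_extensions> is 1 but <custom_extensions> is empty")
    return findings


def disposition(detect_level, action, on_error, response_timeout, verdict):
    """Outcome for one file. verdict is a FortiSandbox score 0-4, "timeout"
    (no result before <response_timeout> expired) or "unreachable"."""
    if verdict == "unreachable":
        return on_error  # <on_error>: block or allow
    if verdict == "timeout":
        # -1 keeps the file restricted until a result arrives; otherwise access is allowed
        return "restrict" if response_timeout == -1 else "allow"
    if verdict == 0 or verdict > detect_level:
        return "release"  # score is outside the range <detect_level> acts on
    return action  # <action>: quarantine or alert


if __name__ == "__main__":
    print("findings:", lint_profile(SAMPLE_PROFILE) or "none")
    for score in range(5):  # what <detect_level>3</detect_level> does with each score
        print(score, disposition(3, "quarantine", "block", 30, score))
```

Run against the page's own listing (with the `</customextensions>` and `</exceptions` typos left in) the first finding is a well-formedness error, which is the failure mode worth catching: a profile that does not parse never applies the restrictive settings it appears to contain.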