
Sandboxing

Sandboxing general attributes are listed below.

<forticlient_configuration>

<sandboxing>

<enabled>1</enabled>

<type>appliance</type>

<address>n.n.n.n</address>

<response_timeout>30</response_timeout>

<when>

<executables_on_removable_media>1</executables_on_removable_media>

<executables_on_mapped_nw_drives>1</executables_on_mapped_nw_drives>

<web_downloads>1</web_downloads>

<email_downloads>1</email_downloads>

</when>

<submit_by_extensions>

<enabled>1</enabled>

<use_custom_extensions>1</use_custom_extensions>

<custom_extensions>.exe,.dll,.com</custom_extensions>

</submit_by_extensions>

<exceptions>

<exclude_files_from_trusted_sources>1</exclude_files_from_trusted_sources>

<exclude_files_and_folders>0</exclude_files_and_folders>

<folders>

<folder>C:\path1\to\folder\,C:\path2\to\folder\</folder>

</folders>

<files>

<file>C:\path\to\file1.txt, C:\path\to\file2.txt</file>

</files>

</exceptions>

<remediation>

<action>quarantine</action>

<on_error>block</on_error>

</remediation>

<detect_level>4</detect_level>

</sandboxing>

</forticlient_configuration>

The following table provides the XML tags for Sandbox, as well as the descriptions and default values where applicable.

XML tag

Description

Default value

<enabled>

Enable or disable Sandbox Detection.

Boolean value: [0 | 1]

<type>

Specify the type of FortiSandbox unit. The example above uses appliance.

<address>

Specify the IP address or FQDN of the FortiSandbox unit.

<response_timeout>

Specify the response timeout in seconds. If no FortiSandbox result is received before the timeout expires, access to the file is allowed, so a finite timeout fails open. Set to -1 to restrict access to the file indefinitely, that is, until a FortiSandbox result is received.

<when> elements

<executables_on_removable_media>

Enable or disable Sandbox Detection for executable files on removable media.
Boolean value: [0 | 1]

<executables_on_mapped_nw_drives>

Enable or disable Sandbox Detection for executable files on mapped drives.
Boolean value: [0 | 1].

<web_downloads>

Enable or disable Sandbox Detection for files downloaded from the Internet.
Boolean value: [0 | 1].

<email_downloads>

Enable or disable Sandbox Detection for files downloaded from email.
Boolean value: [0 | 1].

<submit_by_extensions> elements

<enabled>

Enable or disable submitting specified file extensions to FortiSandbox for analysis. When disabled, no file extensions are submitted to FortiSandbox, but FortiClient can still retrieve signatures from FortiSandbox.

Boolean value: [0 | 1].

Default value: 1

<use_custom_extensions>

Enable or disable using a custom list of file extensions.

If enabled, configure the custom list of file extensions using the <custom_extensions> element below.

If disabled, the default list of file extensions is used: exe, dll, msi, cpl, ocx, ps1, swf, swz, jsfl, flv, swc, fla, xfl, 7z, xz, bz2, gz, tar, zip, rar, arj, z, pdf, doc, docx, docm, dotx, dotm, dot, rtf, mht, mhtml, odt, xlsx, xl, xlsm, xlsb, xltx, xltm, xls, xlt, xlam, xlw, pptx, pptm, ppt, xps, potx, potm, pot, thmx, pps, ppsx, ppsm, ppam, odp

Boolean value: [0 | 1].

Default value: 0

<custom_extensions>

If using a custom list of file extensions, enter the list of desired file extensions, separated only by commas. The example submits .exe, .dll, and .com files to FortiSandbox for analysis.

<exceptions> elements

<exclude_files_from_trusted_sources>

Enable or disable an exclusion list of trusted sources. When enabled, the list of trusted sources is excluded from Sandbox Detection.

Boolean value: [0 | 1].

<exclude_files_and_folders>

Enable or disable an exclusion list of files and folders. When enabled, the list of files and folders are excluded from Sandbox Detection.

Boolean value: [0 | 1].

<files>

Specify a list of files to exclude. Separate multiple files with a comma. Example: C:\path\to\file1.txt, C:\path\to\file2.txt

<folders>

Specify a list of folders to exclude. Separate multiple folders with a comma. Example: C:\path1\to\folder\,C:\path2\to\folder\

<remediation> elements

<action>

Specify how to handle infected files. Infected files can be quarantined. Alternatively, you can alert endpoint users about infected files but still allow access to them. Options:

  • quarantine
  • alert

<on_error>

Specify how to handle files when FortiSandbox cannot be reached. You can block or allow access to files. Options:

  • block
  • allow

<detect_level>

The detect level sets the highest FortiSandbox score that still triggers the configured remediation action: scores from 1 up to the configured value are remediated (quarantine or alert & notify), while score 0 and any score above the configured value release the file.

When value is 4: If FortiSandbox returns score 1/2/3/4, FortiClient takes the configured remediation action (quarantine or alert & notify). If FortiSandbox returns score 0, FortiClient releases the file.

When value is 3: If FortiSandbox returns score 1/2/3, FortiClient takes the configured remediation action (quarantine or alert & notify). If FortiSandbox returns score 0/4, FortiClient releases the file.

When value is 2: If FortiSandbox returns score 1/2, FortiClient takes the configured remediation action (quarantine or alert & notify). If FortiSandbox returns score 0/3/4, FortiClient releases the file.

When value is 1: If FortiSandbox returns score 1, FortiClient takes the configured remediation action (quarantine or alert & notify). If FortiSandbox returns score 0/2/3/4, FortiClient releases the file.

Possible values: [4 | 3 | 2 | 1]

Default value: 4
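The following Python script is an added example, not Fortinet code, that parses a <sandboxing> fragment like the one at the top of this page, flags the settings this page describes as letting files through (on_error set to allow, a finite response_timeout, action set to alert, a disabled <when> source, file and folder exclusions, a detect_level below 4), and implements the <detect_level> table as a function. The embedded XML is a constructed copy of the page's example with several settings deliberately weakened so the audit has something to report; the function names are the example's own and not a FortiClient API.

```python
import xml.etree.ElementTree as ET

# Constructed input: the page's example with on_error, action, detect_level,
# email_downloads and the file/folder exclusions deliberately weakened.
SAMPLE_CONFIG = """<forticlient_configuration>
<sandboxing>
  <enabled>1</enabled>
  <type>appliance</type>
  <address>n.n.n.n</address>
  <response_timeout>30</response_timeout>
  <when>
    <executables_on_removable_media>1</executables_on_removable_media>
    <executables_on_mapped_nw_drives>1</executables_on_mapped_nw_drives>
    <web_downloads>1</web_downloads>
    <email_downloads>0</email_downloads>
  </when>
  <submit_by_extensions>
    <enabled>1</enabled>
    <use_custom_extensions>1</use_custom_extensions>
    <custom_extensions>.exe,.dll,.com</custom_extensions>
  </submit_by_extensions>
  <exceptions>
    <exclude_files_from_trusted_sources>1</exclude_files_from_trusted_sources>
    <exclude_files_and_folders>1</exclude_files_and_folders>
    <folders><folder>C:\\path1\\to\\folder\\,C:\\path2\\to\\folder\\</folder></folders>
    <files><file>C:\\path\\to\\file1.txt, C:\\path\\to\\file2.txt</file></files>
  </exceptions>
  <remediation>
    <action>alert</action>
    <on_error>allow</on_error>
  </remediation>
  <detect_level>2</detect_level>
</sandboxing>
</forticlient_configuration>"""


def _text(elem, path, default=""):
    """Text of the first descendant matching path, or default if it is absent."""
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else default


def _split_list(value):
    # Comma-separated lists as the page describes them; stray spaces are tolerated.
    return [p.strip() for p in value.split(",") if p.strip()]


def parse_sandboxing(xml_text):
    """Return the <sandboxing> settings from a FortiClient XML fragment as a dict."""
    sb = ET.fromstring(xml_text).find("sandboxing")
    if sb is None:
        raise ValueError("no <sandboxing> element found")
    when = sb.find("when")
    return {
        "enabled": _text(sb, "enabled") == "1",
        "response_timeout": int(_text(sb, "response_timeout", "-1")),
        "when": {c.tag: (c.text or "").strip() == "1" for c in when} if when is not None else {},
        "use_custom_extensions": _text(sb, "submit_by_extensions/use_custom_extensions") == "1",
        "custom_extensions": _split_list(_text(sb, "submit_by_extensions/custom_extensions")),
        "exclude_files_and_folders": _text(sb, "exceptions/exclude_files_and_folders") == "1",
        "excluded_folders": _split_list(_text(sb, "exceptions/folders/folder")),
        "excluded_files": _split_list(_text(sb, "exceptions/files/file")),
        "action": _text(sb, "remediation/action"),
        "on_error": _text(sb, "remediation/on_error"),
        "detect_level": int(_text(sb, "detect_level", "4")),
    }


def audit(cfg):
    """Findings for settings that let files through, using only the page's semantics."""
    findings = []
    if not cfg["enabled"]:
        findings.append("enabled=0: Sandbox Detection is off")
    if cfg["on_error"] == "allow":
        findings.append("on_error=allow: files are released when FortiSandbox is unreachable")
    if cfg["response_timeout"] != -1:
        findings.append(f"response_timeout={cfg['response_timeout']}: access is allowed if no verdict arrives in time")
    if cfg["action"] == "alert":
        findings.append("action=alert: users are notified but can still open infected files")
    if cfg["detect_level"] < 4:
        findings.append(f"detect_level={cfg['detect_level']}: higher scores are released")
    findings += [f"{tag}=0: this source is not submitted" for tag, on in cfg["when"].items() if not on]
    if cfg["exclude_files_and_folders"]:
        findings.append(f"{len(cfg['excluded_folders'])} folder(s), {len(cfg['excluded_files'])} file(s) excluded")
    if cfg["use_custom_extensions"] and not cfg["custom_extensions"]:
        findings.append("use_custom_extensions=1 but custom_extensions is empty")
    return findings


def verdict(detect_level, score):
    """The <detect_level> table: scores 1..detect_level trigger the remediation
    action; score 0 and scores above detect_level release the file."""
    if detect_level not in (1, 2, 3, 4) or score not in (0, 1, 2, 3, 4):
        raise ValueError("detect_level must be 1-4 and score 0-4")
    return "remediate" if 1 <= score <= detect_level else "release"


if __name__ == "__main__":
    cfg = parse_sandboxing(SAMPLE_CONFIG)
    for finding in audit(cfg):
        print("WARN:", finding)
    for score in range(5):
        print(f"detect_level={cfg['detect_level']} score={score}: {verdict(cfg['detect_level'], score)}")
```

Run against the page's own example (on_error block, response_timeout 30, action quarantine, detect_level 4, all <when> sources on, exclusions off) the audit reports only the finite response_timeout; set it to -1 and the report is empty. The point of running the script on exported profiles is that on_error and response_timeout are two separate fail-open paths: on_error covers an unreachable FortiSandbox, while response_timeout covers a reachable one that is slow to answer.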
