Licensed endpoints running FortiClient 6.2.0 can now use the FortiSandbox Cloud service for deep inspection of zero-day threats.
Earlier versions of FortiClient supported sending files to FortiSandbox appliances. FortiClient 6.2.0 introduces support for FortiSandbox Cloud. The EMS administrator can now configure FortiClient to use an on-premises FortiSandbox appliance or point it at FortiSandbox Cloud. To use this new feature, the following requirements must be met:
- FortiClient must be registered to EMS.
- The Sandbox Cloud license, newly introduced in FortiClient 6.2.0, must be configured on EMS. The Fabric Agent license does not support this feature.
- The EMS administrator has configured the endpoint's assigned profile to use FortiSandbox Cloud as shown below.
Once FortiClient has received the profile from EMS, FortiClient displays the Sandbox Detection tab. FortiSandbox Cloud support functions in the same way as the FortiSandbox appliance support in earlier versions of FortiClient, except that FortiClient sends files to FortiSandbox Cloud instead of to an on-premises FortiSandbox appliance.
As the end user goes about their daily activities, FortiClient monitors new files introduced to the system. When FortiClient detects that a new file matches a monitored file type configured in EMS, the following occurs:
- If enabled, FortiClient AV Real Time Protection (RTP) scans the file. Scanning uses signatures from FortiGuard and FortiSandbox Cloud.
- One of the following occurs:
- AV RTP detects that the file is malicious. FortiClient quarantines or denies access to the file, depending on the configuration from EMS.
- AV RTP finds the file clean. The FortiClient Sandbox feature sends a checksum query to FortiSandbox Cloud. If FortiSandbox Cloud processed the same file recently, it returns its verdict immediately without needing the file again. If the file is new to FortiSandbox Cloud, the FortiClient Sandbox feature uploads the file, then polls FortiSandbox Cloud for the verdict until it receives one or reaches a timeout. Based on the received verdict, FortiClient quarantines or releases the file.
The FortiClient Sandbox Detection tab updates as FortiClient processes the file with FortiSandbox Cloud:
- If FortiSandbox Cloud returns a verdict that the file is clean, the Sandbox Detection tab shows the updated results, and FortiClient does not send logs or results to EMS.
- If FortiSandbox Cloud returns a verdict that the file is not clean, the Sandbox Detection tab shows the updated results, and FortiClient sends the results to EMS. You can view the results in EMS under Quarantine Management (if FortiClient quarantined the file) or on the Sandbox tab of the endpoint's details page.
Each endpoint can send a maximum of 300 files daily. If multiple files are submitted around the same time, FortiClient sends them one at a time: it sends one file to FortiSandbox Cloud, waits until it receives the verdict for that file, then sends the next file.
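The following Python model walks through the submission sequence described above (RTP scan, checksum query, upload on a cache miss, polling until verdict or timeout, one file in flight at a time, and the daily cap). It is an added illustration written for this page, not FortiClient or FortiSandbox code: the cloud side is a constructed in-memory stub, the monitored file types and the RTP "signature" (the EICAR prefix) are constructed, the stub flags any sample containing the byte string EVIL, and two behaviours the page does not specify are modelled as labelled assumptions (a file is simply not uploaded once the daily cap is reached, and a timed-out submission is recorded as "timeout" with no quarantine decision).

```python
import hashlib

DAILY_LIMIT = 300                                   # per-endpoint cap stated in the text
MONITORED_TYPES = (".exe", ".dll", ".pdf", ".docx")  # constructed list; EMS defines the real one
RTP_SIGNATURES = (b"X5O!P%@AP",)                    # constructed signature: the EICAR prefix
EVIL_MARKER = b"EVIL"                               # constructed rule used by the stub sandbox


def sha256_hex(data):
    """Checksum FortiClient would send in the initial query (SHA-256 assumed here)."""
    return hashlib.sha256(data).hexdigest()


class SandboxCloudStub:
    """Constructed stand-in for FortiSandbox Cloud: a checksum-to-verdict cache of recently
    processed samples plus an analysis queue in which a sample needs `analysis_polls`
    polls before its verdict becomes available."""

    def __init__(self, cached=None, analysis_polls=2):
        self.cached = dict(cached or {})   # sha256 -> "clean" | "malicious"
        self.pending = {}                  # sha256 -> [polls_left, data] while under analysis
        self.analysis_polls = analysis_polls
        self.uploads = 0
        self.max_concurrent = 0            # most samples ever under analysis at once

    def query(self, sha256):
        """Checksum query: the verdict if known, otherwise None (analysis advances one step)."""
        if sha256 in self.cached:
            return self.cached[sha256]
        entry = self.pending.get(sha256)
        if entry is None:
            return None                    # never seen: the client must upload the file
        entry[0] -= 1
        if entry[0] > 0:
            return None                    # still analysing
        data = self.pending.pop(sha256)[1]
        self.cached[sha256] = "malicious" if EVIL_MARKER in data else "clean"
        return self.cached[sha256]

    def upload(self, sha256, data):
        self.uploads += 1
        self.pending[sha256] = [self.analysis_polls, data]
        self.max_concurrent = max(self.max_concurrent, len(self.pending))


class EndpointSandboxAgent:
    """Client-side sequence: RTP scan, checksum query, upload on miss, poll until verdict
    or timeout, then quarantine/release and report only non-clean verdicts to EMS."""

    def __init__(self, cloud, daily_limit=DAILY_LIMIT, max_polls=5):
        self.cloud = cloud
        self.daily_limit = daily_limit
        self.max_polls = max_polls
        self.sent_today = 0
        self.detection_tab = []    # (name, verdict) rows the Sandbox Detection tab would show
        self.ems_reports = []      # clean verdicts are never forwarded to EMS

    def handle_new_file(self, name, data):
        if not name.lower().endswith(MONITORED_TYPES):
            return "ignored"                         # not a monitored file type
        if any(sig in data for sig in RTP_SIGNATURES):
            return "quarantined_by_rtp"              # signature hit; never reaches the sandbox
        digest = sha256_hex(data)
        verdict = self.cloud.query(digest)           # cheap checksum lookup first
        if verdict is None:
            if self.sent_today >= self.daily_limit:
                return "not_submitted_quota"         # assumption: over the cap, no upload
            self.cloud.upload(digest, data)
            self.sent_today += 1
            for _ in range(self.max_polls):          # block here until this verdict arrives
                verdict = self.cloud.query(digest)
                if verdict is not None:
                    break
        if verdict is None:
            self.detection_tab.append((name, "timeout"))
            return "timeout"                         # assumption: page leaves this case open
        self.detection_tab.append((name, verdict))
        if verdict == "malicious":
            self.ems_reports.append((name, digest))
            return "quarantined"
        return "released"

    def handle_batch(self, files):
        """Files arriving together are submitted strictly one after another."""
        return [self.handle_new_file(name, data) for name, data in files]
```

Because `handle_new_file` polls to completion before returning, `handle_batch` never has more than one sample in flight, which is the serialisation the text describes; the stub's `max_concurrent` counter lets you confirm that. Re-submitting bytes the stub has already analysed is answered from the cache without a second upload, which is the "processed recently" path.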
The following shows the FortiClient GUI when used with FortiSandbox Cloud.