Sandboxing
Sandboxing general attributes are listed below.
<forticlient_configuration>
<sandboxing>
<enabled>1</enabled>
<type>appliance</type>
<address>n.n.n.n</address>
<response_timeout>30</response_timeout>
<when>
<executables_on_removable_media>1</executables_on_removable_media>
<executables_on_mapped_nw_drives>1</executables_on_mapped_nw_drives>
<web_downloads>1</web_downloads>
<email_downloads>1</email_downloads>
</when>
<submit_by_extensions>
<enabled>1</enabled>
<use_custom_extensions>1</use_custom_extensions>
<custom_extensions>.exe,.dll,.com</customextensions>
</submit_by_extensions>
<exceptions>
<exclude_files_from_trusted_sources>1</exclude_files_from_trusted_sources>
<exclude_files_and_folders>0</exclude_files_and_folders>
<folders>
<folder>C:\path1\to\folder\,C:\path2\to\folder\</folder>
</folders>
<files>
<file>C:\path\to\file1.txt, C:\path\to\file2.txt</file>
</files>
</exceptions
<remediation>
<action>quarantine</action>
<on_error>block</on_error>
</remediation>
<detect_level>4</detect_level>
</sandboxing>
</forticlient_configuration>
The following table provides the XML tags for Sandbox, as well as the descriptions and default values where applicable.
XML tag |
Description |
Default value |
---|---|---|
<enabled> |
Enable Sandbox Detection. Boolean value: |
|
<type> |
Specify the type of FortiSandbox unit. |
|
<address> |
|
|
<response_timeout> |
Specify the response timeout value in seconds. File access is allowed if FortiSandbox results are not received when the timeout expires. Set to |
|
|
||
<executables_on_removable_media> |
Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis. Boolean value: [0 | 1]
|
|
<executables_on_mapped_nw_drives> |
Submit all files executed from mapped network drives.
Boolean value: |
|
<web_downloads> |
Submit all web downloads. |
|
<email_downloads> |
Submit all email downloads. |
|
|
||
<enabled> |
Submit specified file extensions to FortiSandbox for analysis. When disabled, FortiClient does not submit any file extensions to FortiSandbox, but can still retrieve signatures from FortiSandbox. Boolean value: |
1 |
<use_custom_extensions> |
Enable using a custom list of file extensions. If enabled, configure the custom list of file extensions using the If disabled, the default list of file extensions is used: exe, dll, msi, cpl, ocx, ps1, swf, swz, jsfl, flv, swc, fla, xfl, jsfl, 7z, xz, bz2, gz, tar, zip, rar, arj, z, pdf, doc, docx, docm, dotx, dotm, dot, rtf, mht, mhtml, odt, xlsx, xl, xlsm, xlsb, xltx, xltm, xls, xlt, xlam, xlw, pptx, pptm, ppt, xps, potx, potm, pot, thmx, pps, ppsx, ppsm, ppt, ppam, odp Boolean value: |
0 |
<custom_extensions> |
If using a custom list of file extensions, enter the list of desired file extensions, separated only by commas. The example submits .exe, .dll, and .com files to FortiSandbox for analysis. |
|
|
||
<exclude_files_from_trusted_sources> |
Exclude files signed by trusted sources from FortiSandbox submission. Boolean value: |
|
<exclude files_and_folders> |
Exclude specified folders/files from FortiSandbox submission. You must also create the exclusion list. Boolean value: |
|
<files> |
Specify a list of files to exclude. Separate multiple files with a comma. Example: |
|
<folders> |
Specify a list of folders to exclude. Separate multiple folders with a comma. Example: |
|
|
||
<action> |
Specify how to handle infected files. FortiClient can quarantine infected files. Enter one of the following:
|
|
<on_error> |
Specify how to handle files when FortiClient cannot reach FortiSandbox. You can block or allow access to files. Enter one of the following:
|
|
<detect_level> |
When the value is When the value is When the value is When the value is Possible values: |
4 |