Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • XML Reference Guide

    Home FortiClient 6.4.10 XML Reference Guide
    6.4.10
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    Sandboxing

    Sandboxing

    The following lists sandboxing general attributes:

    <forticlient_configuration>

    <sandboxing>

    <enabled>1</enabled>

    <type>appliance</type>

    <address>n.n.n.n</address>

    <response_timeout>30</response_timeout>

    <when>

    <executables_on_removable_media>1</executables_on_removable_media>

    <executables_on_mapped_nw_drives>1</executables_on_mapped_nw_drives>

    <web_downloads>1</web_downloads>

    <email_downloads>1</email_downloads>

    </when>

    <submit_by_extensions>

    <enabled>1</enabled>

    <use_custom_extensions>1</use_custom_extensions>

    <custom_extensions>.exe,.dll,.com</customextensions>

    </submit_by_extensions>

    <exceptions>

    <exclude_files_from_trusted_sources>1</exclude_files_from_trusted_sources>

    <exclude_files_and_folders>0</exclude_files_and_folders>

    <folders>

    <folder>C:\path1\to\folder\,C:\path2\to\folder\</folder>

    </folders>

    <files>

    <file>C:\path\to\file1.txt, C:\path\to\file2.txt</file>

    </files>

    </exceptions>

    <inclusions>

    <include_files_and_folders>1</include_files_and_folders>

    <folders>

    <folder>C:\folder1,C:\path2\to\folder2\</folder>

    </folders>

    <files>

    <file>C:\path\to\file3.txt, C:\path\to\file4.txt</file>

    </files>

    </inclusions>

    <remediation>

    <action>quarantine</action>

    <on_error>block</on_error>

    </remediation>

    <detect_level>4</detect_level>

    <shell_integration>

    <hide_sandbox_scan>0</hide_sandbox_scan>

    </shell_integration>

    <notification_type>0</notification_type>

    </sandboxing>

    </forticlient_configuration>

    The following table provides the XML tags for Sandbox, as well as the descriptions and default values where applicable:

    XML tag

    Description

    Default value

    <enabled>

    Enable Sandbox Detection.

    Boolean value: [0 | 1]

    <type>

    Specify the type of FortiSandbox unit.

    <address>

    Specify the IP address or FQDN of the FortiSandbox unit.

    <response_timeout>

    Specify the response timeout value in seconds. FortiClient allows file access if it has not received FortiSandbox results when the timeout expires. Set to -1 to infinitely restrict access to the file.

    <when> elements

    <executables_on_removable_media>

    Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.

    Boolean value: [0 | 1]

    <executables_on_mapped_nw_drives>

    Submit all files executed from mapped network drives.

    Boolean value: [0 | 1]

    <web_downloads>

    Submit all web downloads.

    Boolean value: [0 | 1]

    <email_downloads>

    Submit all email downloads.

    Boolean value: [0 | 1]

    <submit_by_extension> elements

    <enabled>

    Submit specified file extensions to FortiSandbox for analysis. When disabled, FortiClient does not submit any file extensions to FortiSandbox, but can still retrieve signatures from FortiSandbox.

    Boolean value: [0 | 1]

    1

    <use_custom_extensions>

    Enable using a custom list of file extensions.

    If enabled, configure the custom list of file extensions using the <custom_extensions> element below.

    If disabled, the default list of file extensions is used: exe, dll, msi, cpl, ocx, ps1, swf, swz, jsfl, flv, swc, fla, xfl, jsfl, 7z, xz, bz2, gz, tar, zip, rar, arj, z, pdf, doc, docx, docm, dotx, dotm, dot, rtf, mht, mhtml, odt, xlsx, xl, xlsm, xlsb, xltx, xltm, xls, xlt, xlam, xlw, pptx, pptm, ppt, xps, potx, potm, pot, thmx, pps, ppsx, ppsm, ppt, ppam, odp

    Boolean value: [0 | 1]

    0

    <custom_extensions>

    If using a custom list of file extensions, enter the list of desired file extensions, separated only by commas. The example submits .exe, .dll, and .com files to FortiSandbox for analysis.

    <exceptions> elements

    <exclude_files_from_trusted_sources>

    Exclude files signed by trusted sources from FortiSandbox submission.

    Boolean value: [0 | 1]

    <exclude files_and_folders>

    Exclude specified folders/files from FortiSandbox submission. You must also create the exclusion list.

    Boolean value: [0 | 1]

    <files>

    Specify a list of files to exclude. Separate multiple files with a comma. Example: C:\path\to\file1.txt, C:\path\to\file2.txt

    <folders>

    Specify a list of folders to exclude. Separate multiple folders with a comma. Example: C:\path1\to\folder\,C:\path2\to\folder\

    <inclusions> elements

    <include files_and_folders>

    Include specified folders/files in FortiSandbox submission. You must also create the inclusion list.

    Boolean value: [0 | 1]

    <files>

    Specify a list of files to include. Separate multiple files with a comma. Example: C:\path\to\file3.txt, C:\path\to\file4.txt

    <folders>

    Specify a list of folders to include. Separate multiple folders with a comma. Example: C:\folder1,C:\path2\to\folder2\.

    <remediation> elements

    <action>

    Specify how to handle infected files. FortiClient can quarantine infected files. Enter one of the following:

    • quarantine: quarantine infected files
    • alert: alert the user about infected files but allow access to infected files

    <on_error>

    Specify how to handle files when FortiClient cannot reach FortiSandbox. You can block or allow access to files. Enter one of the following:

    • block
    • allow

    <detect_level>

    When the value is 4: If FortiSandbox returns score 1/2/3/4, FortiClient takes the configured remediation action (quarantine or alert and notify). If FortiSandbox returns score 0, FortiClient releases the file.

    When the value is 3: If FortiSandbox returns score 1/2/3, FortiClient takes the configured remediation action (quarantine or alert and notify). If FortiSandbox returns score 0/4, FortiClient releases the file.

    When the value is 2: If FortiSandbox returns score 1/2, FortiClient takes the configured remediation action (quarantine or alert and notify). If FortiSandbox returns score 0/3/4, FortiClient releases the file.

    When the value is 1: If FortiSandbox returns score 1, FortiClient takes the configured remediation action (quarantine or alert and notify). If FortiSandbox returns score 0/2/3/4, FortiClient releases the file.

    Possible values: [4 | 3 | 2 |1]

    4

    <hide_sandbox_scan>

    Hide Sandbox scan option from Windows Explorer context menu.

    Boolean value: [0 | 1]

    <notification_type>

    Specify the notification configuration for FortiSandbox file submission:

    • 0: Display notification balloon when FortiSandbox detects malware in a submission.
    • 1: Displays a popup for all FortiSandbox file submissions.
    • 2: Does not display any notification for FortiSandbox file submissions, malware detection, or quarantine.

    0
    Previous
    Next

    Sandboxing

    Sandboxing

    The following lists sandboxing general attributes:

    <forticlient_configuration>

    <sandboxing>

    <enabled>1</enabled>

    <type>appliance</type>

    <address>n.n.n.n</address>

    <response_timeout>30</response_timeout>

    <when>

    <executables_on_removable_media>1</executables_on_removable_media>

    <executables_on_mapped_nw_drives>1</executables_on_mapped_nw_drives>

    <web_downloads>1</web_downloads>

    <email_downloads>1</email_downloads>

    </when>

    <submit_by_extensions>

    <enabled>1</enabled>

    <use_custom_extensions>1</use_custom_extensions>

    <custom_extensions>.exe,.dll,.com</customextensions>

    </submit_by_extensions>

    <exceptions>

    <exclude_files_from_trusted_sources>1</exclude_files_from_trusted_sources>

    <exclude_files_and_folders>0</exclude_files_and_folders>

    <folders>

    <folder>C:\path1\to\folder\,C:\path2\to\folder\</folder>

    </folders>

    <files>

    <file>C:\path\to\file1.txt, C:\path\to\file2.txt</file>

    </files>

    </exceptions>

    <inclusions>

    <include_files_and_folders>1</include_files_and_folders>

    <folders>

    <folder>C:\folder1,C:\path2\to\folder2\</folder>

    </folders>

    <files>

    <file>C:\path\to\file3.txt, C:\path\to\file4.txt</file>

    </files>

    </inclusions>

    <remediation>

    <action>quarantine</action>

    <on_error>block</on_error>

    </remediation>

    <detect_level>4</detect_level>

    <shell_integration>

    <hide_sandbox_scan>0</hide_sandbox_scan>

    </shell_integration>

    <notification_type>0</notification_type>

    </sandboxing>

    </forticlient_configuration>

    The following table provides the XML tags for Sandbox, as well as the descriptions and default values where applicable:

    XML tag

    Description

    Default value

    <enabled>

    Enable Sandbox Detection.

    Boolean value: [0 | 1]

    <type>

    Specify the type of FortiSandbox unit.

    <address>

    Specify the IP address or FQDN of the FortiSandbox unit.

    <response_timeout>

    Specify the response timeout value in seconds. FortiClient allows file access if it has not received FortiSandbox results when the timeout expires. Set to -1 to infinitely restrict access to the file.

    <when> elements

    <executables_on_removable_media>

    Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.

    Boolean value: [0 | 1]

    <executables_on_mapped_nw_drives>

    Submit all files executed from mapped network drives.

    Boolean value: [0 | 1]

    <web_downloads>

    Submit all web downloads.

    Boolean value: [0 | 1]

    <email_downloads>

    Submit all email downloads.

    Boolean value: [0 | 1]

    <submit_by_extension> elements

    <enabled>

    Submit specified file extensions to FortiSandbox for analysis. When disabled, FortiClient does not submit any file extensions to FortiSandbox, but can still retrieve signatures from FortiSandbox.

    Boolean value: [0 | 1]

    1

    <use_custom_extensions>

    Enable using a custom list of file extensions.

    If enabled, configure the custom list of file extensions using the <custom_extensions> element below.

    If disabled, the default list of file extensions is used: exe, dll, msi, cpl, ocx, ps1, swf, swz, jsfl, flv, swc, fla, xfl, jsfl, 7z, xz, bz2, gz, tar, zip, rar, arj, z, pdf, doc, docx, docm, dotx, dotm, dot, rtf, mht, mhtml, odt, xlsx, xl, xlsm, xlsb, xltx, xltm, xls, xlt, xlam, xlw, pptx, pptm, ppt, xps, potx, potm, pot, thmx, pps, ppsx, ppsm, ppt, ppam, odp

    Boolean value: [0 | 1]

    0

    <custom_extensions>

    If using a custom list of file extensions, enter the list of desired file extensions, separated only by commas. The example submits .exe, .dll, and .com files to FortiSandbox for analysis.

    <exceptions> elements

    <exclude_files_from_trusted_sources>

    Exclude files signed by trusted sources from FortiSandbox submission.

    Boolean value: [0 | 1]

    <exclude files_and_folders>

    Exclude specified folders/files from FortiSandbox submission. You must also create the exclusion list.

    Boolean value: [0 | 1]

    <files>

    Specify a list of files to exclude. Separate multiple files with a comma. Example: C:\path\to\file1.txt, C:\path\to\file2.txt

    <folders>

    Specify a list of folders to exclude. Separate multiple folders with a comma. Example: C:\path1\to\folder\,C:\path2\to\folder\

    <inclusions> elements

    <include files_and_folders>

    Include specified folders/files in FortiSandbox submission. You must also create the inclusion list.

    Boolean value: [0 | 1]

    <files>

    Specify a list of files to include. Separate multiple files with a comma. Example: C:\path\to\file3.txt, C:\path\to\file4.txt

    <folders>

    Specify a list of folders to include. Separate multiple folders with a comma. Example: C:\folder1,C:\path2\to\folder2\.

    <remediation> elements

    <action>

    Specify how to handle infected files. FortiClient can quarantine infected files. Enter one of the following:

    • quarantine: quarantine infected files
    • alert: alert the user about infected files but allow access to infected files

    <on_error>

    Specify how to handle files when FortiClient cannot reach FortiSandbox. You can block or allow access to files. Enter one of the following:

    • block
    • allow

    <detect_level>

    When the value is 4: If FortiSandbox returns score 1/2/3/4, FortiClient takes the configured remediation action (quarantine or alert and notify). If FortiSandbox returns score 0, FortiClient releases the file.

    When the value is 3: If FortiSandbox returns score 1/2/3, FortiClient takes the configured remediation action (quarantine or alert and notify). If FortiSandbox returns score 0/4, FortiClient releases the file.

    When the value is 2: If FortiSandbox returns score 1/2, FortiClient takes the configured remediation action (quarantine or alert and notify). If FortiSandbox returns score 0/3/4, FortiClient releases the file.

    When the value is 1: If FortiSandbox returns score 1, FortiClient takes the configured remediation action (quarantine or alert and notify). If FortiSandbox returns score 0/2/3/4, FortiClient releases the file.

    Possible values: [4 | 3 | 2 |1]

    4

    <hide_sandbox_scan>

    Hide Sandbox scan option from Windows Explorer context menu.

    Boolean value: [0 | 1]

    <notification_type>

    Specify the notification configuration for FortiSandbox file submission:

    • 0: Display notification balloon when FortiSandbox detects malware in a submission.
    • 1: Displays a popup for all FortiSandbox file submissions.
    • 2: Does not display any notification for FortiSandbox file submissions, malware detection, or quarantine.

    0
    Previous
    Next