Sandbox Detection
Enable Sandbox Detection. Some options only display if you enable Advanced view.
Some options on this tab are only available for configuration if your FortiClient EMS license includes the Sandbox Cloud feature. For example, if you have only applied the ZTNA license, the FortiSandbox Cloud options are unavailable. See Windows, macOS, and Linux endpoint licenses for details on which features each license type includes.
This feature does not rely on FortiClient real-time protection and can be used alongside other real-time antimalware applications such as Windows Defender. Files that these applications have quarantined cannot be sent to FortiSandbox.
Configure the following options:
| Options | Description |
|---|---|
| Sandbox Detection | Enable Sandbox Detection. Enable or disable the eye icon to show or hide this feature from the end user in FortiClient. |
| Server | |
| FortiSandbox | Select Appliance to configure connection to an on-premise FortiSandbox appliance or Cloud to configure connection to FortiSandbox Cloud. FortiSandbox Cloud offers a more affordable alternative to a FortiSandbox appliance, since it is a cloud service that you do not need to host on-site. However, FortiSandbox Cloud does not offer the full range of features that a FortiSandbox appliance offers. See FortiSandbox Cloud documentation. |
| | Enter the FortiSandbox's IP address or hostname. Click Test Connection to ensure that EMS can communicate with FortiSandbox. This option is only available for a FortiSandbox appliance. |
| Username | Optional. Enter the FortiSandbox username. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the username is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details. |
| | Optional. Enter the FortiSandbox password. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the password is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details. |
| Region | FortiSandbox Cloud region. See Configuring FortiGuard Services settings. |
| Time Zone | FortiSandbox Cloud time zone. See Configuring FortiGuard Services settings. |
| License Status | Displays the Sandbox Cloud license status. Using FortiSandbox Cloud requires an additional license. See FortiClient EMS. |
| Inspection Mode | Select one of the following: |
| Excluded File Extensions | Select a file extension to exclude from FortiSandbox scanning. You can select multiple file extensions. |
| Wait for FortiSandbox Results before Allowing File Access | Have the endpoint user wait for FortiSandbox scanning results before being allowed access to files. Set the timeout in seconds. |
| Deny Access to File When There Is No Sandbox Result | Deny access to downloaded files if there is no FortiSandbox result. This may happen if FortiSandbox is offline. |
| File Submission Options | |
| All Files Executed from Removable Media | Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis. |
| All Files Executed from Mapped Network Drives | Submit all files executed from mapped network drives. |
| All Web Downloads | Submit all web downloads. |
| All Email Downloads | Submit all email downloads. |
| Remediation Actions | |
| Action | Choose Quarantine or Alert & Notify for infected files. The user can access the file depending on Wait for FortiSandbox Results before Allowing File Access and Deny Access to File When There Is No Sandbox Result configuration. Whether FortiClient quarantines the file depends on if FortiSandbox reports the file as malicious and the FortiSandbox Detection Verdict Level setting. |
| FortiSandbox Detection Verdict Level | Select the desired detection verdict level. For FortiClient to apply the action selected in the Action field to an infected file, FortiSandbox must detect the file as this level or higher. For example, if Action is configured as Quarantine and FortiSandbox Detection Verdict Level is configured as Medium, FortiClient quarantines all infected files that FortiSandbox detects as Medium or a higher level (High or Malicious). FortiClient does not quarantine files for which FortiSandbox returns a verdict below this level (Low Risk or Clean). |
| Exceptions | |
| Exclude Files from Trusted Sources | Exclude files signed by trusted sources from FortiSandbox submission. Following is a list of sources that FortiSandbox trusts: |
| Exclude Specified Folders/Files | Exclude specified folders/files from FortiSandbox submission. You must also create the exclusion list. |
| Inclusions | |
| Include Specified Folders/Files | Include specified folders/files in FortiSandbox submission. You must also create the inclusion list. |
| Other | |
| Hide Sandbox Scan from Windows Explorer's Context Menu | Hide Sandbox scan option from Windows Explorer's right-click context menu. |
In addition to the configuration above, you must also configure the connection to EMS on the FortiSandbox. In FortiSandbox, go to Scan Input > Devices, and search for and authorize EMS using its serial number. You can find the EMS serial number on the System Information widget on the Dashboard.
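
The Remediation Actions and file-access rules from the table, modeled as a small policy check for reviewing a profile before deployment. This is an added example, not FortiClient or EMS code. The field names are hypothetical stand-ins for the option labels, and it assumes a file is accessible before the verdict when waiting is disabled and stays accessible when no result arrives unless denial is enabled.

```python
from dataclasses import dataclass

# Verdict levels in the order the page gives them, lowest to highest.
VERDICTS = ["Clean", "Low Risk", "Medium", "High", "Malicious"]

@dataclass
class SandboxProfile:
    """Hypothetical field names mirroring the option labels in the table."""
    action: str = "Quarantine"         # "Quarantine" or "Alert & Notify"
    verdict_level: str = "Medium"      # FortiSandbox Detection Verdict Level
    wait_for_results: bool = True      # Wait for FortiSandbox Results before Allowing File Access
    deny_when_no_result: bool = False  # Deny Access to File When There Is No Sandbox Result

def outcome(profile, verdict):
    """Return (accessible_before_verdict, final_action) for one submitted file.
    verdict is one of VERDICTS, or None when FortiSandbox returned no result
    (for example because it is offline)."""
    early_access = not profile.wait_for_results  # assumption: no wait means early access
    if verdict is None:
        return early_access, "deny" if profile.deny_when_no_result else "allow"
    if VERDICTS.index(verdict) >= VERDICTS.index(profile.verdict_level):
        return early_access, "quarantine" if profile.action == "Quarantine" else "alert"
    return early_access, "allow"

def audit(profile):
    """List the ways this profile lets a file through without blocking it."""
    findings = []
    if not profile.wait_for_results:
        findings.append("file is accessible before a verdict arrives")
    if not profile.deny_when_no_result:
        findings.append("no result (e.g. FortiSandbox offline) leaves the file accessible")
    if profile.action != "Quarantine":
        findings.append("detections raise an alert only; file is not quarantined")
    unactioned = [v for v in VERDICTS[1:] if outcome(profile, v)[1] == "allow"]
    if unactioned:
        findings.append("no action for verdicts: " + ", ".join(unactioned))
    return findings

if __name__ == "__main__":
    # Constructed sample profile: alert-only, highest threshold, no waiting.
    lax = SandboxProfile("Alert & Notify", "Malicious", wait_for_results=False)
    for finding in audit(lax):
        print("-", finding)
```
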