Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

EMS Administration Guide

Sandbox Detection

Enable Sandbox Detection. Some options only display if you enable Advanced view.

Some options on this tab are only available for configuration if your FortiClient EMS license includes the Sandbox Cloud feature. For example, if you have only applied the ZTNA license, the FortiClient Cloud Sandbox options are unavailable. See Windows, macOS, and Linux endpoint licenses for details on which features each license type includes.

Note

This feature does not rely on FortiClient real-time protection and can be used alongside other real-time antimalware applications such as Windows Defender. Files that these applications have quarantined cannot be sent to FortiSandbox.

Configure the following options:

Options

Description

Sandbox Detection

Enable Sandbox Detection.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

Server

FortiSandbox

Select Appliance to configure connection to an on-premise FortiSandbox appliance or Cloud to configure connection to FortiClient Cloud Sandbox. FortiClient Cloud Sandbox offers a more affordable alternative to a FortiSandbox appliance, since it is a cloud service that you do not need to host on-site. However, FortiClient Cloud Sandbox does not offer the full range of features that a FortiSandbox appliance offers. See FortiClient Cloud Sandbox documentation.

IP address/Hostname

For a FortiSandbox appliance, enter the FortiSandbox's IP address, FQDN, or hostname.

Although the IP address/Hostname field is onlly available when Appliance is selected, you can also configure this option for FortiClient Cloud Sandbox. Enter the FortiClient Cloud Sandbox FQDN and account ID in the Account ID field.

Click Test Connection to ensure that EMS can communicate with FortiSandbox. This option is only available when Appliance is selected.

Account ID

Optional. Enter the FortiClient Cloud Sandbox account ID. You should only use this option when configuring a FortiClient Cloud Sandbox using the FQDN.

Username

Optional. Enter the FortiSandbox username. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the username is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details.

Password

Optional. Enter the FortiSandbox password. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the password is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details.

Region

FortiClient Cloud Sandbox region. See Configuring FortiGuard Services settings.

Time Offset

FortiClient Cloud Sandbox time offset. See Configuring FortiGuard Services settings.

License Status

Displays the Sandbox Cloud license status. Using FortiClient Cloud Sandbox requires an additional license. See FortiClient EMS.

Inspection Mode

Select one of the following:

  • None: FortiClient does not send any files to FortiSandbox for inspection.
  • High-Risk Files: FortiClient inspects all supported high-risk files and sends to FortiSandbox as appropriate. The following are considered high-risk file types: exe, bat, vbs, js, htm, htm, gz, rar, tar, lzh, upx, zip, cab, bz2, 7z, pdf, xz, swf, rtf, dll, doc, xls, ppt, docx, xlsx, pptx, thmx, apk, exe, lnk, kgb, z, ace, jar, msi, mime, mac, dmg, mac, iso, elf, arj
  • All Supported Extensions: FortiClient inspects all supported file extensions and sends to FortiSandbox as appropriate. This option is only available for a FortiSandbox appliance.

Excluded File Extensions

Select a file extension to exclude from FortiSandbox scanning. You can select multiple file extensions.

Wait for FortiSandbox Results before Allowing File Access

Have the endpoint user wait for FortiSandbox scanning results before being allowed access to files. Set the timeout in seconds.

Deny Access to File When There Is No Sandbox Result

Deny access to downloaded files if there is no FortiSandbox result. This may happen if FortiSandbox is offline.

File Submission Options

All Files Executed from Removable Media

Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.

All Files Executed from Mapped Network Drives

Submit all files executed from mapped network drives.

All Web Downloads

Submit all web downloads.

All Email Downloads

Submit all email downloads.

Remediation Actions

Action

Choose Quarantine or Alert & Notify for infected files. The user can access the file depending on Wait for FortiSandbox Results before Allowing File Access and Deny Access to File When There Is No Sandbox Result configuration. Whether FortiClient quarantines the file depends on if FortiSandbox reports the file as malicious and the FortiSandbox Detection Verdict Level setting.

FortiSandbox Detection Verdict Level

Select the desired detection verdict level. For FortiClient to apply the action selected in the Action field to an infected file, FortiSandbox must detect the file as this level or higher. For example, if Action is configured as Quarantine and FortiSandbox Detection Verdict Level is configured as Medium, FortiClient quarantines all infected files that FortiSandbox detects as Medium or a higher level (High or Malicious). FortiClient does not quarantine files for which FortiSandbox returns a verdict below this level (Low Risk or Clean).

Exceptions

Exclude Files from Trusted Sources

Exclude files signed by trusted sources from FortiSandbox submission. Following is a list of sources trusted by FortiSandbox:

  • Microsoft
  • Fortinet
  • Mozilla
  • Windows
  • Google
  • Skype
  • Apple
  • Yahoo!
  • Intel

Exclude Specified Folders/Files

Exclude specified folders/files from FortiSandbox submission. You must also create the exclusion list.

Inclusions

Include Specified Folders/Files

Include specified folders/files in FortiSandbox submission. You must also create the inclusion list.

Other

 

Hide Sandbox Scan from Windows Explorer's Context Menu

Hide Sandbox scan option from Windows Explorer's right-click context menu.

Notification Type

Select the desired notification type to display to end users when FortiClient Cloud Sandbox detects an infected file.

Note

In addition to the configuration above, you must also configure the connection to EMS on the FortiSandbox. In FortiSandbox, go to Scan Input > Devices, and search for and authorize EMS using its serial number. You can find the EMS serial number on the System Information widget on the Dashboard.

Sandbox Detection

Enable Sandbox Detection. Some options only display if you enable Advanced view.

Some options on this tab are only available for configuration if your FortiClient EMS license includes the Sandbox Cloud feature. For example, if you have only applied the ZTNA license, the FortiClient Cloud Sandbox options are unavailable. See Windows, macOS, and Linux endpoint licenses for details on which features each license type includes.

Note

This feature does not rely on FortiClient real-time protection and can be used alongside other real-time antimalware applications such as Windows Defender. Files that these applications have quarantined cannot be sent to FortiSandbox.

Configure the following options:

Options

Description

Sandbox Detection

Enable Sandbox Detection.

Enable or disable the eye icon to show or hide this feature from the end user in FortiClient.

Server

FortiSandbox

Select Appliance to configure connection to an on-premise FortiSandbox appliance or Cloud to configure connection to FortiClient Cloud Sandbox. FortiClient Cloud Sandbox offers a more affordable alternative to a FortiSandbox appliance, since it is a cloud service that you do not need to host on-site. However, FortiClient Cloud Sandbox does not offer the full range of features that a FortiSandbox appliance offers. See FortiClient Cloud Sandbox documentation.

IP address/Hostname

For a FortiSandbox appliance, enter the FortiSandbox's IP address, FQDN, or hostname.

Although the IP address/Hostname field is onlly available when Appliance is selected, you can also configure this option for FortiClient Cloud Sandbox. Enter the FortiClient Cloud Sandbox FQDN and account ID in the Account ID field.

Click Test Connection to ensure that EMS can communicate with FortiSandbox. This option is only available when Appliance is selected.

Account ID

Optional. Enter the FortiClient Cloud Sandbox account ID. You should only use this option when configuring a FortiClient Cloud Sandbox using the FQDN.

Username

Optional. Enter the FortiSandbox username. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the username is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details.

Password

Optional. Enter the FortiSandbox password. This option is only available for a FortiSandbox appliance. When using a FortiSandbox appliance, the password is necessary to view detailed FortiSandbox reports on the Sandbox Events tab. See Viewing Sandbox event details.

Region

FortiClient Cloud Sandbox region. See Configuring FortiGuard Services settings.

Time Offset

FortiClient Cloud Sandbox time offset. See Configuring FortiGuard Services settings.

License Status

Displays the Sandbox Cloud license status. Using FortiClient Cloud Sandbox requires an additional license. See FortiClient EMS.

Inspection Mode

Select one of the following:

  • None: FortiClient does not send any files to FortiSandbox for inspection.
  • High-Risk Files: FortiClient inspects all supported high-risk files and sends to FortiSandbox as appropriate. The following are considered high-risk file types: exe, bat, vbs, js, htm, htm, gz, rar, tar, lzh, upx, zip, cab, bz2, 7z, pdf, xz, swf, rtf, dll, doc, xls, ppt, docx, xlsx, pptx, thmx, apk, exe, lnk, kgb, z, ace, jar, msi, mime, mac, dmg, mac, iso, elf, arj
  • All Supported Extensions: FortiClient inspects all supported file extensions and sends to FortiSandbox as appropriate. This option is only available for a FortiSandbox appliance.

Excluded File Extensions

Select a file extension to exclude from FortiSandbox scanning. You can select multiple file extensions.

Wait for FortiSandbox Results before Allowing File Access

Have the endpoint user wait for FortiSandbox scanning results before being allowed access to files. Set the timeout in seconds.

Deny Access to File When There Is No Sandbox Result

Deny access to downloaded files if there is no FortiSandbox result. This may happen if FortiSandbox is offline.

File Submission Options

All Files Executed from Removable Media

Submit all files executed on removable media, such as USB drives, to FortiSandbox for analysis.

All Files Executed from Mapped Network Drives

Submit all files executed from mapped network drives.

All Web Downloads

Submit all web downloads.

All Email Downloads

Submit all email downloads.

Remediation Actions

Action

Choose Quarantine or Alert & Notify for infected files. The user can access the file depending on Wait for FortiSandbox Results before Allowing File Access and Deny Access to File When There Is No Sandbox Result configuration. Whether FortiClient quarantines the file depends on if FortiSandbox reports the file as malicious and the FortiSandbox Detection Verdict Level setting.

FortiSandbox Detection Verdict Level

Select the desired detection verdict level. For FortiClient to apply the action selected in the Action field to an infected file, FortiSandbox must detect the file as this level or higher. For example, if Action is configured as Quarantine and FortiSandbox Detection Verdict Level is configured as Medium, FortiClient quarantines all infected files that FortiSandbox detects as Medium or a higher level (High or Malicious). FortiClient does not quarantine files for which FortiSandbox returns a verdict below this level (Low Risk or Clean).

Exceptions

Exclude Files from Trusted Sources

Exclude files signed by trusted sources from FortiSandbox submission. Following is a list of sources trusted by FortiSandbox:

  • Microsoft
  • Fortinet
  • Mozilla
  • Windows
  • Google
  • Skype
  • Apple
  • Yahoo!
  • Intel

Exclude Specified Folders/Files

Exclude specified folders/files from FortiSandbox submission. You must also create the exclusion list.

Inclusions

Include Specified Folders/Files

Include specified folders/files in FortiSandbox submission. You must also create the inclusion list.

Other

 

Hide Sandbox Scan from Windows Explorer's Context Menu

Hide Sandbox scan option from Windows Explorer's right-click context menu.

Notification Type

Select the desired notification type to display to end users when FortiClient Cloud Sandbox detects an infected file.

Note

In addition to the configuration above, you must also configure the connection to EMS on the FortiSandbox. In FortiSandbox, go to Scan Input > Devices, and search for and authorize EMS using its serial number. You can find the EMS serial number on the System Information widget on the Dashboard.