FortiSandbox
Not every piece of malware has a signature. This is especially true of new malware and variations on existing malware. FortiOS can upload suspicious files to FortiSandbox for sandbox inspection. When a FortiGate uses sandbox inspection, files are sent to the FortiSandbox. Then the FortiSandbox uses virtual machines (VMs) running different operating systems to test the file, to determine if it is malicious. If the file exhibits risky behavior, or is found to contain a virus, a new signature can be added to both the local FortiGate malware database and the FortiGuard AntiVirus signature database.
A file is deemed suspicious when it does not contain a known threat but has characteristics that suggest it may be malware. The characteristics that determine if a file is suspicious are updated by Fortinet to reflect the current threat climate.
FortiSandbox is available as a physical or virtual appliance (FortiSandbox Appliance), or as a cloud advanced threat protection service integrated with FortiGate (FortiCloud).
To configure an AntiVirus profile to send files to FortiSandbox, first verify that your FortiSandbox appliance is configured or that your FortiCloud account is active. Then go to Security Profiles > AntiVirus and enter the desired Inspection Options.
Sandbox inspection assists in the discovery of new threats and the creation of new signatures to be added to the global FortiGuard AntiVirus database. Files deemed malicious are immediately added to a custom Malware Package, which the FortiGate downloads every two minutes for live detection.
The Advanced Threat Protection Statistics dashboard widget displays the number of files that your FortiGate unit has uploaded or submitted to FortiSandbox. To see FortiSandbox statistics for the last 7 days, go to Fortinet Security Fabric > Settings.
Option for "Suspicious Files Only" for FortiSandbox submissions
Beginning in FortiOS 6.0.1, FortiGates can use the FortiSandbox Cloud service as part of the AntiVirus subscription. In order to reduce client upload bandwidth usage and general load on the FortiSandbox service, a new "Suspicious Files Only" upload option has been added to the AntiVirus profile, which previously only had "None" and "All Supported Files".
In order to enforce best practices, "None" is now the default.
Syntax
config antivirus profile
    edit <profile name>
        set ftgd-analytics [disable|suspicious|everything]
    next
end
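As an added example that is not part of the Fortinet documentation, the following Python script audits a FortiGate configuration backup and lists the AntiVirus profiles whose effective ftgd-analytics value is disable, i.e. profiles that never submit anything to FortiSandbox. The sample configuration is constructed, and the script assumes that a profile which omits the setting runs with the default of disable stated above; the nested per-protocol block is included to show that the parser tracks nesting correctly.

```python
# Constructed sample of a FortiGate config backup (not from a real device). The
# "legacy" profile never sets ftgd-analytics, so it runs with the default, which
# the page states is "disable" (no uploads) as of FortiOS 6.0.1.
SAMPLE_CONFIG = """\
config antivirus profile
    edit "default"
        config http
            set options scan
        end
        set ftgd-analytics suspicious
    next
    edit "legacy"
    next
    edit "full"
        set ftgd-analytics everything
    next
end
"""

DEFAULT_FTGD_ANALYTICS = "disable"  # default stated on the page for FortiOS 6.0.1+

def parse_av_profiles(config_text):
    """Return {profile name: effective ftgd-analytics value} for each AV profile."""
    profiles, depth, current = {}, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:  # skip everything until the antivirus profile table starts
            if line == "config antivirus profile":
                depth = 1
            continue
        if line.startswith("config "):  # nested per-protocol block inside a profile
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:  # the table itself is closed; later tables are irrelevant
                break
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            profiles[current] = DEFAULT_FTGD_ANALYTICS  # effective value if never set
        elif depth == 1 and line == "next":
            current = None
        elif depth == 1 and current and line.startswith("set ftgd-analytics "):
            profiles[current] = line.split()[2]  # disable | suspicious | everything
    return profiles

def profiles_without_sandbox(config_text):
    """Names of profiles whose effective setting sends nothing to FortiSandbox."""
    return sorted(n for n, v in parse_av_profiles(config_text).items() if v == "disable")
```

Run it against a full backup (show full-configuration output) to find profiles still at the default after the FortiOS 6.0.1 change, then decide per profile whether suspicious or everything is the right setting.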