FortiSandbox is a key Fortinet product in providing an innovative Advanced Threat Protection (ATP) solution. Recommended by NSS Labs, FortiSandbox is designed to detect and analyze advanced targeted attacks designed to bypass traditional security defenses.
While traditional signature-based systems rely on predefined virus signatures to catch viruses, FortiSandbox looks at the construction of files for characteristics commonly found in viruses and emulates the execution looking for typical virus behavior. As a file is examined, the virus-like attributes are totaled. If a threshold in the number of virus-like attributes is passed, the file is marked as suspicious.
This recipe shows how to integrate FortiSandbox with FortiMail. As part of this integration, an AntiVirus profile on the FortiMail is created, allowing the FortiMail unit to send potentially harmful attachments to the FortiSandbox unit for further analysis.
The workflow below shows the scanning process.
Note that the file types and extensions that the FortiMail unit can submit to the FortiSandbox unit are not fixed; they depend on the versions of the two products. Below is a list of all supported file types and extensions as of FortiMail 5.2.3 and FortiSandbox 2.0 and later:
- MS Word: docx, dotx, docm, dotm
- MS Excel: xlsx, xlsm, xltm, xlsb, xlam
- MS PowerPoint: pptx, ppsx, potx, sldx, pptm, ppsm, potm, ppam, sldm
- MS OneNote: onetoc
- MS Theme: thmx
- JavaScript files
- Windows executable files such as .scr, .dll, .com, and .exe
- Archive files: .RAR and .ZIP