Fortinet black logo

Administration Guide

File Scan Flow

Copy Link
Copy Doc ID af12b5b0-1c45-11ea-9384-00505692583a:198508
Download PDF

File Scan Flow

After a file is received from an input source, it goes through the following steps before a verdict is reached. If a verdict can be reached at any step, the scan will stop.

  1. Filtering and Static Scan

    In this step, the file is scanned by the antivirus engine and the YARA rules engine. Its file type is checked against the Scan Profile page > Job Queue tab settings to decide if it should be put in the job queue. If yes, it is checked against the blocklist/allowlist (black/white list) and overridden verdict list.

    For some file types, such as Office and PDF files, they are scanned statistically in virtual engines to detect suspicious contents. If they contain embedded URLs, the URLs are checked to see if the website is malicious.

  2. Community Cloud Query

    The file will be queried against the Community Cloud Server to check if an existing verdict is available. If yes, the verdict and behavior information will be downloaded. This makes the malware information shareable amongst the FortiSandbox Community for fast detection.

  3. Sandboxing Scan

    If the file type is associated with a VM type, as defined in the Scan Profile page > VM Association, the file will be scanned inside a clone of that VM type. A file that is supposed to be scanned inside a VM might skip this step if it's filtered out by sandboxing prefiltering. For more information, see the FortiSandbox CLI Guide for the sandboxing-prefiltering command.

File Scan Flow

After a file is received from an input source, it goes through the following steps before a verdict is reached. If a verdict can be reached at any step, the scan will stop.

  1. Filtering and Static Scan

    In this step, the file is scanned by the antivirus engine and the YARA rules engine. Its file type is checked against the Scan Profile page > Job Queue tab settings to decide if it should be put in the job queue. If yes, it is checked against the blocklist/allowlist (black/white list) and overridden verdict list.

    For some file types, such as Office and PDF files, they are scanned statistically in virtual engines to detect suspicious contents. If they contain embedded URLs, the URLs are checked to see if the website is malicious.

  2. Community Cloud Query

    The file will be queried against the Community Cloud Server to check if an existing verdict is available. If yes, the verdict and behavior information will be downloaded. This makes the malware information shareable amongst the FortiSandbox Community for fast detection.

  3. Sandboxing Scan

    If the file type is associated with a VM type, as defined in the Scan Profile page > VM Association, the file will be scanned inside a clone of that VM type. A file that is supposed to be scanned inside a VM might skip this step if it's filtered out by sandboxing prefiltering. For more information, see the FortiSandbox CLI Guide for the sandboxing-prefiltering command.