Fortinet Document Library

Administration Guide

File types

FortiSandbox, by default, supports the following file types:

Executables

BAT, CMD, DLL, EML, EXE, JAR, JSE, MSI, PS1, UPX, WSF, and VBS.

Most DLL files cannot be executed within a VM, so it is recommended to turn on DLL pre-filtering with the following CLI command:

sandboxing-prefilter -e -tdll

Only the DLL files which can be executed inside a VM will be put into the Job Queue.

Archives

7Z, ARB, BZIP, BZIP2, CAB, ISO, EML, GZIP, LZW, RAR, TAR, XZ and more.

Archive files are extracted up to six levels deep, and each file inside is scanned according to the Scan Profile settings. The maximum number of files extracted:

  • On-Demand input: 10,000
  • JSON API: 1,000
  • All other input sources: 100
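
As an added example (not Fortinet's code), the following Python script applies the extraction limits stated above to a local archive before it is submitted, so an operator can tell whether nested content would go unscanned. It assumes ZIP-in-ZIP nesting and treats an archive that is descended into as not counting toward the file cap; both are assumptions of this example.

```python
"""Pre-submission check mirroring the extraction limits this page states:
nesting followed up to six levels, file count capped per input source."""
import io
import zipfile
from typing import Tuple

MAX_DEPTH = 6  # extraction depth stated on the page
# Caps per input source, as stated on the page
EXTRACT_CAPS = {"on-demand": 10_000, "json-api": 1_000, "other": 100}


def count_extracted(data: bytes, depth: int = 1) -> Tuple[int, int]:
    """Return (files_counted, deepest_level_reached) for a ZIP blob.
    Nested ZIPs are descended into only while depth < MAX_DEPTH; a nested
    archive that is not descended into counts as one extracted file
    (assumption of this example)."""
    files, deepest = 0, depth
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            inner = zf.read(info)
            if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(inner)):
                n, d = count_extracted(inner, depth + 1)
                files += n
                deepest = max(deepest, d)
            else:
                files += 1
    return files, deepest


def would_be_truncated(data: bytes, source: str) -> dict:
    """Report whether the archive exceeds the extraction cap for the given
    input source, so the submitter knows before uploading."""
    files, deepest = count_extracted(data)
    cap = EXTRACT_CAPS[source]
    return {"files": files, "deepest_level": deepest, "cap": cap,
            "exceeds_cap": files > cap}


def build_nested_zip(levels: int, files_per_level: int) -> bytes:
    """Constructed sample input: a ZIP nested `levels` deep, each level
    holding `files_per_level` plain-text members plus the next level."""
    payload = b""
    for level in range(levels, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for i in range(files_per_level):
                zf.writestr(f"level{level}_file{i}.txt", b"sample")
            if payload:
                zf.writestr(f"level{level}_inner.zip", payload)
        payload = buf.getvalue()
    return payload
```

An eight-level sample stops being descended at level six, so the seventh and deeper levels are reported as a single unexamined file rather than as scanned content.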

Microsoft Office

Word, Excel, PowerPoint, Outlook and more.

Adobe

PDF, SWF, and Flash.

Static Web Files

HTML, JS, URL, and LNK.

Android File

APK.

MACOSX Files

MACH_O, FATMACH, DMG, XAR, and APP.

WEBLink

URLs submitted by FortiMail devices or sniffed from the email body by the sniffer.

You can create a custom file type and associate it with an existing VM. Therefore, file type analysis is not limited to just the file types listed above.

Sometimes input sources send .eml files to FortiSandbox. For example, FortiMail sends .eml files to FSA when the .eml file is attached inside an email. FSA will parse the .eml file to extract its attachments and perform file scans.

When sandboxing-embeddedurl is enabled, the top three URLs inside the email body will be extracted and scanned along with the .eml inside the same VM.

This feature is useful when a user wants to scan older emails as they are loaded into FSA, such as through an On-Demand scan or Network Share scan.

By default, FortiMail holds a mail for a set period to wait for the verdict from FortiSandbox. Before FortiSandbox scans a file or URL sent from FortiMail, it checks whether FortiMail still needs the verdict, as FortiMail might already have released the email after a timeout. If not, FortiSandbox gives the job an Unknown rating and Skipped status.

Users can use the CLI command fortimail-expired to enable or disable this expiration check.

To use remote VMs, including MACOSX and Windows Cloud VMs, you need to purchase a subscription service from Fortinet. Files are uploaded to the Fortinet Sandboxing cloud and scanned according to the Scan Profile settings.
