Administration Guide

File Scan Flow

After a file is received from an input source, it goes through the following steps before a verdict is reached. If a verdict can be reached at any step, the scan will stop.

  1. Filtering and Static Scan

    In this step, the file is scanned by the AntiVirus engine and the YARA rules engine. Its file type is then compared with the Scan Profile page > Job Queue tab settings to decide whether it should be put in the job queue. If so, the file is compared with the Black/White list and the overridden verdict list.

    Certain file types, such as Office and PDF files, are also scanned statically in virtual engines to detect suspicious content. If they contain embedded URLs, those URLs are checked to see whether the website is malicious.

  2. Community Cloud Query

    The file will be queried against the Community Cloud Server to check if an existing verdict is available. If yes, the verdict and behavior information will be downloaded. This makes the malware information shareable amongst the FortiSandbox Community for fast detection.

  3. Sandboxing Scan

    If the file type is associated with a VM type, as defined in the Scan Profile page > VM Association, the file is scanned inside a clone of that VM type. A file that would normally be scanned inside a VM may skip this step if it is filtered out by sandboxing prefiltering. For more information, see the FortiSandbox CLI Guide for the sandboxing-prefiltering command.
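The following Python model illustrates the three-step flow above and, in particular, the early-exit rule: each step either returns a verdict (and the scan stops) or passes the file on. It is an added example, not FortiSandbox code: the job-queue types, VM association, signature, URL reputation set, hashes and verdict labels are all constructed, and two behaviours the page leaves open are treated as assumptions (the precedence between the Black/White list and the overridden verdict list, and a file type not selected for the job queue ending the flow with no verdict).

```python
"""Toy model of a three-step file scan flow with early exit.

Added illustration only, not FortiSandbox code. Every setting, hash,
signature, VM name and verdict label below is constructed for the example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional

# --- Constructed configuration (assumptions, not product settings) -----------
JOB_QUEUE_TYPES = {"exe", "pdf", "docx"}             # stand-in for Scan Profile > Job Queue
VM_ASSOCIATION = {"exe": "WIN-VM", "docx": "WIN-VM"}  # stand-in for Scan Profile > VM Association
DOCUMENT_TYPES = {"pdf", "docx"}                      # types that get static document analysis
AV_SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"         # toy AV/YARA signature
MALICIOUS_URLS = {"http://bad.example/payload"}      # toy URL reputation list


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


WHITELIST = {sha256(b"known-good installer")}
BLACKLIST = {sha256(b"known-bad dropper")}
OVERRIDDEN_VERDICTS = {sha256(b"false positive build"): "Clean"}
# Community cloud stand-in: hash -> (verdict, behaviour summary shared by the community)
COMMUNITY_CLOUD = {sha256(b"seen-by-community"): ("Malicious", ["creates run key", "connects to C2"])}


@dataclass
class ScanFile:
    name: str
    ftype: str
    data: bytes
    embedded_urls: list[str] = field(default_factory=list)
    skip_sandbox: bool = False  # stand-in for the sandboxing-prefiltering decision

    @property
    def digest(self) -> str:
        return sha256(self.data)


@dataclass
class ScanResult:
    verdict: Optional[str]  # None when the flow ended without a verdict
    stage: str
    notes: list[str]


def stage_filtering_static(f: ScanFile, notes: list[str]) -> Optional[ScanResult]:
    stage = "Filtering and Static Scan"
    if AV_SIGNATURE in f.data:
        notes.append("AV/YARA signature match")
        return ScanResult("Malicious", stage, notes)
    if f.ftype not in JOB_QUEUE_TYPES:
        notes.append("file type not selected in job queue settings; not queued")
        return ScanResult(None, stage, notes)  # assumption: the flow ends here without a verdict
    # Assumed precedence: White list, then Black list, then overridden verdicts
    if f.digest in WHITELIST:
        notes.append("hash on White list")
        return ScanResult("Clean", stage, notes)
    if f.digest in BLACKLIST:
        notes.append("hash on Black list")
        return ScanResult("Malicious", stage, notes)
    if f.digest in OVERRIDDEN_VERDICTS:
        notes.append("hash on overridden verdict list")
        return ScanResult(OVERRIDDEN_VERDICTS[f.digest], stage, notes)
    if f.ftype in DOCUMENT_TYPES:
        bad = [u for u in f.embedded_urls if u in MALICIOUS_URLS]
        if bad:
            notes.append(f"static document analysis: malicious embedded URL {bad[0]}")
            return ScanResult("Malicious", stage, notes)
        notes.append("static document analysis: no suspicious content")
    return None  # no verdict yet; continue to the next step


def stage_community_cloud(f: ScanFile, notes: list[str]) -> Optional[ScanResult]:
    hit = COMMUNITY_CLOUD.get(f.digest)
    if hit is None:
        notes.append("no community cloud verdict")
        return None
    verdict, behaviours = hit
    notes.append(f"community cloud verdict; behaviours downloaded: {behaviours}")
    return ScanResult(verdict, "Community Cloud Query", notes)


def stage_sandbox(f: ScanFile, notes: list[str]) -> Optional[ScanResult]:
    vm = VM_ASSOCIATION.get(f.ftype)
    if vm is None:
        notes.append("no VM type associated with this file type")
        return None
    if f.skip_sandbox:
        notes.append("skipped by sandboxing prefiltering")
        return None
    # Stand-in for detonation in a clone of `vm`: a constructed behaviour marker
    malicious = b"CONSTRUCTED-SUSPICIOUS-BEHAVIOUR" in f.data
    verdict = "Malicious" if malicious else "Clean"
    notes.append(f"detonated in clone of {vm}: {verdict}")
    return ScanResult(verdict, "Sandboxing Scan", notes)


STAGES: list[Callable[[ScanFile, list[str]], Optional[ScanResult]]] = [
    stage_filtering_static, stage_community_cloud, stage_sandbox,
]


def scan(f: ScanFile) -> ScanResult:
    """Run the steps in order and stop at the first one that decides."""
    notes: list[str] = []
    for stage in STAGES:
        result = stage(f, notes)
        if result is not None:
            return result
    return ScanResult(None, "end of flow", notes)  # no step could reach a verdict


# Constructed sample inputs, one per path through the flow
SAMPLES = {
    "sig.exe": ScanFile("sig.exe", "exe", b"MZ" + AV_SIGNATURE),
    "good.exe": ScanFile("good.exe", "exe", b"known-good installer"),
    "img.png": ScanFile("img.png", "png", b"\x89PNG"),
    "cloud.exe": ScanFile("cloud.exe", "exe", b"seen-by-community"),
    "phish.pdf": ScanFile("phish.pdf", "pdf", b"%PDF", ["http://bad.example/payload"]),
    "macro.docx": ScanFile("macro.docx", "docx", b"PK CONSTRUCTED-SUSPICIOUS-BEHAVIOUR"),
    "plain.pdf": ScanFile("plain.pdf", "pdf", b"%PDF plain"),
    "pre.exe": ScanFile("pre.exe", "exe", b"MZ unknown", skip_sandbox=True),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        r = scan(sample)
        print(f"{name:11} -> {r.verdict!s:9} at {r.stage}: {'; '.join(r.notes)}")
```

Two of the constructed samples are worth a second look: `plain.pdf` reaches the end of the flow with no verdict because, in this toy configuration, no VM is associated with PDF files, and `pre.exe` does so because prefiltering removed it from the sandbox step. Both show the case an operator should watch for in practice: a file that every step passes along and none decides on.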