File On-Demand
To view on-demand files and submit new files to be sandboxed, go to Scan Input > File On-Demand. You can drill down into the information and apply search filters. You can create a snapshot report in PDF or CSV format for all on-demand files. Search filters will be applied to the detailed report.
File On-Demand allows you to upload various file types directly to your FortiSandbox device. You can then view the results and decide whether or not to install the file on your network.
FortiSandbox has a rescan feature. When a Suspicious or Malicious file is detected, you can click the ReScan icon to rescan the file. This is useful when you want to understand the file's behavior when it is executed on the Microsoft Windows host. You can force the file through a Sandboxing scan even if it was detected in earlier steps of Static Scan, AV Scan, or Cloud Query, or was stopped from entering the VM by the Sandboxing-prefilter setting. All rescanned jobs can be found in the On-Demand page.
You can select VM types to do the sandboxing by overwriting what is defined in the Scan Profile. When MACOSX or WindowsCloud VM is selected, the file will be uploaded to the cloud to be scanned. For password protected archive files or Microsoft Office files, list all possible passwords. The default password list set in the Scan Policy > General page will also be used to extract the archive files.
All files submitted through the JSON API are treated as On-Demand files. Their results will also be shown on this page.
File On-Demand page - level 1
The following options are available:
Submit File
Click the button to submit a new file. You can upload a regular or archived file. Six levels of file compression are supported. All files in the archive will be treated as a single file.
Show Rescan Job
Jobs generated from manual rescan can be shown or hidden with this option.
Search
Show or hide the search filter field.
Add Search Filter
Click the search filter field to add search filters. Click the cancel icon to the left of the search filter to remove the specific filter. Click the clear all filters icon in the search filter field to clear all filters. When the search filter is Filename, select the equal icon to toggle between exact search and pattern search.
Refresh
Click the refresh icon to refresh the entries displayed after applying search filters.
Clear all removable filters
Click the trash can icon to clear all removable filters.
Export Data
Click the Export Data button to create a PDF or CSV snapshot report. The time period of the jobs included in the report depends on the selection in the Time Period drop-down. You can wait until the report is ready to view, or navigate away and find the report later in Log & Report > Report Center.
View Jobs
Click the icon to view the scan jobs associated with the entry. You can view detailed information for files scanned. If the file is an archive file, all files in the archive are displayed in this page.
Pagination
Use the pagination options to browse entries displayed.
This page displays the following information:
Submission Time
The date and time that the file was submitted to FortiSandbox. Use the column filter to sort the entries in ascending or descending order.
Submitted Filename
The file name.
Submitted By
The name of the administrator that submitted the file. Use the column filter to sort the entries in ascending or descending order.
Rating
Hover over the icon to view the file rating. The rating can be one or more of the following: Clean, Low Risk, Medium Risk, High Risk, Malicious, or Other. For archive files, the possible ratings of all files in the archive are displayed. During the file scan, the rating is displayed as N/A. If a scan times out or is terminated by the system, the file will have an Other rating.
Status
The scan status can be Queued, In-Process, or Done.
File Count
The number of files associated with the entry. It is in the format of (finished file count)/(total files of this submission) when the scan is In-Progress. When the scan is done, it will display the total number of files in this submission.
Comments
The comments the user entered when submitting the file.
Rescan Job
This icon indicates that this file is a rescanned version of another file.
Archive Submission
This icon indicates that an archived file has been submitted for scanning.
Total Jobs
The number of jobs displayed and the total number of jobs.
After a file is submitted, the file might not be visible until the file, or any file inside an archive file, is put into a job queue. In a cluster setting, the file will not be visible until the file is put into a slave node's job queue.
To view the scan job(s) associated with the entry:
- Click the View Jobs icon or double-click the row. The view jobs page is displayed.
In this page you can view detailed information for files scanned. If the file is an archive file, all files in the archive are displayed in this page.
- This page displays the following information and options:
Back
Click the Back button to return to the On Demand page.
Search
Show or hide the search filter field.
Refresh
Click the Refresh icon to refresh the entries displayed after applying search filters.
Add Search Filter
Click the search filter field to add search filters. Click the Cancel icon to the left of the search filter to remove the specific filter.
When the search filter is Filename, select the Equal icon to toggle between exact search and pattern search.
View Details
Click the View Details icon to view file information. The information displayed in the view details page is dependent on the file type and risk level.
Scan Video
When the scan is submitted, if Record scan process in video is selected, a video icon is displayed. Clicking it will allow the user to select one VM type in which the scan is done and recorded. Select the VM type to play the video or save it to a local hard disk.
The order of displayed columns is determined by the settings defined in the System > Job View Settings > File Detection Columns page. For more information, refer to Job View Settings.
Pagination
Use the pagination options to browse entries displayed.
- Click the View Details icon to view file details. The View Details page will open a new tab. See Appendix A - View Details page reference for descriptions of the View Details page.
- Click the parent job ID icon to view rescan file details.
If the parent job is an archive file, the children's file names are included in the Archive Files dropdown list. Select a child's file name to view its details.
- Close the tab to exit the View Details page.
To create a snapshot report for all on-demand files:
- Select a time period from the first dropdown list.
- Select to apply search filters to further drill down the information in the report.
- Click the Export Data button in the toolbar, opening the Report Generator window.
- Select PDF or CSV.
- Click the Generate Report button to create the report.
You can wait until the report is ready to view, or navigate away and find the report later in Log & Report > Report Center.
- Click the Close icon or the Cancel button to quit the report generator.
In this release, the maximum number of events you can export to a PDF report is 1000; the maximum number of events you can export to a CSV report is 15000. Jobs over that limit will not be included in the report.
To submit a file to FortiSandbox:
- Click the Submit File button from the toolbar.
- You can configure the following:
Select a File
Click the Browse button and locate the sample file or archived sample file on your management computer.
Possible password(s) for archive/office file
List all possible passwords to extract a password protected archive file or open a password protected Microsoft Office file. One password per line. The default password list set in the Scan Policy > General page will also be used to extract the archive files.
Comments
Optional comments for future reference.
Force to scan the file inside VM
Enable to select advanced options.
Follow VM Association Settings in Scan Profile
If the sandboxing step is not skipped, the file will be sent to its associated VMs defined in Scan Profile.
Force to Scan Inside the Following VMs
Overwrite VM association settings in Scan Profile by selecting one or more of the enabled VMs.
Allow Interaction
Select the Allow Interaction checkbox to interact with the Windows VM. See To use the Allow Interaction Feature: for more information.
Record scan process in video if VMs involve
Select to enable video recording. After the scan finishes, a video icon will show in the File On-Demand second level detail page. Clicking it will trigger a download or play the video.
Add sample to threat package
If the result matches the malware package requirement, add the scan result to the threat package.
- Click the Submit button. A confirmation dialog box will be displayed. Click OK to continue. The file will be uploaded to FortiSandbox for inspection.
- Click the Close button to exit.
The file will be listed in the On-Demand page. Once FortiSandbox has completed its analysis, you can select to view the file details.
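A pre-submission check against the six levels of compression that Submit File supports, as an added example that is not Fortinet code. It assumes "levels" means archives nested inside one another and handles ZIP only; the function names, size cap and recursion cap are hypothetical choices for the illustration.

```python
import io
import zipfile
import zlib

MAX_LEVELS = 6                  # limit stated on this page for Submit File
MAX_MEMBER_BYTES = 64 * 2**20   # assumption: never read more than 64 MiB per member
HARD_STOP = 16                  # assumption: stop descending well past the limit


def zip_depth(data: bytes, level: int = 1) -> int:
    """Count nested ZIP layers in data: 0 = not a ZIP, 1 = flat archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return 0
    deepest = level
    with zf:
        members = [] if level >= HARD_STOP else zf.infolist()
        for info in members:
            # Skip directories, oversized members and encrypted members
            # (flag bit 0), which cannot be inspected without a password.
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES or info.flag_bits & 0x1:
                continue
            try:
                with zf.open(info) as member:
                    inner = member.read(MAX_MEMBER_BYTES + 1)  # capped read
            except (zipfile.BadZipFile, NotImplementedError, RuntimeError, zlib.error):
                continue  # corrupt or unsupported member: treat as opaque
            if len(inner) <= MAX_MEMBER_BYTES:
                deepest = max(deepest, zip_depth(inner, level + 1))
    return deepest


def build_nested(levels: int) -> bytes:
    """Constructed sample: a text file wrapped in `levels` ZIP layers."""
    payload, name = b"constructed sample content", "sample.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, payload)
        payload, name = buf.getvalue(), f"layer{i}.zip"
    return payload


def within_limit(data: bytes) -> bool:
    """True when data is a ZIP nested no deeper than MAX_LEVELS."""
    return 0 < zip_depth(data) <= MAX_LEVELS


if __name__ == "__main__":
    for n in (1, 6, 7):
        print(n, "layers ->", "ok" if within_limit(build_nested(n)) else "too deep")
```

The check only reads bytes and never executes the sample. Encrypted members are counted as opaque, so a password protected inner archive can hide further layers.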
To use the Allow Interaction Feature:
- Go to Scan Input > File On-Demand and click Submit File in the toolbar.
- In the Submit New File window, check the Allow Interaction checkbox.
When selected, only one VM can be specified.
- Click Submit.
- Go to the Virtual Machine > VM Status page. The job will be launched when a clone of a selected VM is available.
There are two ways to interact with the Windows VM:
- Use a VNC client and connect to fsa_ip:port. The port number can be found in the Interaction icon tooltip. Click the Interaction icon and the login password will appear in the address bar.
- Click the Interaction icon to use the web-based VNC client. Click Yes in the Do you want to start the scan? popup; the scan will start and the question becomes Do you want to stop the scan?
Click Yes to stop the scan and the VNC session will close after a few seconds. Go back to the On-Demand page to check the scan result.
The user has 30 minutes to finish the interaction. After that, the VNC session will be closed automatically.
VM Interaction and Scan video recording features are only available to users whose admin profile has Allow On-Demand Scan Interaction enabled.