Fortinet white logo
Fortinet white logo

Administration Guide

File types

File types

FortiSandbox, by default, supports the following file types:

Executables

BAT, CMD, DLL, EML, EXE, JAR, JSE, MSI, PS1, UPX, WSF, and VBS.

Most DLL files cannot be executed within a VM. You can enable pre-filtering with the following CLI command:

sandboxing-prefilter -e -tdll

Only the DLL files which can be executed inside a VM are put into the Job Queue.

Archives

7Z, ARB, BZIP, BZIP2, CAB, ISO, EML, GZIP, LZW, RAR, TAR, XZ, ZIP, and more.

Archive files are extracted up to six levels and each file inside are scanned according to the Scan Profile settings. The maximum number of files extracted are:

  • On-Demand input: 10000
  • JSON API: 1000
  • All other input sources: 100

Microsoft Office

Word, Excel, PowerPoint, Outlook, and more.

Adobe

PDF, SWF, and Flash.

Static Web Files

HTML, JS, URL, and LNK.

Android File

APK.

MACOSX Files

MACH_O, FATMACH, DMG, XAR, Linux, and APP.

WEBLink

URLs submitted by FortiMail devices or sniffed from email body by sniffer.

note icon

You can create a custom file type and associate it to an existing VM. Therefore, file type analysis is not limited to just the file types listed in the table above.

Sometimes input sources send .eml files to FortiSandbox. For example, FortiMail sends .eml files to FortiSandbox when the .eml file is attached inside an email. FortiSandbox parses the .eml file to extract its attachments and perform file scans.

When sandboxing-embeddedurl is enabled, the top three URLs inside the email body are extracted and scanned along with the .eml inside the same VM. If the URL is a direct download link, the file is downloaded and sent with the URL to be scanned.

This feature is useful when you want to scan older emails when they are loaded to FortiSandbox, such as through an On-Demand scan or Network Share scan.

By default, FortiMail holds a mail item for a time to wait for the FortiSandbox verdict. Before FortiSandbox scans a file or URL sent from FortiMail, it checks if FortiMail still needs the verdict as FortiMail might have already released the email after time out. If not, FortiSandbox gives the job an Unknown rating and skipped status.

Use the CLI command fortimail-expired to enable or disable this expiration check.

To use remote VMs including MACOSX and Windows Cloud VM, you need to purchase subscription service from Fortinet. Files are uploaded to Fortinet Sandboxing cloud to scan according to Scan Profile settings.

File types

File types

FortiSandbox, by default, supports the following file types:

Executables

BAT, CMD, DLL, EML, EXE, JAR, JSE, MSI, PS1, UPX, WSF, and VBS.

Most DLL files cannot be executed within a VM. You can enable pre-filtering with the following CLI command:

sandboxing-prefilter -e -tdll

Only the DLL files which can be executed inside a VM are put into the Job Queue.

Archives

7Z, ARB, BZIP, BZIP2, CAB, ISO, EML, GZIP, LZW, RAR, TAR, XZ, ZIP, and more.

Archive files are extracted up to six levels and each file inside are scanned according to the Scan Profile settings. The maximum number of files extracted are:

  • On-Demand input: 10000
  • JSON API: 1000
  • All other input sources: 100

Microsoft Office

Word, Excel, PowerPoint, Outlook, and more.

Adobe

PDF, SWF, and Flash.

Static Web Files

HTML, JS, URL, and LNK.

Android File

APK.

MACOSX Files

MACH_O, FATMACH, DMG, XAR, Linux, and APP.

WEBLink

URLs submitted by FortiMail devices or sniffed from email body by sniffer.

note icon

You can create a custom file type and associate it to an existing VM. Therefore, file type analysis is not limited to just the file types listed in the table above.

Sometimes input sources send .eml files to FortiSandbox. For example, FortiMail sends .eml files to FortiSandbox when the .eml file is attached inside an email. FortiSandbox parses the .eml file to extract its attachments and perform file scans.

When sandboxing-embeddedurl is enabled, the top three URLs inside the email body are extracted and scanned along with the .eml inside the same VM. If the URL is a direct download link, the file is downloaded and sent with the URL to be scanned.

This feature is useful when you want to scan older emails when they are loaded to FortiSandbox, such as through an On-Demand scan or Network Share scan.

By default, FortiMail holds a mail item for a time to wait for the FortiSandbox verdict. Before FortiSandbox scans a file or URL sent from FortiMail, it checks if FortiMail still needs the verdict as FortiMail might have already released the email after time out. If not, FortiSandbox gives the job an Unknown rating and skipped status.

Use the CLI command fortimail-expired to enable or disable this expiration check.

To use remote VMs including MACOSX and Windows Cloud VM, you need to purchase subscription service from Fortinet. Files are uploaded to Fortinet Sandboxing cloud to scan according to Scan Profile settings.