Fortinet black logo

Administration Guide

File Scan Flow

Copy Link
Copy Doc ID 82d3214f-998a-11eb-b70b-00505692583a:198508
Download PDF

File Scan Flow

After a file is received from an input source, it goes through the following steps before a verdict is reached. If a verdict can be reached at any step, the scan stops.

  1. Filtering and Static Scan

    In this step, the file is scanned by the AntiVirus engine and the YARA rules engine. Its file type is compared with the Scan Profile page > Job Queue tab settings to decide if it should be put in the job queue. If yes, it is compared with the allowlist and blocklist and overridden verdict list.

    For certain file types, such as Office and PDF files, they are scanned statistically in virtual engines to detect suspicious contents. If they contain embedded URLs, the URLs are checked to see if the website is a malicious website.

  2. Community Cloud Query

    The file will be queried against the Community Cloud Server to check if an existing verdict is available. If yes, the verdict and behavior information are downloaded. This makes the malware information shareable amongst the FortiSandbox Community for fast detection.

  3. Sandboxing Scan

    If the file type is associated with a VM type, as defined in the Scan Profile page > VM Association, the file is scanned inside a clone of that VM type. A file that is supposed to be scanned inside a VM might skip this step if it's filtered out by sandboxing prefiltering. For more information, see the FortiSandbox CLI Guide for the sandboxing-prefiltering command.

File Scan Flow

After a file is received from an input source, it goes through the following steps before a verdict is reached. If a verdict can be reached at any step, the scan stops.

  1. Filtering and Static Scan

    In this step, the file is scanned by the AntiVirus engine and the YARA rules engine. Its file type is compared with the Scan Profile page > Job Queue tab settings to decide if it should be put in the job queue. If yes, it is compared with the allowlist and blocklist and overridden verdict list.

    For certain file types, such as Office and PDF files, they are scanned statistically in virtual engines to detect suspicious contents. If they contain embedded URLs, the URLs are checked to see if the website is a malicious website.

  2. Community Cloud Query

    The file will be queried against the Community Cloud Server to check if an existing verdict is available. If yes, the verdict and behavior information are downloaded. This makes the malware information shareable amongst the FortiSandbox Community for fast detection.

  3. Sandboxing Scan

    If the file type is associated with a VM type, as defined in the Scan Profile page > VM Association, the file is scanned inside a clone of that VM type. A file that is supposed to be scanned inside a VM might skip this step if it's filtered out by sandboxing prefiltering. For more information, see the FortiSandbox CLI Guide for the sandboxing-prefiltering command.