Fortinet Document Library

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Scan Profile Advanced Tab

Use the Advanced page to define advanced features for file/URL detection.

Enable Adaptive VM Scan

Enable this option to dynamically adjust the number of clones of enabled local VMs. Local VMs include default VMs, optional VMs, and customized VMs.

Enabling this option does not affect the number of remote MacOS or WindowsCloudVMs.

In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes.

A VM's clone number is increased when its usage is higher than a threshold and there are assignable clones or reassignable clones.

A VM's clone number is reduced when it has reassignable clones and there are other VMs requiring more clones.

An enabled local VM has at least one clone. At any time, the number of assignable clones cannot be less than 0.

Note

FortiSandbox-AWS, FortiSandbox-Azure, and FortiSandbox-HyperV do not support Adaptive Scan.

Enable Parallel VM Scan

Normally, a job is scanned in VM in sequence if the file type is associated with a different VM. Enable this option to allow FortiSandbox to run multiple VMs at the same time for a job.

The parallel VM scan only happens when a job needs two or more VM scans and those VMs have a free clone. If there are no free clones, then parallel VM scan does not happen.

In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes.

Enhance VM Scan Ratio

Enable this option to allow a customized ratio for jobs that are scanned in VM. The ratio is a low bound for the jobs that need to be scanned in VM, meaning that the percentage of jobs scanned in VM can be equal to or higher than the preset ratio.

To configure this option, enable Set customized sandboxing ratio and set a ratio between 1 and 100.

This option is an extra filter that sends a job to the VM. When not enabled, the VM scan is skipped.

This option does not affect jobs that should normally be scanned in VM. Those jobs are still VM scanned.

In the system log, FortiSandbox creates a job event log (debug level) every 5 minutes for VM scan ratio statistics for jobs in about the last one hour. This lets you see how many files were scanned in VM in the last hour.

VM scan ratio calculation

The ratio is recalculated for each job based on the total old jobs from one hour ago to the current job submission time.

Example 1. The preset ratio is 60%, there are 100 total jobs in the last hour before the current job, and 60 of 100 have been sent to VM scan. The ratio before the current job is 60*100.0/100 = 60% (<=60%). So the current job will be sent to VM.

Example 2. You submit another job after the above example. The scan ratio is (60+1)*100.0/(100+1) = 60.39% (>60%). So this job won’t be sent to VM.

Because the VM scan takes time and there are jobs rated by cache, AV, allowlist/blocklist, Static Scan, and so on, the ratio of jobs finished in VM scan over all finished jobs in the last hour can be different from the ratio set for this feature.

In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes. Each node uses its local scan jobs to calculate the latest VM scan ratio, and then compare the universal ratio to decide whether to send a current job to VM.

Cache VM Scan Results

Enable this option to allow VM scan cache.

File detection timeout

FortiSandbox supports a customized timeout value to control the tracer running time in VM.

Currently, MAC OSX and Windows Cloud VM do not support file detection.

To configure file detection timeout:
  1. Go to Scan Policy and Object > Scan Profile > Advanced.
  2. Enable File detection timeout and enter a Default Timeout value between 60 and 180 seconds.

    A shorter Default Timeout value gives better performance and faster scan speed, but lowers accuracy. For a balance of speed and accuracy, use a value that falls in the middle of the 60-180 second range.

  3. Click Apply.

    The Scan results shows the VM Scan time.

URL detection timeout

If this option is enabled, FortiSandbox scans URLs (WEBLinks). You can also specify the Default Timeout setting (from 30 to 1200 seconds).

If this option is not enabled, the default timeout is 60 seconds.

URL depth limit

Enable this option to examine the recursive depth of URLs (from 1 to 5).

If this option is not enabled, only the URL itself is examined.

URL content limit

Enable this option to specify the maximum number of URLs from 1 to 10000.

If this option is not enabled, the maximum number of URLs is unlimited

Enable Rating Cloud Service

Enable this option to enhance the rating of the submission by using the rating engine and supervised machine learning in the cloud. The result provides a better detection rate.

Enable Code Emulator

Enable this option to forward the Windows executable submitted file for emulation to find traces of malicious code.

Scan Profile Advanced Tab

Use the Advanced page to define advanced features for file/URL detection.

Enable Adaptive VM Scan

Enable this option to dynamically adjust the number of clones of enabled local VMs. Local VMs include default VMs, optional VMs, and customized VMs.

Enabling this option does not affect the number of remote MacOS or WindowsCloudVMs.

In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes.

A VM's clone number is increased when its usage is higher than a threshold and there are assignable clones or reassignable clones.

A VM's clone number is reduced when it has reassignable clones and there are other VMs requiring more clones.

An enabled local VM has at least one clone. At any time, the number of assignable clones cannot be less than 0.

Note

FortiSandbox-AWS, FortiSandbox-Azure, and FortiSandbox-HyperV do not support Adaptive Scan.

Enable Parallel VM Scan

Normally, a job is scanned in VM in sequence if the file type is associated with a different VM. Enable this option to allow FortiSandbox to run multiple VMs at the same time for a job.

The parallel VM scan only happens when a job needs two or more VM scans and those VMs have a free clone. If there are no free clones, then parallel VM scan does not happen.

In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes.

Enhance VM Scan Ratio

Enable this option to allow a customized ratio for jobs that are scanned in VM. The ratio is a low bound for the jobs that need to be scanned in VM, meaning that the percentage of jobs scanned in VM can be equal to or higher than the preset ratio.

To configure this option, enable Set customized sandboxing ratio and set a ratio between 1 and 100.

This option is an extra filter that sends a job to the VM. When not enabled, the VM scan is skipped.

This option does not affect jobs that should normally be scanned in VM. Those jobs are still VM scanned.

In the system log, FortiSandbox creates a job event log (debug level) every 5 minutes for VM scan ratio statistics for jobs in about the last one hour. This lets you see how many files were scanned in VM in the last hour.

VM scan ratio calculation

The ratio is recalculated for each job based on the total old jobs from one hour ago to the current job submission time.

Example 1. The preset ratio is 60%, there are 100 total jobs in the last hour before the current job, and 60 of 100 have been sent to VM scan. The ratio before the current job is 60*100.0/100 = 60% (<=60%). So the current job will be sent to VM.

Example 2. You submit another job after the above example. The scan ratio is (60+1)*100.0/(100+1) = 60.39% (>60%). So this job won’t be sent to VM.

Because the VM scan takes time and there are jobs rated by cache, AV, allowlist/blocklist, Static Scan, and so on, the ratio of jobs finished in VM scan over all finished jobs in the last hour can be different from the ratio set for this feature.

In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes. Each node uses its local scan jobs to calculate the latest VM scan ratio, and then compare the universal ratio to decide whether to send a current job to VM.

Cache VM Scan Results

Enable this option to allow VM scan cache.

File detection timeout

FortiSandbox supports a customized timeout value to control the tracer running time in VM.

Currently, MAC OSX and Windows Cloud VM do not support file detection.

To configure file detection timeout:
  1. Go to Scan Policy and Object > Scan Profile > Advanced.
  2. Enable File detection timeout and enter a Default Timeout value between 60 and 180 seconds.

    A shorter Default Timeout value gives better performance and faster scan speed, but lowers accuracy. For a balance of speed and accuracy, use a value that falls in the middle of the 60-180 second range.

  3. Click Apply.

    The Scan results shows the VM Scan time.

URL detection timeout

If this option is enabled, FortiSandbox scans URLs (WEBLinks). You can also specify the Default Timeout setting (from 30 to 1200 seconds).

If this option is not enabled, the default timeout is 60 seconds.

URL depth limit

Enable this option to examine the recursive depth of URLs (from 1 to 5).

If this option is not enabled, only the URL itself is examined.

URL content limit

Enable this option to specify the maximum number of URLs from 1 to 10000.

If this option is not enabled, the maximum number of URLs is unlimited

Enable Rating Cloud Service

Enable this option to enhance the rating of the submission by using the rating engine and supervised machine learning in the cloud. The result provides a better detection rate.

Enable Code Emulator

Enable this option to forward the Windows executable submitted file for emulation to find traces of malicious code.