Scan Profile Advanced Tab
Use the Advanced tab to define advanced features for file/URL detection.
Scan Enhancements | |||
Adaptive Scan |
Enable this option to dynamically adjust the number of clones of enabled local VMs. Local VMs include default VMs, optional VMs, and customized VMs. Enabling this option does not affect the number of remote MacOS or WindowsCloudVMs. In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes. A VM's clone number is increased when its usage is higher than a threshold and there are assignable clones or reassignable clones. A VM's clone number is reduced when it has reassignable clones and there are other VMs requiring more clones. An enabled local VM has at least one clone. The number of assignable clones cannot be less than 0 at any time.
|
||
Code Emulator |
Enable this option to forward the Windows executable submitted file for emulation to find traces of malicious code. |
||
Parallel VM Scan |
Enable this option to allow FortiSandbox to run multiple VMs at the same time for a job. Normally, a job is scanned in the VM in sequence if the file type is associated with a different VM. The parallel VM scan only happens when a job needs two or more VM scans and those VMs have a free clone. If there are no free clones, then parallel VM scan does not happen. In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes. |
||
Pipeline Mode |
Enable this option to improve performance and accelerate the scan by reducing the time spent on VM instance starts and shutdowns. This means that jobs can be scanned in a VM instance one at a time without shutting down the instance. A guest VM instance can only be reused when the scanning job won’t change the VM instance status. If the guest VM status has been changed, the VM instance will be shut down and restored for the next job. If a job is rated malicious or suspicious in a pipeline mode VM instance, the job is rescanned in a fresh restored VM to secure a final rating. When a file is scanned in Pipeline Mode VM clone, the Job Details overview page will indicate the launched pipeline mode clone, (for example, Pipeline mode OS:WIN7X86VM). If debug level log is enabled, Job Event will show the number of jobs scanned in Pipeline Mode VM clone, (for example, WIN7X86VM_clone065 is in pipeline and has scanned 2 jobs. See, Logging Levels. Pipeline mode VM clone can scan files and URLs. However, on demand jobs will not use pipeline mode VM clone. In addition, executable files from any source will not use pipeline mode VM clone.
|
||
VM Scan Ratio |
Enable this option to allow a customized ratio for jobs that are scanned in the VM. The ratio is a low bound for the jobs that need to be scanned, meaning the percentage of jobs scanned in the VM can be equal to or higher than the preset ratio. This option:
For more information, see Scan Profile Advanced Tab |
||
Rescan of completed jobs | AV signature updates are frequent (every hour). Running an AV rescan against finished jobs of the last 24 hours could hinder performance. You have the option to disable the AV Rescan to improve performance. | ||
Community Cloud Query |
By default the Cloud Query is enabled. Disable the Cloud Query in the following scenarios:
|
||
Cloud Rating Service | Enable this option to enhance the rating of the submission to provide a better detection rate by utilizing the Rating Engine and supervised Machine Learning in the cloud. When enabled, the local verdict and rating log are sent to the cloud. The original submitted file is not included. | ||
Real-Time Zero-Day Anti-Phishing Service |
Enable this option to allow FortiSandbox to use this subscription-based service to scan a URL for phishing and spam in real-time. See, Real-Time Zero-Day Anti-Phishing Service. This option can also be enabled by running the following CLI command: |
||
Limits and Timeouts |
|||
URL depth limit |
Enable this option to examine the recursive depth of URLs (from 1 to 5). When this option is disabled, only the URL itself is examined. |
||
URL content limit |
Enable this option to specify the maximum number of URLs from 1 to 10000. When this option is disabled, the maximum number of URLs is unlimited. |
||
VM Scan timeout for executable file |
FortiSandbox supports a customized timeout value to control the tracer running time for executable files in the VM. If a zip file is sent to the VM while it has executable children, it will use this timeout value as well. The accepted value is between 60 to 180 seconds. The default value is 180 seconds. |
||
VM Scan timeout for documents and other non-executable files |
FortiSandbox supports a customized timeout value to control the tracer running time in the VM. Currently, MAC OSX and Windows Cloud VM do not support file detection timeout. The default value is 60 seconds. For more information, see Configure VM Scan timeout for document and other non-executable file |
||
VM Scan timeout for URL |
When URL detection is enabled, FortiSandbox scans URLs (WEBLinks). You can also specify the timeout setting (from 30 to 1200 seconds). When this option is disabled, the default timeout is 60 seconds. |
||
Additional Options |
|||
Default Password-protected archive files |
Define a list of passwords that can be tried to extract archive files. Input passwords line by line. A maximum of 30 passwords is allowed.
|
||
Default Password-protected PDF/Office files | User can define one password for PDF and Office files. | ||
Reject duplicate files from Security Fabric Device |
When enabled, FortiSandbox will directly return the existing verdict for a duplicate file if the current scan environment (including AVDB, block/allow list, scan profile, etc.) has not changed since the original file was scanned. If the scan environment has changed, the duplicate file will be rescanned under the new conditions. |
||
Feedback Options |
|||
Contribute detected suspicious files to FortiSandbox Community Cloud | Enable to upload malicious and suspicious file and URL information to the Sandbox Community Cloud. If enabled, the original file/URL, file/URL checksum, tracer log, verdict, submitting device serial number, and downloading URL are uploaded. | ||
Contribute detected suspicious URL to FortiGuard | Enable to submit malware downloading URL to the FortiGuard Web Filter Service. | ||
Upload detection statistics to FortiGuard | Enable to upload statistics to FortiGuard. If enabled, the following are uploaded: submitting device serial number and firmware, job-related results and statistics. |
To enhance the VM Scan Ration:
Enable Set customized sandboxing ratio and set a ratio between 1 and 100.
In the system log, FortiSandbox creates a job event log (debug level) every 5 minutes for VM scan ratio statistics for jobs in approximately the last hour. This lets you see how many files were scanned in the VM in the last hour.
VM scan ratio calculation
The ratio is recalculated for each job based on the total old jobs from one hour ago to the current job submission time.
Example 1. The preset ratio is 60%, there are 100 total jobs in the last hour before the current job, and 60 of 100 have been sent to VM scan. The ratio before the current job is 60*100.0/100 = 60% (<=60%). So the current job will be sent to the VM.
Example 2. You submit another job after the above example. The scan ratio is (60+1)*100.0/(100+1) = 60.39% (>60%). So this job won’t be sent to the VM.
Because the VM scan takes time and there are jobs rated by cache, AV, allowlist/blocklist, Static Scan, and so on, the ratio of jobs finished in VM scan over all finished jobs in the last hour can be different from the ratio set for this feature.
In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes. Each node uses its local scan jobs to calculate the latest VM scan ratio, and then compare the universal ratio to decide whether to send a current job to VM.
Cache Dynamic Scan Results
Enable this option to allow VM scan cache.
Configure VM Scan timeout for document and other non-executable file
FortiSandbox supports a customized timeout value to control the tracer running time in the VM.
Currently, MAC OSX and Windows Cloud VM do not support file detection timeout.
To configure file detection timeout:
- Go to Scan Policy and Object > Scan Profile > Advanced.
- Enable VM Scan timeout for document and other non-executable file and enter a timeout value.
A shorter Default Timeout value provides better performance and faster scan speed, but lower accuracy. For a balance of speed and accuracy, use a value that falls in the middle of the 60-180 second range for normal model. Higher-end models (2000E/3000E/3000F/1500G), allows 45-180 second range.
- Click Apply. The Scan results shows the VM Scan time.
WhenVM Scan timeout for non-executable file is, the non-executable files will display the timeout value in Job Detail Overview page, for
Timeout Value:111 seconds
.
The Dynamic Scan or VM Scan timeout is the maximum runtime of the VM. The VM Scan may shorten the duration when the file or URL finish execution.
Real-Time Zero-Day Anti-Phishing Service
To configure the server settings:
go to System > FortiGuard. For information, see FortiGuard.
To troubleshoot the Real-Time Zero-Day Anti-Phishing Service:
Use the CLI command diagnose-debug anti-phishing
to troubleshoot the following issues:
-
Server connection status
-
Server return rating result
-
Downloading screen shots
For more information, see the FortiSandbox CLI Reference Guide.