Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSandbox 4.4.4 Administration Guide
    4.4.4
    5.0.0
    4.4.6
    4.4.5
    4.4.4
    4.4.3
    4.4.2
    4.4.1
    4.4.0
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.0.5
    4.0.4
    4.0.3
    4.0.2
    4.0.1
    4.0.0
    3.2.4
    3.2.3
    3.2.2
    3.2.1
    3.2.0
    3.1.5
    3.1.4
    3.1.3
    3.1.2
    3.1.1
    3.1.0
    3.0.7
    3.0.6

    File types

    File types

    FortiSandbox supports the following file types by default.

    Executables

    BAT, CMD, DLL, EML, EXE, JAR, JSE, MSI, PS1, UPX, WSF, and VBS.

    Most DLL files cannot be executed within a VM. You can enable pre-filtering with the following CLI command:

    sandboxing-prefilter -e -tdll

    Only the DLL files which can be executed inside a VM are put into the Job Queue.

    Archives

    7Z, ACE, ARJ, BZ2, CAB, GZ, ISO, KGB, LZH, RAR, TAR, TGZ, XZ, Z, and ZIP.

    Extraction is limited by the following conditions:

    • Number of child files to extract. Default is 1000 and is configurable by prescan-config
    • Total file size of child files to extract, configurable by filesize-limit

    • Time spent to extract child files. Default timeout value is 15s for regular files(<=512M) and 600s for large files (>512M), the value is configurable by prescan-config

    Microsoft Office

    Microsoft Word (.doc, .docm, .docx, .dot, .dotm and .dotx), Microsoft Excel (.xls, .xis, .xlam, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx), Microsoft PowerPoint (.pot, .potm, .potx, .ppt, .pptm, .pptx, .ppam, .pps, .ppsm, .ppsx, .sldm, .sldx), Microsoft Publisher (.pub), Microsoft OneNote (.one), Microsoft Web Query Files (.iqy), Rich Text Format (.rtf)

    Adobe

    Flash, PDF, and SWF.

    Static Web Files

    HTML, JS, LNK, and URL.

    Android File

    APK

    MACOSX Files

    Mac (MACH_O, FATMACH, XAR, and APP files) and dmg (DMG) files.

    WEBLink

    URLs submitted by FortiMail devices or sniffed from email body by sniffer.
    note icon

    You can create a custom file type and associate it to an existing VM. Therefore, file type analysis is not limited to just the file types listed in the table above.

    Sometimes input sources send .eml files to FortiSandbox. For example, FortiMail sends .eml files to FortiSandbox when the .eml file is attached inside an email. FortiSandbox parses the .eml file to extract its attachments and perform file scans.

    When sandboxing-embeddedurl is enabled, the top three URLs inside the email body are extracted and scanned along with the .eml inside the same VM. If the URL is a direct download link, the file is downloaded and sent with the URL to be scanned.

    This feature is useful when you want to scan older emails when they are loaded to FortiSandbox, such as through an On-Demand scan or Network Share scan.

    By default, FortiMail holds a mail item for a time to wait for the FortiSandbox verdict. Before FortiSandbox scans a file or URL sent from FortiMail, it checks if FortiMail still needs the verdict as FortiMail might have already released the email after time out. If not, FortiSandbox gives the job an Unknown rating and skipped status.

    Use the CLI command fortimail-expired to enable or disable this expiration check.

    To use remote VMs including MACOSX and Windows Cloud VM, you need to purchase subscription service from Fortinet. Files are uploaded to Fortinet Sandboxing cloud to scan according to Scan Profile settings.
    Previous
    Next

    File types

    File types

    FortiSandbox supports the following file types by default.

    Executables

    BAT, CMD, DLL, EML, EXE, JAR, JSE, MSI, PS1, UPX, WSF, and VBS.

    Most DLL files cannot be executed within a VM. You can enable pre-filtering with the following CLI command:

    sandboxing-prefilter -e -tdll

    Only the DLL files which can be executed inside a VM are put into the Job Queue.

    Archives

    7Z, ACE, ARJ, BZ2, CAB, GZ, ISO, KGB, LZH, RAR, TAR, TGZ, XZ, Z, and ZIP.

    Extraction is limited by the following conditions:

    • Number of child files to extract. Default is 1000 and is configurable by prescan-config
    • Total file size of child files to extract, configurable by filesize-limit

    • Time spent to extract child files. Default timeout value is 15s for regular files(<=512M) and 600s for large files (>512M), the value is configurable by prescan-config

    Microsoft Office

    Microsoft Word (.doc, .docm, .docx, .dot, .dotm and .dotx), Microsoft Excel (.xls, .xis, .xlam, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx), Microsoft PowerPoint (.pot, .potm, .potx, .ppt, .pptm, .pptx, .ppam, .pps, .ppsm, .ppsx, .sldm, .sldx), Microsoft Publisher (.pub), Microsoft OneNote (.one), Microsoft Web Query Files (.iqy), Rich Text Format (.rtf)

    Adobe

    Flash, PDF, and SWF.

    Static Web Files

    HTML, JS, LNK, and URL.

    Android File

    APK

    MACOSX Files

    Mac (MACH_O, FATMACH, XAR, and APP files) and dmg (DMG) files.

    WEBLink

    URLs submitted by FortiMail devices or sniffed from email body by sniffer.
    note icon

    You can create a custom file type and associate it to an existing VM. Therefore, file type analysis is not limited to just the file types listed in the table above.

    Sometimes input sources send .eml files to FortiSandbox. For example, FortiMail sends .eml files to FortiSandbox when the .eml file is attached inside an email. FortiSandbox parses the .eml file to extract its attachments and perform file scans.

    When sandboxing-embeddedurl is enabled, the top three URLs inside the email body are extracted and scanned along with the .eml inside the same VM. If the URL is a direct download link, the file is downloaded and sent with the URL to be scanned.

    This feature is useful when you want to scan older emails when they are loaded to FortiSandbox, such as through an On-Demand scan or Network Share scan.

    By default, FortiMail holds a mail item for a time to wait for the FortiSandbox verdict. Before FortiSandbox scans a file or URL sent from FortiMail, it checks if FortiMail still needs the verdict as FortiMail might have already released the email after time out. If not, FortiSandbox gives the job an Unknown rating and skipped status.

    Use the CLI command fortimail-expired to enable or disable this expiration check.

    To use remote VMs including MACOSX and Windows Cloud VM, you need to purchase subscription service from Fortinet. Files are uploaded to Fortinet Sandboxing cloud to scan according to Scan Profile settings.
    Previous
    Next