Fortinet white logo
Fortinet white logo

Administration Guide

Verify the FortiSandbox Analysis

Verify the FortiSandbox Analysis

Fortinet provides sample files that you can use to test FortiSandbox. These samples are dynamically created and only a behavioral analysis (known as Dynamic VM Scan) can detect a malicious behavior. To test the analysis, download the malware sample file, submit the file for analysis, and review the job report.

To verify FortiSandbox analysis:

1. Configure your scan profile

In FortiSandbox, go to Scan Policy and Object > Scan Profile and configure the Scan Profile. See Scan Policy and Object.

For the samples to work, the following settings must be enabled:

  • In the Pre-Filter tab under Process the following selected file types, ensure Executables and Linux files are enabled. See Scan Profile Pre-Filter Tab.
  • In the VM Association tab, ensure the following extensions are associated with the VM:
    • Windows: bat and exe
    • Ubuntu: sh and elf

    See Scan Profile VM Association Tab.

2. Download the sample files from FortiGuard Labs.
    1. In your browser, go to the FortiGuard Sample Files page (https://www.fortiguard.com/sample-files).
    2. In the Behavioral-based samples to be detected by a sandbox: column, select one of the following sample files:
      • Windows Executable
      • Windows Batch Script
      • Linux ELF Program
      • Linux CLI Script

      The Linux files are only detectable inside a Linux VM.

3. Scan the sample files in FortiSandbox
    1. In FortiSandbox, go to Scan Job > File On-Demand
    2. Click Submit File and upload the file.
    3. Wait for the job to scan and click View Details > View Job Detail.
    4. In the Indicators area, verify The file downloads or drops virus files is displayed. The other indicators will vary depending on the sample.
Note

Some files may not be detected by Static Scan. This prevents FortiSandbox from seeing the dropped virus which is only detected inside the VM.

If the Indicators do not display The file downloads or drops virus files, resubmit the file with Force to scan the file inside VM enabled.

Indicators examples

The following images show the indicators for each of the file samples.

Windows Executable

Windows Batch Script

Linux ELF Program

Linux CLI Script

Verify the FortiSandbox Analysis

Verify the FortiSandbox Analysis

Fortinet provides sample files that you can use to test FortiSandbox. These samples are dynamically created and only a behavioral analysis (known as Dynamic VM Scan) can detect a malicious behavior. To test the analysis, download the malware sample file, submit the file for analysis, and review the job report.

To verify FortiSandbox analysis:

1. Configure your scan profile

In FortiSandbox, go to Scan Policy and Object > Scan Profile and configure the Scan Profile. See Scan Policy and Object.

For the samples to work, the following settings must be enabled:

  • In the Pre-Filter tab under Process the following selected file types, ensure Executables and Linux files are enabled. See Scan Profile Pre-Filter Tab.
  • In the VM Association tab, ensure the following extensions are associated with the VM:
    • Windows: bat and exe
    • Ubuntu: sh and elf

    See Scan Profile VM Association Tab.

2. Download the sample files from FortiGuard Labs.
    1. In your browser, go to the FortiGuard Sample Files page (https://www.fortiguard.com/sample-files).
    2. In the Behavioral-based samples to be detected by a sandbox: column, select one of the following sample files:
      • Windows Executable
      • Windows Batch Script
      • Linux ELF Program
      • Linux CLI Script

      The Linux files are only detectable inside a Linux VM.

3. Scan the sample files in FortiSandbox
    1. In FortiSandbox, go to Scan Job > File On-Demand
    2. Click Submit File and upload the file.
    3. Wait for the job to scan and click View Details > View Job Detail.
    4. In the Indicators area, verify The file downloads or drops virus files is displayed. The other indicators will vary depending on the sample.
Note

Some files may not be detected by Static Scan. This prevents FortiSandbox from seeing the dropped virus which is only detected inside the VM.

If the Indicators do not display The file downloads or drops virus files, resubmit the file with Force to scan the file inside VM enabled.

Indicators examples

The following images show the indicators for each of the file samples.

Windows Executable

Windows Batch Script

Linux ELF Program

Linux CLI Script