
Administration Guide

File types

FortiSandbox supports the following file types by default.

Executables

BAT, CMD, DLL, EML, EXE, JAR, JSE, MSI, PS1, UPX, WSF, and VBS.

Most DLL files cannot be executed within a VM. You can enable pre-filtering with the following CLI command:

sandboxing-prefilter -e -tdll

Only DLL files that can be executed inside a VM are put into the Job Queue.

Archives

7Z, ACE, ARJ, BZ2, CAB, GZ, ISO, KGB, LZH, RAR, TAR, TGZ, XZ, Z, and ZIP.

Extraction is limited by the following conditions:

  • Number of child files to extract. The default is 1000 and is configurable with prescan-config.
  • Total file size of the child files to extract, configurable with filesize-limit.
  • Time spent extracting child files. The default timeout is 15s for regular files (<=512M) and 600s for large files (>512M); the value is configurable with prescan-config.
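A bounded extractor that applies the three limits above to a ZIP archive, as an added illustration of what a prescan stage guards against (a small archive that inflates into many or very large child files). This is example code written for this page, not FortiSandbox's implementation; the count and the 15s timeout use the page's defaults, while the byte limit is an assumed placeholder because the page gives no default for filesize-limit.

```python
import io
import time
import zipfile

# Limits in the spirit of the three conditions above. The count and the
# 15s timeout are the page's defaults; the byte limit is an assumed value
# for illustration, since the page gives no default for filesize-limit.
MAX_CHILD_FILES = 1000
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # assumed
EXTRACT_TIMEOUT_S = 15.0             # default for regular (<=512M) files


def make_zip(entries):
    """Build a constructed in-memory ZIP from {name: bytes} (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def stepping_clock(step=10.0):
    """Deterministic stand-in for time.monotonic() to exercise the timeout."""
    now = [0.0]

    def clock():
        now[0] += step
        return now[0]

    return clock


def extract_with_limits(archive_bytes, max_files=MAX_CHILD_FILES,
                        max_total=MAX_TOTAL_BYTES, timeout=EXTRACT_TIMEOUT_S,
                        clock=time.monotonic):
    """Extract child files from a ZIP, stopping at the first exceeded limit.

    Returns (children, reason): children maps name -> bytes for the files
    extracted so far; reason is None on success, or "count", "size" or
    "time". zipfile.BadZipFile propagates for corrupt archives.
    """
    children = {}
    total = 0
    started = clock()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if len(children) >= max_files:
                return children, "count"
            # Reject on the declared size first, so a tiny archive that
            # claims a huge uncompressed child is refused before inflating it.
            if total + info.file_size > max_total:
                return children, "size"
            with zf.open(info) as fh:
                # Read at most one byte past the remaining budget, so a header
                # that under-reports its size still cannot exhaust memory.
                data = fh.read(max_total - total + 1)
            if total + len(data) > max_total:
                return children, "size"
            total += len(data)
            children[info.filename] = data
            if clock() - started > timeout:
                return children, "time"
    return children, None


if __name__ == "__main__":
    bomb = make_zip({"zeros.bin": b"\0" * 1_000_000})
    print(extract_with_limits(bomb, max_total=1000))   # ({}, 'size')
```

The size check runs before inflation on purpose: the declared uncompressed size in the header is the cheapest signal, and the read cap covers archives whose headers lie. Any child that was already extracted when a limit trips is still returned, so a caller can decide whether to scan the partial set or fail the parent file.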

Microsoft Office

Microsoft Word (.doc, .docm, .docx, .dot, .dotm and .dotx), Microsoft Excel (.xls, .xis, .xlam, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx), Microsoft PowerPoint (.pot, .potm, .potx, .ppt, .pptm, .pptx, .ppam, .pps, .ppsm, .ppsx, .sldm, .sldx), Microsoft Publisher (.pub), Microsoft OneNote (.one), Microsoft Web Query Files (.iqy), Rich Text Format (.rtf)

Adobe

Flash, PDF, and SWF.

Static Web Files

HTML, JS, URL, and LNK.

Android File

APK

MACOSX Files

Mac files (MACH_O, FATMACH, XAR, and APP) and disk image (DMG) files.

WEBLink

URLs submitted by FortiMail devices or sniffed from the email body by the sniffer.

You can create a custom file type and associate it with an existing VM, so file type analysis is not limited to the file types listed above.

Sometimes input sources send .eml files to FortiSandbox. For example, FortiMail sends .eml files to FortiSandbox when an .eml file is attached inside an email. FortiSandbox parses the .eml file to extract its attachments and performs file scans on them.

When sandboxing-embeddedurl is enabled, the top three URLs inside the email body are extracted and scanned along with the .eml inside the same VM. If the URL is a direct download link, the file is downloaded and sent with the URL to be scanned.
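An added example (written for this page, not FortiSandbox code) of the two steps just described: parse an .eml, pull out its attachments (descending into a nested message/rfc822 part, which is the case of an .eml attached inside an email) and collect the first three distinct URLs from the body. The sample message is constructed inline; the URL pattern and the reading of "top three" as the first three distinct URLs in order of appearance are this example's own assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# The page says the top three URLs of the body are extracted; "top" is taken
# here to mean the first three distinct URLs in order of appearance (assumption).
TOP_N_URLS = 3
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_eml(raw_bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage (modern email policy)."""
    return message_from_bytes(raw_bytes, policy=policy.default)


def body_text(msg):
    """Return the preferred text body (plain over html), or '' if none."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def extract_urls(msg, limit=TOP_N_URLS):
    """First `limit` distinct http(s) URLs in the body, in the order seen."""
    found = []
    for url in URL_RE.findall(body_text(msg)):
        url = url.rstrip(".,;:)")          # drop trailing punctuation
        if url not in found:
            found.append(url)
            if len(found) == limit:
                break
    return found


def extract_attachments(msg):
    """Return [(filename, content_type, bytes)] for every attachment.

    A message/rfc822 part (an .eml attached inside the email) is walked
    recursively so that its own attachments are collected as well.
    """
    found = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            found.extend(extract_attachments(part.get_payload(0)))
        else:
            found.append((part.get_filename(), part.get_content_type(),
                          part.get_payload(decode=True)))
    return found


def build_sample_eml():
    """Constructed sample: an email whose body holds four URLs and which
    carries a forwarded .eml; that inner .eml has a harmless fake binary
    attachment. All addresses and names here are made up for the example."""
    inner = EmailMessage()
    inner["Subject"] = "Fwd: invoice"
    inner.set_content("Please see the attached file.")
    inner.add_attachment(b"MZ-constructed-sample", maintype="application",
                         subtype="octet-stream", filename="invoice.exe")
    outer = EmailMessage()
    outer["From"] = "sender@example.test"
    outer["To"] = "recipient@example.test"
    outer["Subject"] = "Forwarded message"
    outer.set_content(
        "Links: http://one.example.test/a, https://two.example.test/b.pdf\n"
        "again http://one.example.test/a then https://three.example.test/c\n"
        "and https://four.example.test/d\n"
    )
    outer.add_attachment(inner)        # becomes a nested message/rfc822 part
    return outer.as_bytes()


if __name__ == "__main__":
    sample = parse_eml(build_sample_eml())
    print(extract_urls(sample))
    print([(name, ctype, len(data)) for name, ctype, data in
           extract_attachments(sample)])
```

The recursion matters for the FortiMail case above: the outer message has no file attachment of its own, so a parser that only looks one level deep would scan nothing, while the nested invoice.exe is exactly the object that should go to the Job Queue.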

This feature is useful when you want to scan older emails as they are loaded into FortiSandbox, such as through an On-Demand scan or a Network Share scan.

By default, FortiMail holds a mail item for a time while it waits for the FortiSandbox verdict. Before FortiSandbox scans a file or URL sent from FortiMail, it checks whether FortiMail still needs the verdict, as FortiMail might already have released the email after its timeout. If the verdict is no longer needed, FortiSandbox gives the job an Unknown rating and a skipped status.

Use the CLI command fortimail-expired to enable or disable this expiration check.

To use remote VMs, including the MACOSX and Windows Cloud VMs, you need to purchase a subscription service from Fortinet. Files are uploaded to the Fortinet Sandboxing cloud and scanned according to the Scan Profile settings.
