File Scan Flow
After a file is received from an input source, it goes through the following steps before a verdict is reached. If a verdict can be reached at any step, the scan stops.
- Filtering and Static Scan
In this step, the file is scanned by the Antivirus engine and the YARA rules engine. Its file type is compared with the Scan Profile page > Pre-Filter tab settings to decide if it should be put in the job queue. If yes, it is compared with the allowlist and blocklist and overridden verdict list.
For certain file types, such as Office and PDF files, they are scanned statistically in virtual engines to detect suspicious contents. If they contain embedded URLs, the URLs are checked to see if the website is a malicious website.
- Community Cloud Query
The file will be queried against the Community Cloud Server to check if an existing verdict is available. If yes, the verdict and behavior information are downloaded. This makes the malware information shareable amongst the FortiSandbox Community for fast detection.
- Sandboxing Scan
If the file type is associated with a VM type, as defined in the Scan Profile page > VM Association, the file is scanned inside a clone of that VM type. A file that is supposed to be scanned inside a VM might skip this step if it's filtered out by sandboxing prefiltering. For more information, see the FortiSandbox CLI Guide for the
sandboxing-prefilter
command.