Fortinet black logo

Administration Guide

Network Share

Network Share

Go to Security Fabric > Network Share (also known as Network File Share) to scan remote file locations via SMB and NFS protocol. Central quarantine with either Move or Copy of files is supported.

Create a Network Share profile to configure a Network Share location for inspection. After the profile is configured, FortiNDR will scan the registered network's share directories.

The Network Share page displays the following information:

Name The Network Share profile name.
Scan Scheduled Indicates scheduled scan is enabled/disabled.
Type The Network Share protocol.
Share Path The Network Share path.
Quarantine Indicates if quarantine is enabled/disabled.
Enabled Indicates the Network Share profile is enabled/disabled.


The Network Share configuration status. See Testing connectivity.

Creating a Network Share profile

To create a Network Share profile:
  1. Go to Security Fabric > Network Share.
  2. In the toolbar, click Create New. The New Network Share page opens.
  3. Enter the Network Share mounting information.
    StatusEnable or Disable. Enable is the default.
    Mount Type

    Select a Network Share protocol from the list. The following protocols are supported:

    • SMBv1.0

    • SMBv2.0

    • SMBv2.1

    • SMBv3.0

    • NFSv2.0

    • NFSv3.0

    • NFS v4.0

    Network Share NameEnter a name for the Network Share.
    Server IP

    Enter the IP address for the Network Share.

    Share PathEnter the path for the Network Share.
    UsernameEnter the username for the Network Share.
    PasswordEnter the password for the Network Share and then confirm the password.
  4. Configure the Quarantine Confidence level equal and above.
  5. (Optional) Customize the quarantine and sanitize behaviors.

    Enable Quarantine Password Protected Files

    Moves password protected files to a designated quarantine location.


    FortiNDR does not process password protected files.

    Enable Quarantine Critical Risk Files

    Moves detected files with critical risk to a designated quarantine location. This includes:

    • Fileless

    • Industroyer

    • Ransomware

    • Wiper

    • Worm

    Enable Quarantine - High Risk Files

    Moves detected files with high risk to a designated quarantine location. This includes:

    • Backdoor

    • Banking Trojan

    • Exploit

    • Infostealer

    • Proxy

    • PWS

    • Rootkit

    • Trojan

    Enable Quarantine - Medium Risk Files

    Moves detected files with medium risk to a designated quarantine location. This includes:

    • Clicker

    • DDoS

    • Downloader

    • Dropper

    • Phishing

    • Redirector

    • Virus

    Enable Quarantine - Low Risk Files

    Moves detected files with low risk to a designated quarantine location. This includes:

    • Application

    • CoinMiner

    • Generic Attack

    • Generic Trojan

    • SEP

    • WebShell

    Enable Quarantine of Others

    Moves other unprocessed files to a designated quarantine location. File types that falls under this category includes:

    • Files with unsupported file type

    • Files with Over size Limit

    • Empty/Irregular files

    Enable Copying or Moving clean files to sanitized location

    Moves or copies clean files to a location specified in the Network Share Quarantine profile. See, Network Share Quarantine .

    The Moving operation is only allowed for the quarantine location when Keep Original File at Source Location disabled.

    The Copying operation is only allowed for the quarantine location when Keep Original File at Source Location enabled.

    For information about combing Network Share and Quarantine profiles, see Network Share Quarantine > Combining network share and quarantine profiles.

    Create a copy of clean files for every scheduled scan at the sanitized location

    When enabled, FortiNDR will create a new folder <Network Share Profile Name>_<Scan Task ID> in the sanitized location for each scheduled scan.

    When disabled, FortiNDR will overwrite the sanitized location with the clean files from the latest scan.


    Enabling this option will increase the size of the Network Share location.

    Create placeholder files for malicious/Suspicious/Other files at sanitized location

    Adds a placeholder file in the sanitized location. The filename pattern of the placeholder file will be <filename>.<severity>.txt. This helps maintain the file structure of the original network in the share folder.

    Enable Force Rescan

    When enabled, FortiNDR will not use cache detection even if the files are previously scanned.

  6. Click OK.

Testing connectivity

To validate the Network Share configuration:
  1. Go to Security Fabric > Network Share and select a profile.
  2. In the toolbar, click Test Connection to validate the Network Share configuration.

    A green checkmark appears in the Status next to a valid connection.


    Testing the connection will work when Network File Share is enabled. The test will fail if the profile is disabled.

Scanning a network location

To trigger a scan:
  1. Go to Security Fabric > Network Share and select a profile.
  2. In the toolbar, click Scan Now.

The Scan Now button will not create a new task when the Network Drive is:

  • Currently mounting
  • Scanning another task
  • Disabled
  • Not connected (Status is Down)

You can use a REST API call to start a scan. See, Start Network Share scan.

Scheduling a scan

You can schedule routine scanning for a Network Share location on an hourly, daily, or monthly basis. The minimum time interval for each scan is 15 minutes.


If an NFS scan takes longer than the next scheduled time, the next scheduled time is skipped and an event log is created to reflect this.

To schedule a scan:
  1. Go to Security Fabric > Network Share and select a profile.
  2. In the toolbar, click Edit. The New Network Share window opens.
  3. Select Enable Scheduled Scan.
  4. Configure the Schedule Type and the correspodning time interval.
  5. Click OK.

Viewing scan results

View the scan history of the Network Share directories.

To view the scan results:
  1. Go to Security Fabric > Network Share and select a profile.
  2. In the toolbar, click Scan Details. The scan history is displayed.

    TotalThe total number of files scanned.
    Start TimeThe date and time the scan started.
    End TimeThe date and time the scan completed.
    Scan FinishedThe scan progress as a percentage.
    Critical RiskThe number of Detected/Quarantined critical risk files.
    High RiskThe number of Detected/Quarantined critical high files.
    Medium RiskThe number of Detected/Quarantined medium risk files.
    Low Risk The number of Detected/Quarantined critical low files.
    CleanThe number of clean files.
    OthersThe number of Detected/Quarantinedother files.
    Scan StatusThe scan status as a string.
  3. Click the numbers to view the detection information for the samples that belong to the category.
  4. Click the link in the column to view the detected and quarantined files.
    • Select a sample in the list then click View Sample Detail.
    • Click Back to return to the Scan Details.
  5. Click Back to return to the Network Share pane.

Scanning Zip files

FortiNDR can extract and process Zip files up to 10 levels. When any of the files inside the Zip file is detected, the whole zip file will be marked as malicious.


FortiNDR does not process password-protected zip files.

Network Share

Network Share

Go to Security Fabric > Network Share (also known as Network File Share) to scan remote file locations via SMB and NFS protocol. Central quarantine with either Move or Copy of files is supported.

Create a Network Share profile to configure a Network Share location for inspection. After the profile is configured, FortiNDR will scan the registered network's share directories.

The Network Share page displays the following information:

Name The Network Share profile name.
Scan Scheduled Indicates scheduled scan is enabled/disabled.
Type The Network Share protocol.
Share Path The Network Share path.
Quarantine Indicates if quarantine is enabled/disabled.
Enabled Indicates the Network Share profile is enabled/disabled.


The Network Share configuration status. See Testing connectivity.

Creating a Network Share profile

To create a Network Share profile:
  1. Go to Security Fabric > Network Share.
  2. In the toolbar, click Create New. The New Network Share page opens.
  3. Enter the Network Share mounting information.
    StatusEnable or Disable. Enable is the default.
    Mount Type

    Select a Network Share protocol from the list. The following protocols are supported:

    • SMBv1.0

    • SMBv2.0

    • SMBv2.1

    • SMBv3.0

    • NFSv2.0

    • NFSv3.0

    • NFS v4.0

    Network Share NameEnter a name for the Network Share.
    Server IP

    Enter the IP address for the Network Share.

    Share PathEnter the path for the Network Share.
    UsernameEnter the username for the Network Share.
    PasswordEnter the password for the Network Share and then confirm the password.
  4. Configure the Quarantine Confidence level equal and above.
  5. (Optional) Customize the quarantine and sanitize behaviors.

    Enable Quarantine Password Protected Files

    Moves password protected files to a designated quarantine location.


    FortiNDR does not process password protected files.

    Enable Quarantine Critical Risk Files

    Moves detected files with critical risk to a designated quarantine location. This includes:

    • Fileless

    • Industroyer

    • Ransomware

    • Wiper

    • Worm

    Enable Quarantine - High Risk Files

    Moves detected files with high risk to a designated quarantine location. This includes:

    • Backdoor

    • Banking Trojan

    • Exploit

    • Infostealer

    • Proxy

    • PWS

    • Rootkit

    • Trojan

    Enable Quarantine - Medium Risk Files

    Moves detected files with medium risk to a designated quarantine location. This includes:

    • Clicker

    • DDoS

    • Downloader

    • Dropper

    • Phishing

    • Redirector

    • Virus

    Enable Quarantine - Low Risk Files

    Moves detected files with low risk to a designated quarantine location. This includes:

    • Application

    • CoinMiner

    • Generic Attack

    • Generic Trojan

    • SEP

    • WebShell

    Enable Quarantine of Others

    Moves other unprocessed files to a designated quarantine location. File types that falls under this category includes:

    • Files with unsupported file type

    • Files with Over size Limit

    • Empty/Irregular files

    Enable Copying or Moving clean files to sanitized location

    Moves or copies clean files to a location specified in the Network Share Quarantine profile. See, Network Share Quarantine .

    The Moving operation is only allowed for the quarantine location when Keep Original File at Source Location disabled.

    The Copying operation is only allowed for the quarantine location when Keep Original File at Source Location enabled.

    For information about combing Network Share and Quarantine profiles, see Network Share Quarantine > Combining network share and quarantine profiles.

    Create a copy of clean files for every scheduled scan at the sanitized location

    When enabled, FortiNDR will create a new folder <Network Share Profile Name>_<Scan Task ID> in the sanitized location for each scheduled scan.

    When disabled, FortiNDR will overwrite the sanitized location with the clean files from the latest scan.


    Enabling this option will increase the size of the Network Share location.

    Create placeholder files for malicious/Suspicious/Other files at sanitized location

    Adds a placeholder file in the sanitized location. The filename pattern of the placeholder file will be <filename>.<severity>.txt. This helps maintain the file structure of the original network in the share folder.

    Enable Force Rescan

    When enabled, FortiNDR will not use cache detection even if the files are previously scanned.

  6. Click OK.

Testing connectivity

To validate the Network Share configuration:
  1. Go to Security Fabric > Network Share and select a profile.
  2. In the toolbar, click Test Connection to validate the Network Share configuration.

    A green checkmark appears in the Status next to a valid connection.


    Testing the connection will work when Network File Share is enabled. The test will fail if the profile is disabled.

Scanning a network location

To trigger a scan:
  1. Go to Security Fabric > Network Share and select a profile.
  2. In the toolbar, click Scan Now.

The Scan Now button will not create a new task when the Network Drive is:

  • Currently mounting
  • Scanning another task
  • Disabled
  • Not connected (Status is Down)

You can use a REST API call to start a scan. See, Start Network Share scan.

Scheduling a scan

You can schedule routine scanning for a Network Share location on an hourly, daily, or monthly basis. The minimum time interval for each scan is 15 minutes.


If an NFS scan takes longer than the next scheduled time, the next scheduled time is skipped and an event log is created to reflect this.

To schedule a scan:
  1. Go to Security Fabric > Network Share and select a profile.
  2. In the toolbar, click Edit. The New Network Share window opens.
  3. Select Enable Scheduled Scan.
  4. Configure the Schedule Type and the correspodning time interval.
  5. Click OK.

Viewing scan results

View the scan history of the Network Share directories.

To view the scan results:
  1. Go to Security Fabric > Network Share and select a profile.
  2. In the toolbar, click Scan Details. The scan history is displayed.

    TotalThe total number of files scanned.
    Start TimeThe date and time the scan started.
    End TimeThe date and time the scan completed.
    Scan FinishedThe scan progress as a percentage.
    Critical RiskThe number of Detected/Quarantined critical risk files.
    High RiskThe number of Detected/Quarantined critical high files.
    Medium RiskThe number of Detected/Quarantined medium risk files.
    Low Risk The number of Detected/Quarantined critical low files.
    CleanThe number of clean files.
    OthersThe number of Detected/Quarantinedother files.
    Scan StatusThe scan status as a string.
  3. Click the numbers to view the detection information for the samples that belong to the category.
  4. Click the link in the column to view the detected and quarantined files.
    • Select a sample in the list then click View Sample Detail.
    • Click Back to return to the Scan Details.
  5. Click Back to return to the Network Share pane.

Scanning Zip files

FortiNDR can extract and process Zip files up to 10 levels. When any of the files inside the Zip file is detected, the whole zip file will be marked as malicious.


FortiNDR does not process password-protected zip files.