Integrating FortiSandbox into FortiMail


FortiSandbox is a key part of Fortinet’s innovative Advanced Threat Protection solution. Recommended by NSS Labs, FortiSandbox is designed to detect and analyze advanced targeted attacks designed to bypass traditional security defenses.

This recipe explains how FortiSandbox works and then guides you through the process of integrating FortiSandbox into FortiMail.

Understanding FortiSandbox

While traditional signature-based systems rely on predefined virus signatures to catch viruses, FortiSandbox examines the construction of files for characteristics commonly found in viruses and emulates their execution to look for typical virus behavior. As a file is examined, the virus-like attributes are totaled. If a threshold in the number of virus-like attributes is passed, the file is marked as ‘suspicious’.

The illustration to the right details the scanning process.

 [Illustration: FortiSandbox and FortiMail scanning process]

Connecting FortiSandbox

To connect FortiSandbox to FortiMail

 1.  Go to AntiVirus > FortiSandbox > FortiSandbox


 2.  Enable FortiSandbox inspection.

 3.  Enter your notification email if you wish to be notified of protection activity.

 4.  Specify how long FortiMail should wait to retrieve some high-level statistics from FortiSandbox.

Note: The statistics include how many malware files were detected and how many files were clean among all the files submitted.

Profile and Policy Creation

Once FortiSandbox is connected, you’ll need to create an AntiVirus profile that uses FortiSandbox.

To create an AntiVirus profile

 1.  Go to Profile > AntiVirus > AntiVirus.


 2.  Select New.

 3.  Enter a name for the new profile and select a default action that FortiMail will take when encountering a threat.


 4.  Enable FortiSandbox to send potentially harmful attachments to FortiSandbox for further analysis. Then specify the action to take if the FortiSandbox analysis determines that the email messages contain a threat by selecting the appropriate action in the dropdown menus.

 5. Now create a policy by going to Policy > Policies. 


 6.  Select New under either the IP Policies or Recipient Policies section.

 7.  Select the newly created antivirus profile from the AntiVirus dropdown menu under the Profiles section.


 8.  Select Create.

Supported File Types

The list of files that FortiMail submits to FortiSandbox for inspection largely depends on which file types FortiSandbox supports. The list of supported file types is continually growing. Below is the list of file types currently supported in FortiMail 5.2.3 (FortiSandbox 2.0 or later).

  • MS Word: docx, dotx, docm, dotm
  • MS Excel: xlsx, xltx, xlsm, xltm, xlsb, xlam
  • MS PowerPoint: pptx, ppsx, potx, sldx, pptm, ppsm, potm, ppam, sldm
  • MS OneNote: onetoc
  • MS Theme: thmx
  • JAR
  • SWF
  • PDF
  • JavaScript files
  • Windows executable files such as .scr, .dll, .com, and .exe
  • Archive files: .RAR and .ZIP
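
To see which attachments in a message fall outside the list above, and so would not be covered by sandbox analysis, the following added example (not Fortinet code) walks a raw message and maps each attachment's extension to the file families listed on this page. It assumes matching by filename extension, which only approximates however FortiMail actually identifies file types, and it assumes `.js` for JavaScript files because the page names no extension; the sample message is constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions copied from the list above (FortiMail 5.2.3, FortiSandbox 2.0 or later).
SUPPORTED = {
    "MS Word": "docx dotx docm dotm",
    "MS Excel": "xlsx xltx xlsm xltm xlsb xlam",
    "MS PowerPoint": "pptx ppsx potx sldx pptm ppsm potm ppam sldm",
    "MS OneNote": "onetoc",
    "MS Theme": "thmx",
    "JAR": "jar", "SWF": "swf", "PDF": "pdf",
    "JavaScript": "js",  # assumption: the page names no extension
    "Windows executable": "scr dll com exe",
    "Archive": "rar zip",
}
EXT_TO_FAMILY = {ext: fam for fam, exts in SUPPORTED.items() for ext in exts.split()}

def classify_attachments(raw: bytes):
    """Return [(filename, family or None)] for each attachment in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():  # walk() also descends into nested multipart parts
        name = part.get_filename()
        if not name:
            continue  # body text or container part, not an attachment
        # Only the final suffix counts, lower-cased: "invoice.pdf.exe" is an exe.
        ext = PurePosixPath(name.strip()).suffix.lstrip(".").lower()
        results.append((name, EXT_TO_FAMILY.get(ext)))
    return results

def build_sample() -> bytes:
    """Constructed sample message with three attachments."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "constructed sample"
    m.set_content("see attached")
    for fname in ("report.DOCM", "invoice.pdf.exe", "notes.rtf"):
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for fname, family in classify_attachments(build_sample()):
        print(f"{fname:20} {family or 'NOT in the supported list'}")
```

Attachments reported as not in the list are the ones to cover with other controls; files packed inside a ZIP or RAR are not opened by this script.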