FortiSandbox provides a solution to protect against advanced threats and ransomware for companies who don’t want to implement and maintain a sandbox environment on their own.
Article Id 198714
This article describes when the following error is seen in the FortiSandBox VM event log : “Sandbox VM is not in good condition, waiting for recovery”, indicating performance issues with FortiSandBox receiving more files than it can process.

On average a file scan on a FortiSandBox VM takes 3 minutes, a VM clone can scan an estimated maximum of 480 files per day.

Note: The number of files FortiSandBox VM can handle is estimated by number of enabled clones and multiplied 480

To check the number of files received by FortiSandBox, go to:

- File Detection > Summary Report > Top File Types widget

The number of files sent to the Sandbox in the last 24 hours are displayed when the “Scanned by Sandboxing” button in the widget is checked.

To increase the efficiency of file scanning enable “Sandboxing-prefiltering”

- Prefiltering is an additional step in which the FortiSandbox decides whether to execute the file in a VM
- FortiSandBox prefiltering scans attempt to identify possible suspicious behavior associated with file types.
- File types containing plain text (e.g. office or PDF files) will not be executed on a VM, other may has a macro so it those files will be executed.
- Files with JavaScript will be executed on a VM.

Enabling prefiltering improves FortiSandBox performance if it is receiving large amount of files.
Note: Whitelisting trusted domains improves FortiSandbox performance

FortiSandbox best practice guide has more detail about improving scan performance, which can be found at FortiSandBox documentation