- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Sandboxing Prefilters
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sandboxing Prefilters
Hey,
has anyone a more detailed information about the trade-off the "sanboxing-prefilter" function might have? - there is a massive performance boost, when you use them, but what will be the security impact?
Usage: sandboxing-prefilter [-h|-l|-e|-d] -t[dll|pdf|swf|js|htm|url|office] -h Help information. -e Enable sandboxing prefilter. -t[dll|pdf|swf|js|htm|url|office] Enable sandboxing prefilter for specific file types. -d Disable sandboxing prefilter. -t[dll|pdf|swf|js|htm|url|office] Disable sandboxing prefilter for specific file types. -l Display the status of sandboxing prefilter.
Br,Roman
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, After an AV scan, static scan and community cloud query steps a VM is launched in order to analyze the runtime behaviour of a sample (=sandboxing scan). This last step is time and resource intensive. Prefiltering is an additional step in which the FortiSandbox decides whether it is worth launching a VM for further analysis: does the provided sample seem suspicious or not? If the sample is marked as non-suspicious by the prefilter, the file will be labelled as clean and it will not be sandboxing scanned. Otherwise it will be sandboxing scanned. In case the FortiSandbox is processing mail attachments, web traffic etc. most files received by the FortiSandbox will most likely be marked as non-suspicious and activating prefiltering will indeed result in a huge performance boost. I assume the first static scan checks for known malicious behaviour. The prefiltering scan tries to identify possible suspicious behaviour. For a PDF-file this might be the presence of JavaScript, forms, /OpenAction-object, ... For office files the presence of macros might be sufficient.
Drawback (security impact) is that the prefilter might be wrong and a malicious sample will be identified as non-suspicious and will not be admitted to a full sandboxing scan. Hence it will not be detected by the FortiSandbox.
In the environment I manage activating prefiltering on some file types resulted in (almost) no more queued samples and, thanks to higher VM-availability, faster detection of malicious content.
Regards, Peter
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Peter,
welcome and thanks for your response.
What you wrote here, is actually what I was thinking about the prefilters as well.... As I put some of them into production, I can tell the performance gain is massive. I also haven't seen any false decisions made by those filters - Besides, their rating-decision will get printed as "Rated By - FSA Community Cloud" and not via prefilter, which seems to be a bug in the current firmware.
I wonder why Fortinet does not communicate this feature a bit more - I question if they do really trust their own prefilters ?
Br,Roman
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
we have all prefilters on, pdf included, but always queing thousands of them, sent from fortimail, for example, what wrong? Fortisandbox 6.0.3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Related Posts
- MacOS - FortiClient Installer .SH Installs... 512 Views
- FortiEMS with Sandbox profile 339 Views
- FortiSandbox Cloud - Fortigates not showing... 393 Views
- Fortinet Sandbox API Login Request Error 425 Views
- Fortigate AV profile - sandbox delivery 292 Views
Labels
-
FortiGate
6,438 -
FortiClient
1,282 -
5.2
801 -
5.4
639 -
FortiManager
560 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
330 -
FortiAP
325 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
IPsec
63 -
Wireless Controller
57 -
SSL-VPN
52 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
17 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.