romanr
Valued Contributor

Sandboxing Prefilters

Hey,


Does anyone have more detailed information about the trade-off the "sandboxing-prefilter" function might have? There is a massive performance boost when you use them, but what will be the security impact?


Usage: sandboxing-prefilter [-h|-l|-e|-d] -t[dll|pdf|swf|js|htm|url|office]
        -h Help information.
        -e Enable sandboxing prefilter.
                -t[dll|pdf|swf|js|htm|url|office] Enable sandboxing prefilter for specific file types.
        -d Disable sandboxing prefilter.
                -t[dll|pdf|swf|js|htm|url|office] Disable sandboxing prefilter for specific file types.
        -l Display the status of sandboxing prefilter.

Br, Roman

foo
New Contributor

Hi,

After an AV scan, static scan and community cloud query steps, a VM is launched in order to analyze the runtime behaviour of a sample (= sandboxing scan). This last step is time and resource intensive. Prefiltering is an additional step in which the FortiSandbox decides whether it is worth launching a VM for further analysis: does the provided sample seem suspicious or not? If the sample is marked as non-suspicious by the prefilter, the file will be labelled as clean and it will not be sandboxing scanned. Otherwise it will be sandboxing scanned. In case the FortiSandbox is processing mail attachments, web traffic etc., most files received by the FortiSandbox will most likely be marked as non-suspicious, and activating prefiltering will indeed result in a huge performance boost.

I assume the first static scan checks for known malicious behaviour. The prefiltering scan tries to identify possible suspicious behaviour. For a PDF file this might be the presence of JavaScript, forms, an /OpenAction object, ... For office files the presence of macros might be sufficient.


Drawback (security impact) is that the prefilter might be wrong and a malicious sample will be identified as non-suspicious and will not be admitted to a full sandboxing scan. Hence it will not be detected by the FortiSandbox.


In the environment I manage activating prefiltering on some file types resulted in (almost) no more queued samples and, thanks to higher VM-availability, faster detection of malicious content.


Regards, Peter
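A minimal prefilter of the kind Peter describes, written here as an added example (not FortiSandbox's own code; the name list, the office-macro check and the sample files are all constructed). It also illustrates the false-negative risk he mentions: a naive byte match on /JavaScript returns "not suspicious" for a PDF whose names are hex-escaped, until the names are normalised first.

```python
import io
import re
import zipfile

# Name tokens that hint at active content in a PDF (illustrative list, not FortiSandbox's own rules).
PDF_SUSPICIOUS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/AcroForm", "/EmbeddedFile")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_pdf_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes (/J#61vaScript -> /JavaScript) so obfuscated names still match."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def pdf_prefilter(data: bytes, normalize: bool = True) -> set:
    """Return the suspicious name tokens found; an empty set means 'do not launch a VM'."""
    if normalize:
        data = normalize_pdf_names(data)
    return {n for n in PDF_SUSPICIOUS
            if re.search(re.escape(n.encode()) + rb"(?![A-Za-z])", data)}

def office_prefilter(data: bytes) -> set:
    """OOXML files are zip containers; a vbaProject.bin part means macros are present."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")}
    except zipfile.BadZipFile:
        return set()  # not OOXML (e.g. legacy OLE .doc); a real prefilter would parse that too

def needs_sandbox(filetype: str, data: bytes, normalize: bool = True) -> bool:
    """Prefilter verdict: True = hand the sample to a VM, False = label it clean without one."""
    if filetype == "pdf":
        return bool(pdf_prefilter(data, normalize))
    if filetype == "office":
        return bool(office_prefilter(data))
    return True  # unknown type: never short-circuit the sandbox

def make_docx(with_macro: bool) -> bytes:
    """Build a minimal OOXML container in memory; the macro part is a constructed stand-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

# Constructed PDF samples (not real malware): plain, obvious JavaScript, and hex-escaped names.
PDF_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
PDF_JS = b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (x) >> >> endobj\n%%EOF"
PDF_OBF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Open#41ction << /S /J#61vaScript /J#53 (x) >> >> endobj\n%%EOF"
```

With `normalize=False` the obfuscated sample is waved through as clean, which is exactly the kind of wrong prefilter verdict that skips the full sandboxing scan.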

romanr
Valued Contributor

Hi Peter,


Welcome, and thanks for your response.


What you wrote here is actually what I was thinking about the prefilters as well. As I put some of them into production, I can tell the performance gain is massive. I also haven't seen any false decisions made by those filters. Besides, their rating decision gets printed as "Rated By - FSA Community Cloud" and not as via prefilter, which seems to be a bug in the current firmware.


I wonder why Fortinet does not communicate this feature a bit more. I question whether they really trust their own prefilters?


Br, Roman

mrmcphisto

Hi,

We have all prefilters on, PDF included, but we are always queuing thousands of them, sent from FortiMail for example. What's wrong? FortiSandbox 6.0.3

ayman_taher