FortiMail 200E/Sandbox Email Question
Hi, I have one question.
We are using FortiMail 200E and FortiSandbox 1000D.
At the moment we have a lot of infected emails with .doc attachments.
Under FortiMail System -> FortiSandbox it is activated that all Office files (especially .doc) are sent to the sandbox.
But sometimes we have the problem that if FortiMail notices that a mail is spam (based on the IP), it sends the email to the personal quarantine and stops the checks with AntiVirus and Sandbox.
We have activated all re-scan options under Security -> Quarantine Control.
But is it possible to make the checks continue and not stop after AntiSpam?
With best regards from Germany
>its possible to make thats the checks continue and not stops after AntiSpam?
No, but what you want is possible in a different way. The reason sandboxing happens after AntiSpam is to keep the load down on the FortiSandbox (default: antispam-content-sandbox). You can however change the scan order so FSA happens after AV but before AS (sandbox-antispam-content).
config system fortisandbox
set scan-order {antispam-content-sandbox | sandbox-antispam-content | antispam-sandbox-content}
end
....but be aware this will add additional load to the sandbox.
Dr. Carl Windsor
Chief Information Security Officer (CISO)
Fortinet
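To make the trade-off in this answer concrete, the following is an added, constructed model of the scan pipeline; it is not FortiMail code and not part of the thread. It assumes, as the original poster observed, that a spam verdict ends the pipeline so later stages never run on that message; the stage names follow the three CLI tokens, while the per-stage behaviour, the `Message` fields and the `SAMPLE` traffic mix are all made up for illustration. Running it over the same sample traffic under each scan order shows where the sandbox load comes from and which messages reach quarantine with their attachment never detonated.

```python
# Constructed model of the FortiMail scan-order trade-off (not FortiMail code).
# Stage names mirror the CLI tokens of `set scan-order`; everything else is assumed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The three accepted values of `set scan-order`, expanded into stage sequences.
SCAN_ORDERS: Dict[str, Tuple[str, ...]] = {
    "antispam-content-sandbox": ("antispam", "content", "sandbox"),
    "sandbox-antispam-content": ("sandbox", "antispam", "content"),
    "antispam-sandbox-content": ("antispam", "sandbox", "content"),
}


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender_blacklisted: bool   # what the antispam stage sees (e.g. IP reputation)
    office_attachment: bool    # only Office files are forwarded to the sandbox
    known_malware: bool        # signature AV in the content stage can catch this
    novel_malware: bool        # only sandbox detonation can catch this


@dataclass
class Verdict:
    action: str                # "quarantine", "block" or "deliver"
    sandboxed: bool            # whether a sandbox job was submitted for it
    stopped_at: str            # stage that produced the verdict


def scan(msg: Message, order: str) -> Verdict:
    """Run one message through the stages in the configured order.

    Modelled assumption from the thread: a spam verdict ends the pipeline,
    so AV and sandbox never run on a message the antispam stage quarantines.
    """
    sandboxed = False
    for stage in SCAN_ORDERS[order]:
        if stage == "antispam" and msg.sender_blacklisted:
            return Verdict("quarantine", sandboxed, stage)
        if stage == "content" and msg.known_malware:
            return Verdict("block", sandboxed, stage)
        if stage == "sandbox" and msg.office_attachment:
            sandboxed = True
            if msg.known_malware or msg.novel_malware:
                return Verdict("block", True, stage)
    return Verdict("deliver", sandboxed, "end")


def release(msg: Message, rescan: bool) -> Verdict:
    """Release a quarantined message. With re-scan on release enabled (the
    Quarantine Control option in the thread) AV and sandbox run before delivery."""
    if not rescan:
        return Verdict("deliver", False, "release")
    if msg.office_attachment and (msg.known_malware or msg.novel_malware):
        return Verdict("block", True, "release-rescan")
    if msg.known_malware:
        return Verdict("block", False, "release-rescan")
    return Verdict("deliver", msg.office_attachment, "release-rescan")


def summarise(messages: List[Message], order: str) -> Dict[str, int]:
    """Count sandbox jobs and malware that lands in quarantine without detonation."""
    stats = {"sandbox_jobs": 0, "quarantined": 0, "blocked": 0, "delivered": 0,
             "malware_quarantined_unscanned": 0}
    for m in messages:
        v = scan(m, order)
        stats["sandbox_jobs"] += int(v.sandboxed)
        if v.action == "quarantine":
            stats["quarantined"] += 1
            if (m.known_malware or m.novel_malware) and not v.sandboxed:
                stats["malware_quarantined_unscanned"] += 1
        elif v.action == "block":
            stats["blocked"] += 1
        else:
            stats["delivered"] += 1
    return stats


# Constructed sample traffic: mostly blacklisted spam, a few spam mails carrying a
# malicious .doc, and one targeted mail from a clean sender with a novel .doc payload.
SAMPLE: List[Message] = (
    [Message(f"spam-{i}", True, False, False, False) for i in range(90)]
    + [Message(f"spam-doc-{i}", True, True, False, True) for i in range(5)]
    + [Message("clean-doc", False, True, False, False),
       Message("clean-text", False, False, False, False),
       Message("targeted-doc", False, True, False, True),
       Message("known-bad", False, True, True, False)]
)

if __name__ == "__main__":
    for order in SCAN_ORDERS:
        print(f"{order:26s} {summarise(SAMPLE, order)}")
    spam_doc = SAMPLE[90]
    print("release without re-scan:", release(spam_doc, rescan=False).action)
    print("release with re-scan:   ", release(spam_doc, rescan=True).action)
```

Under the default order the five spam mails with a malicious .doc are quarantined with only two sandbox jobs submitted in total; the sandbox-first order detonates all eight Office attachments and blocks those five outright. The release function shows why the re-scan options matter in the default configuration: releasing one of those messages without re-scan delivers the payload, with re-scan it is blocked.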
The quirk in the OP's setup is that he distrusts the anti-spam on the FML. In my experience, if you relax the AS measures a bit, FML won't catch all spam, but all that it catches is real SPAM, especially when checking against the blacklist from FortiGuard.
As the (SPAM) mail has not yet been accepted (*), you can legally and safely discard it, and not quarantine it.
Quarantining SPAM is somehow... you could save a lot of energy and other cost if you just store every mail then.
(*) ...if FML is working as a mail relay or mail gateway, that is, in front.
In a typical environment I see 95% of all SPAM mails rejected because of blacklisted servers alone. If you push all that junk through your sandbox you will probably need a very big one.
But thanks Carl for that precious hint anyway.
>In a typical environment I see 95% of all SPAM mails rejected because of blacklisting
>servers alone. If you push all that junk through your sandbox you will probably need a
>very big one.
Indeed, this is why the default is the more efficient method: detect as spam first (less load) and then allow a re-scan on release to prevent the threats from being released.
Dr. Carl Windsor
Chief Information Security Officer (CISO)
Fortinet
Created on 08-22-2019 11:29 PM
Hi,
is it possible to change the order to content-antispam-fortisandbox?
Because only {antispam-content-sandbox | sandbox-antispam-content | antispam-sandbox-content} are available,
and I would prefer a first scan of our content and then antispam and sandbox.
