Hi, I have one question.
We are using FortiMail 200E and Sandbox 1000D.
At the moment we have a lot of infected emails with .doc attachments.
Under System->FortiSandbox on the FortiMail it is activated that all Office files (especially .doc) are sent to the Sandbox.
But sometimes we have the problem that if FortiMail notices this is a spam mail (based on the IP), then it sends the email to the personal quarantine and stops the checks with AntiVirus and Sandbox.
We have activated all Re-Scan options under Security->Quarantine Control.
But is it possible to make the checks continue and not stop after AntiSpam?
With best regards from Germany
>Is it possible to make the checks continue and not stop after AntiSpam?
No, but what you want is possible in a different way. The reason sandboxing happens after AntiSpam is to keep the load down on the FortiSandbox (default - antispam-content-sandbox). You can, however, change the scan order so FSA happens after AV but before the AS (sandbox-antispam-content).
config system fortisandbox
set scan-order {antispam-content-sandbox | sandbox-antispam-content | antispam-sandbox-content}
end
...but be aware this will add additional load to the sandbox.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
The quirk in OP's setup is that he distrusts the anti-spam on the FML. In my experience, if you relax the AS measures a bit, FML won't catch all, but all that it catches is real SPAM. Especially by checking against the blacklist from FortiGuard.
As the (SPAM) mail has not yet been accepted (*), you can discard it then in a legally safe manner, and not quarantine it.
Quarantining SPAM is somehow...you could save a lot of energy and other cost if you just store every mail then.
(*)...if FML is working as mail relay or mail gateway, that is, in front.
In a typical environment I see 95% of all SPAM mails rejected because of blacklisting servers alone. If you push all that junk through your sandbox you will probably need a very big one.
But thanks Carl for that precious hint anyway.
>In a typical environment I see 95% of all SPAM mails rejected because of blacklisting
>servers alone. If you push all that junk through your sandbox you will probably need a
>very big one.
Indeed, this is why the default is the more efficient method of detecting as spam first (less load) and then allowing rescan on release to prevent the threats being released.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Hi,
is it possible to change the order to content-antispam-fortisandbox?
Only {antispam-content-sandbox | sandbox-antispam-content | antispam-sandbox-content} is available.
I would prefer to scan our content first and then antispam and sandbox.