Professional Documents
Culture Documents
FORTINET
FortiSandbox
Student Guide
for FortiSandbox 2.0.3
DO NOT REPRINT
FORTINET
FortiSandbox Student Guide
for FortiSandbox 2.0.3
Last Updated: 18 October 2015
Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
2002 - 2015 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
DO NOT REPRINT
FORTINET
Table of Contents
Topology .............................................................................................................................. 6
Logging In ............................................................................................................................ 6
Disconnections/Timeouts .............................................................................................................................9
Objectives ............................................................................................................................ 14
Objectives ............................................................................................................................ 32
Objectives ............................................................................................................................ 34
REPORTS .....................................................................................................43
Objectives ............................................................................................................................ 43
DIAGNOSTICS ...............................................................................................45
Objectives ............................................................................................................................ 45
7 Troubleshooting................................................................................................................ 227
DO NOT REPRINT Virtual Lab Basics
FORTINET
Virtual Lab Basics
In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to
the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.
Note: If your trainer asks you to use a different lab, such as devices physically located in
your classroom, please ignore this section. This applies only to the virtual lab accessed
through the Internet. If you do not know which lab to use, please ask your trainer.
Topology
port1
10.200.2.100
FORTIMAIL
FORTIGATE
10.200.2.254/24
port2
LINUX
WIN-LOCAL 10.0.1.254/24 10.200.1.1/24 10.200.1.254
10.0.1.10 port3 port1 eth1
10.200.4.213 10.200.5.213
port1 port5
port2 port3
FORTISANDBOX 10.200.1.213
Logging In
1. Run the System Checker. This will fully verify both:
compatibility with the virtual lab environment's software, and
that your computer can connect
It can also diagnose problems with your Java Virtual Machine, firewall, or web proxy.
Use the URL for your location.
North America/South America:
https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM-West
Europe/Middle East/Africa:
https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe
Asia/Pacific:
https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC
If your computer successfully connects to the virtual lab, the result messages for the browser and
network checks will each display a check mark icon. Continue to the next step.
If a browser test fails, this will affect your ability to access the virtual lab environment. If a network
test fails, this will affect the usability of the virtual lab environment. For solutions, either click the
Support Knowledge Base link or ask your trainer.
2. With the user name and password from your trainer, log into the URL for the virtual lab.
https://remotelabs.training.fortinet.com/
A list of virtual machines that exist in your virtual lab should appear.
From this page, you can access the console of any of your virtual devices by either:
clicking on the devices square, or
selecting System > Open.
A new window should open within a few seconds. (Depending on your accounts preferences, the
window may be a Java applet. If this fails, you may need change browser settings to allow Java to
run on this web site. You also may need to review and accept an SSL certificate.)
Depending on the virtual machine, the applet provides access to either the GUI or a text-based
CLI. Connections to Windows machines will use a Remote Desktop-like GUI. The applet should
automatically log in, then display the Windows desktop. For most lab exercises, you will connect to
this VM.
Disconnections/Timeouts
If your computers connection with the virtual machine times out or if you are accidentally
disconnected, to regain access, return to the initial window/tab that contains your sessions list of VMs
and open the VM again.
If your session frequently times out or does not connect, ask your instructor.
When connecting to a VM, your browser should then open a display in a new window or tab.
Screen Resolution
Some Fortinet devices' user interfaces require a minimum screen size.
In the Java client, to configure the screen resolution, click the arrow at the top of the window.
In the HTML 5 client, to configure screen resolution, open the System menu.
International Keyboards
If characters in your language dont display correctly, keyboard mappings may not be correct.
To solve this in the HTML 5 client, open the Keyboard menu at the top of the window. Choose to either
display an on-screen keyboard, or send text from your computer to the VM's clipboard.
To solve this in the Java client, copy and paste between your computer and the Java applet. This
sends special characters or combinations using the keyboard icon at the top of the applet window.
Objectives
Configure a FortiGate device to submit files to a FortiSandbox appliance for inspection
Configure a FortiMail device to submit suspicious email attachments to a FortiSandbox appliance
for inspection
Use the FortiSandbox GUI to monitor the inspection results and statistics of the processed files
Time to Complete
Estimated: 55 minutes
Configure a FortiGate firewall and a FortiSandbox appliance to communicate with each other, then
confirm the connection by having the FortiGate firewall submit files for inspection.
2. At the login prompt, enter the username admin (all lower case). Leave the password blank.
3. To be able to access the FortiWeb's GUI, you must first configure the port3 network interface.
Assign its IP address, and specifically allow HTTP connections to the GUI.
edit port3
set ip 10.0.1.254/24
next
end
execute formatlogdisk
Type 'y' to confirm. After formatting the log disk, the FortiGate firewall will reboot. Wait until it has
restarted.
5. Return to the Lab Overview dashboard. Connect to the Windows server.
6. On the Windows servers desktop, open a Firefox browser window and connect to the FortiGate
firewalls graphical user interface (GUI) via HTTP:
http://10.0.1.254
Use the admin username again with no password.
The GUI will display a warning indicating that the FortiGate VM is currently using an evaluation
(trial) license. Ignore the warning and click Remind Later to continue.
Note: You might notice that you cannot connect to the FortiGate GUI using HTTPS. This is
expected since the device is using a trial license. FortiGate trial licenses do not support
any of the high encryption algorithms that the browser, by default, uses.
7. Restore the initial configuration file required by these labs. Go to System > Status and click the
Restore link inside the System Information widget:
Note: Now that there is network connectivity between the Windows VM and the FortiGate
VM, you can alternatively use the PuTTY application in the Windows VM to access the
FortiGate CLI.
set timezone ?
After pressing the question mark key at the end of the last command, the CLI will display a list of
time zones with their ID numbers. Press the space bar to page through the list. Locate your time
zone and take note of its ID number.
After locating the ID for your time zone, type these commands:
end
11. In the FortiGate GUI go to System > Config > FortiSandbox, select Enable Sandbox inspection.
Select FortiSandbox Appliance and enter the following settings:
IP Address: 10.200.5.213
13. Open a new web browser tab (or window) and connect to the FortiSandbox GUI:
https://fsa.training.lab
Log in using the default credentials (username admin with no password).
14. Go to File-based Detection > File Input > Devices, and select the FortiGate firewall. Click Edit,
enable Authorized and click OK.
15. In the FortiSandbox GUI, go to System > Dashboard > Status and click the Change link besides
the System Time.
Adjust the Time Zone to match your geographical location. Enable Synchronize with NTP Server
and type pool.ntp.org as the NTP server.
Name: Test_Heuristics
Leave the other settings with their default values and click OK to save the changes.
2. Go to Policy & Objects > Policy > Proxy Options. Verify the default profile and make sure that the
options for HTTP and SMTP have been enabled and set to the correct default ports:
3. Go to Policy & Objects > Policy > IPv4. The traffic from the Windows server to the Internet
matches the first policy on the top from port3 to port1. Click this policy and click Edit:
In the Security Profile section, enable Antivirus, and select the Test_Heuristic profile from the
drop-down menu.
edit Test_Heuristics
end
http://www.training.lab/fortisandbox
Download these 3 executable files from the website:
fsa_downloader.exe
fsa_dropper.exe
fsa_sample_1.exe
Note: Because the FortiGate firewall in this lab is using a trial license, HTTPS inspection is
not supported. Make sure that you are connecting HTTP, and not HTTPS, to the internal
web site. If you download any of those files using HTTPS, the FortiGate firewall will not be
able to inspect the traffic and send the files to FortiSandbox.
2. Log out from the FortiGate GUI, then then log in again. A new menu section (Log & Report >
Security Log > AntiVirus) should appear. Go there and notice that only the file fsa_sample_1.exe
was sent to the FortiSandbox. The other two files were not. Do you know why?
3. In the FortiSandbox GUI, go to System > Status and check the Scanning Statistics widget. If the
FortiSandbox has not finished processing the file, you will see one file in the Processing state.
In that case, wait and refresh the widget until it eventually shows that 1 file is Processed and 1 file
is Clean.
5. In the FortiGate GUI, go to Security Profiles > Antivirus. Click the "+" icon at upper-right corner to
create a new profile. Configure these settings:
Name: all_executables
Leave all other settings with their default values. Click OK to save the changes.
6. Create a file pattern list that will match all the files with the .exe extension. This file pattern will be
later used in the antivirus profile configuration.
First from the FortiGate CLI, enter this command to enter into the DLP file pattern configuration
mode:
delete 1
Now, create a new entry:
edit 1
config entries
edit *.exe
end
end
edit all_executables
set analytics-bl-filetype 1
end
8. In your FortiGate GUI, go to Policy & Objects > Policy > IPv4 and edit the port3 to port1 firewall
policy.
In the Security Profile section, change the antivirus profile to use all_executables instead of
Test_Heuristic. Click OK.
http://www.training.lab/fortisandbox
Download the 3 executable files:
fsa_downloader.exe
fsa_dropper.exe
fsa_sample_1.exe
11. In the FortiSandbox GUI, go to System > Dashboard > Status. Wait until Scanning Statistics
shows that all files have been Processed.
Review all of the details listed for that malware, such as:
Source and destination IP addresses
Files created by the malware
Sequence of suspicious steps (behaviors) executed by the malware
Configure FortiMail and FortiSandbox to communicate with each other. Confirm that this
communication is successful by having the FortiMail submit files for inspection.
2. Type these CLI commands to set port1's IP address and disable the HTTP to HTTPS redirection
of the GUI:
edit port1
set ip 10.200.2.100/24
next
end
end
edit 0
next
end
Note: Now you can alternatively use the PuTTY application in the Windows VM to access
the FortiMail CLI.
http://fml.training.lab/admin
Log in using the default credentials (user name admin with no password).
Note: You might notice that you cannot connect to the FortiMail GUI using HTTPS. This is
expected as the device is using a trial license. FortiMail trial licenses do not support any of
the high encryption algorithms that the browser, by default, uses.
IP Address: 10.200.5.213
Domain: -System-
Use default values for other settings. Click Create to save the profile.
Select Sandbox_AV as the AntiVirus profile and leave all other settings with their default values.
Click Create.
http://fml.training.lab/mail
Log in as student with the password fortinet.
2. Click Compose Mail.
Send an email to student2@training.lab with the subject Test file 1. Attach the file
fsa_downloader.exe downloaded in a previous step. Click Send.
3. Send two more emails to the same user (student2@training.lab). Attach fsa_dropper.exe to one,
and fsa_sample_1.exe to the other one.
4. Wait a few seconds, then log out from web mail. Log in again, but this time using the name
student2 with the password fortinet. You should observe that only the email with the
fsa_sample_1.exe attachment was received.
5. Return to the FortiMail administrative GUI:
http://fml.training.lab/admin
Go to Monitor > Log > History. You should observe a new log entry.
Select the log file and click View. It should show logs for the three email that you sent. Two were
discarded. The antivirus scan did not detect a virus in the third email.
The emails with fsa_dropper.exe and fsa_sample_1.exe attached were both discarded because
FortiSandbox identified those files as suspicious.
Objectives
Configure a FortiSandbox device to capture traffic and inspect it for potentially dangerous files
Time to Complete
Estimated: 15 minutes
1. Configure the FortiGate to stop submitting files to the FortiSandbox. The simplest way to do this is
by disabling antivirus scanning.
Connect the FortiGate GUI, and go to Policy & Object > Policy > IPv4. Edit the firewall policy from
port3 to port1. Disable antivirus inspection and click OK.
2. In the FortiSandbox GUI, go to File-based Detection > File Input > Sniffer and click Enable Sniffer.
Keep port2 as the interface where you want it to capture traffic.
Click OK.
3. Wait about 2 minutes to allow the sniffer process to start. Then go to:
http://www.training.lab/fortisandbox
Download these three files one more time:
fsa_downloader.exe
fsa_dropper.exe
fsa_sample_1.exe
4. In the FortiSandbox GUI, go to System > Dashboard > Status. Check the Scanning Statistics
widget and wait until all the files are Processed. You should observe 2 suspicious and 1 clean files
under the Sniffer column.
Go to File-based Detection > Scan Results > Suspicious Files. More entries were added for the
suspicious files that the sniffer detected.
Go to Log & Report > Log > Local Log. Examine the related log entries.
5. Go to File-based Detection > File Input > Sniffer and uncheck Enable Sniffer. Click OK.
Objectives
Manually submit files for inspection
Scan network file shares for suspicious files
Manually submit URLs for inspection of potentially malicious web sites
Time to Complete
Estimated: 45 minutes
1. In the FortiSandbox GUI, go to System > FortiView > On Demand. Select Submit File. Click
Browse and select the file fsa_dropper.exe.
Check the Sandboxing and Cloud Query boxes to bypass those types of inspection.
Go to Log & Report > Log > Local Log and examine the entry for the submitted file.
3. Return to System > FortiView > On-Demand and submit the fsa_dopper.exe file again. This time,
do not bypass any inspection type.
Click on the refresh button. Wait a few minutes while FortiSandbox processes the file.
In this exercise, you will configure the FortiSandbox appliance to scan a network file share on the
Linux server.
\\10.200.1.254\share
2. Copy and paste all three files you downloaded from the internal website to this shared folder.
fsa_downloader.exe
fsa_dropper.exe
fsa_sample_1.exe
3. Open a new File Explorer window and go to this shared folder:
\\10.200.1.254\quarantine
The quarantine folder will be used later to quarantine suspicious files detected by the
FortiSandbox appliance.
Leave these two folder windows open.
Name: Share
Server IP 10.200.1.254
Sharepath /share
Leave all the other settings at the default values and click OK to save the file share.
2. Edit the file share created and click Test connectivity at the bottom.
Ensure the FortiSandbox appliance reports that that share is accessible. Click OK to close it and
check that the status appears.
3. Edit the file share more time and click Scan Now. The unit will start scanning the files in the
shared folder.
4. Go to System > Dashboard > Status and check the Network column in the Scanning Statistics
widget. Wait until the unit has processed all the files.
Once the scan is complete, go to File-based Detection > Scan Results > Suspicious Files. You will
find details about the suspicious files being reported by the file share inspection.
5. Refresh the two file share folders open on your desktop. You will notice that the content has not
changed. The share folder still contains the 3 files and the quarantine folder is still empty.
Note: Simply enabling a file share does not configure a FortiSandbox appliance to
quarantine any suspicious file.
Name: Quarantine
Server IP 10.200.1.254
Sharepath /quarantine
Leave all the other settings with the default values and click OK.
2. Edit the quarantine folder you just created and click Test connectivity.
Confirm that the folder is accessible.
3. Configure the FortiSandbox appliance to use the quarantine folder. Go to File-based Detection >
File Input > Network Share and edit the Share entry.
Select Enable Quarantine and choose the Quarantine entry. Click OK to save the change.
4. Edit your Share entry again and click Scan now. Wait until all the files have been processed.
Once the inspection finishes, refresh the two shared folders on your desktop (share and
quarantine). Notice the content of both has changed.The share folder still has fsa_sample_1.exe,
which is clean, but FortiSandbox replaced the other two files with .quarantined files.
The quarantine folder contains now a subfolder with two files per suspicious file detected. One file
contains the metadata of the suspicious file, and the other file the file data.
During this exercise you will upload a list of URLs that the FortiSandbox appliance will inspect.
1. Connect to the classroom website:
http://www.training.lab/fortisandbox
Right-click on the url.txt file and select Save Link As to save it to the Windows desktop.
Double-click the file to open it with a text editor. It contains a list of three websites.
2. In the FortiSandbox GUI, go to URL Detection > Scan Results > On-Demand and click Submit file.
Set Depth to 1 and click Browse. Select the url.txt file from the desktop, then click Submit.
Caution: The Depth value determines how far the FortiSandbox appliance will follow any
link on the page. For example, a value of 5 would cause the device to follow all links on the
initial page, then every link on all of the sub-pages, repeating this a total of 5 times.
Some websites might find this kind of activity to be suspicious, and therefore might
temporarily (or permanently) block your public IP address. Only use this feature to
investigate a website suspected of being hijacked or delivering malware.
3. Go to URL Detection > Scan Results > On-Demand. Wait a few minutes until the Status of the
submission changes from In-Progress to Done. Meanwhile, click View Jobs to examine which
URLs FortiSandbox has already inspected.
4. After FortiSandbox has inspected the three URLs, click View Jobs again. You should observe that
FortiSandbox detected that one of the three URLs is suspicious. Click View Details for that URL.
Observe details such as Suspicious Behaviors, Files Created, and Network Behaviors. Then go to
the WIN7X64VM tab and click Captured Packets. Download a packet capture (PCAP) file.
Objectives
Generate reports about the sandboxed threats that FortiSandbox finds on the network
Time to Complete
Estimated: 15 minutes
1. In the FortiSandbox GUI, go to Log & Report > Report > Generate. Use these settings:
Click OK.
2. Go to Log & Report > Report > Access. Select the report, then click Download Report.
Click OK.
4. Go to Log & Report > Report > Access, select the new report, then click Download Report.
Save the new PDF file. Open it and compare its content with the content of the first report.
Objectives
Diagnose sandboxing connection issues between FortiSandbox and an integrated FortiGate
Determine whether or not FortiMail is sending a suspicious file to FortiSandbox
Determine the current FortiGuard package versions and last known connectivity status
Time to Complete
Estimated: 30 minutes
In this exercise, configure the FortiGate firewall to submit files to the FortiSandbox appliance again
while running and analyzing the output of some FortiGate debug commands.
1. In the FortiGate GUI, go to Policy & Objects > Policy > IPv4. Edit the firewall policy from port3 to
port1 and enable the Test_Heuristics antivirus security profile.
2. Use PuTTY to connect to the FortiGate CLI and enter these commands to enable the real-time
debug output for the quarantine process:
Caution: Always disable all debug output after finishing troubleshooting. Otherwise
debug output will continue to run in the background, even after an administrator logs out,
resulting in wasted CPU resources. If debug logs are written to disk, this can also result in
premature disk failure to the high volume of entries.
In this exercise, the FortiMail appliance will send a file to the FortiSandbox appliance again, while
running and analyzing the output of a FortiMail debug command.
1. Use PuTTY to connect to the FortiMail CLI. Enable these debug outputs.
http://10.200.2.100
Send an email to student2@training.lab with the fsa_dropper.exe file attached.
Examine the CLI diagnostic output. Did FortiMail receive the email? Did it scan the file? If so, what
was the verdict? What did it do with the email as a result?
....:AttachmentExtractorQF.cpp:90:visitRfc822Msg: attachment 1 is
skipped
1. From the Lab Overview dashboard of the virtual lab, go to the FortiSandbox VM and select
System > Open to connect to the FortiSandbox local console CLI.
sandbox-engines
It displays the version information for different components of the FortiSandbox firmware.
test-network
It runs a series of connectivity tests, including DNS and Internet access tests.
4. Enter the CLI command:
show
It displays all the interfaces IP addresses.
5. Enter these CLI commands:
status
vm-status
They provide information about the firmware, licenses and VM status.
Forums https://forum.fortinet.com/
In this lesson, we will explore many of the basic concepts you need to understand
FortiSandbox. This includes an overview of FortiSandboxs deployment methods.
After completing this lesson, you should have these practical skills that will allow you
to employ a FortiSandbox device in your network:
Understand how antivirus signatures work, what heuristics are, and how
sandboxing is different
Describe malware mechanisms and terminology
Understand FortiSandbox models, sizing, licenses, and support contracts
Locate documentation
Are viruses new? No, but the idea is even older than you may think.
In 1949, long before PCs existed, John Von Neumann gave lectures at the
University of Illinois about what he called self-replicating automata. On ARPANET,
the precursor to the Internet, the first virus, named Creeper, was detected in 1971.
Since then, malicious software has evolved into many types. Technically, although
we often refer to all malware as viruses, not every piece of unwanted software
behaves like a virus malware is not always self-replicating, and sometimes users
willingly install it. To include viruses, worms, Trojans, spyware and all others, we
now use the term malware.
A Trojan can infect the same host multiple times, but that happens when another
copy arrives from an external source. The local copy of the software does not try to
re-infect the computer.
Just as viruses have evolved many vectors for spreading, they also have evolved
many techniques for evading antivirus engines and manual analysis.
Viruses can encrypt their payloads, or change the exact code. As a result, when
comparing a signature to the binary sample, the two therefore arent an exact, bit-
by-bit match. So in order to detect the virus, the engine must be able to either:
match flexibly, or
ignore the changeable parts of the code, and match only based on the
polymorphic or metamorphic engine.
Ideally, security researchers find a vulnerability before attackers make the software
to exploit it. This gives the vendor time to create a patch and security companies
time to create signature or engine updates. But in the case of a zero-day attack,
there is no advance notice. There is a dangerous gap: systems are being exploited
but no fix or defense is available.
Exploits for unknown vulnerabilities called zero-day attacks are sold for large
amounts of money on the black market. Since these exploits arent known to their
vendors, nor to security experts, theres no available patch or signature for
detection. Thats what makes them so dangerous.
Some companies and organizations like Facebook and Google have offered
bounties for the responsible disclosure of these exploits, but theres a very profitable
market for black hat hackers to sell these discoveries to everyone from covert
government surveillance to organized crime syndicates.
Zero-day attacks are the keys to unauthorized access of your entire network.
If you notice an attack, your initial self-defense instinct may be to immediately take
the server offline, then format it to remove all traces of malware. But by doing this,
youll alert the attacker, and destroy forensic evidence. For motivated attackers, this
will only educate them their next attack will be harder to detect, and more
sophisticated. Make sure your team understands the most appropriate way to
respond to each different type of intrusion.
If youre vigilant, and if you have the resources, you can also write your own custom
IPS signatures. Better yet, add a FortiSandbox.
Malware can behave in many different ways. Sometimes, they combine different
behaviors. Malware developers are highly skilled and actively work to avoid
detection. Malware developers often test their results against antivirus engines,
including Fortinets.
When FortiSandbox makes reports about detected malware, it will use specific
words to indicate the malwares behavior. Lets define those words.
Regardless of how the virus spreads, once installed, a virus is somehow malicious.
What makes it malicious? Its behavior. (This is one of the reasons, by the way, that
security analysts use sandboxing such as FortiSandbox to discover new viruses.
Looking at which C functions a virus contains, for example, cannot find all viruses.
Forensics lab must see which functions actually execute, and what the effects are.)
Most people are familiar with spyware, adware, and rootkits. Malware could also be:
Ransomware such as the CryptoLocker worm is fairly new. The software holds
the computer hostage, often encrypting critical user data with a password or
secret key, until the victim pays the extortionist.
Key loggers record key strokes and return them to a remote location including
sending administrator logins and personal email addresses for executives.
Mass mailers transform computers into open relay mail servers for the botnet,
often managed via a remote command and control, sending spam for hire. These
are often operated by organized crime syndicates.
An infector is a type of malware that inserts code into your files. Every time a user
starts that program, or opens that file, the code runs. This is a classic computer
virus.
When infected, hosts may connect to a server controlled by the attacker. The
attacker then uses the compromised hosts effectively as if the botnet is their
personal cloud: to send spam, attack other servers, and even re-compromise hosts
where the administrator has removed the original virus.
Cross-site scripting (XSS) using malicious JavaScript, for example, can redirect web
traffic through a compromised server.
An example of this would be a keylogger tool that records all of the keystrokes a
user types and then sends them back to a remote server.
A backdoor is a type of malware that provides a remote user access to, or control of,
the system while bypassing any sort of normal authentication measures.
This malware often propagates through infected web browsers or browser add-ons.
A rootkit is a type of malware that gains administrative privileges (like a root user on
a UNIX system). Because only the Administrator or root account has sufficient
permissions to see the malwares files, normal user accounts cant see them, and
they can remain hidden for a long time unless you are monitoring for unexpected
traffic or root files.
A dropper is a type of malware designed solely to bypass detection and install other
kinds of malware. Droppers can be difficult to detect by virus scanning because they
usually look like a normal installer or other system file.
Now that we know how viruses behave, how can we detect them?
Lets discuss antivirus signatures and heuristic antivirus scanning, including their
limitations, and how sandboxing fits in.
Different vendors have different names for the same virus. Some vendors use
patterns that detect one virus per pattern, while others use patterns that are more
flexible, and can catch multiple viruses with a single pattern. It varies by the
vendors engine.
What is standard is the attack vector designation. Its at the beginning of the name.
For example, if the vector is W32, it represents 32-bit Windows. W64 represents
64-bit Windows. JS represents JavaScript (which is cross-platform).
To design for these challenges, Fortinet uses CPRL (Compact Pattern Recognition
Language) to write its signatures. That way, FortiGate can detect a wide variety of
malware using a relatively small database.
What is another way that FortiGate can use to detect viruses? It can look for
attributes that viruses usually have and make educated guesses in other words, it
can apply heuristics.
Both antivirus signatures and heuristic rules have limitations. They can only
detect what they are configured to know according to the antivirus engine and its
signatures. Plus, with heuristics, the antivirus engine could sometimes mistakenly
quarantine innocent files.
Emulating the code, or running a full simulation, is a much more certain method.
Some network virus scanners can do some runtime code execution. Full execution
is generally not done by a network virus scanner, however: smart malware will
disable or destroy antivirus scanners, and could infect the host. Full code execution
requires a separate, protected environment. This requires system resources and
time thats not normally available on a network device. In other words, it requires a
sandbox
Obviously you shouldnt try a potential malware file unless its in a very controlled
environment. So malware analysts have usually created their own isolated hosts
and networks to do this. These are called sandboxes: expendable hosts that
arent connected to the rest of your network.
Just like a childs sandbox environment in which play structures are created, once
complete, a sandbox host is torn down and reset back to the original state. There is
no risk to the integrity of your overall network.
Like honey pots, manual sandboxing requires resources and expertise. Theyre not
trivial to set up. If not done correctly, malware could escape and cripple thousands
of hosts on your network. Developing safe removal procedures for unknown
malware can require expert knowledge of the operating system.
FortiSandbox simplifies much of the complexity of creating your own sandbox, and
thereby makes it safer. In addition, sophisticated and detailed tracing software
record the behavior and provide a report on the activities. This is a crucial step to
defending against new malware.
If you want to submit a new virus manually, go to the FortiGuard web site. Upload
the file for scanning. If the virus does not currently exist in any of the FortiGuard
Antivirus databases, the web site will report it as being clean. You will then have
the option to submit the sample to FortiGuard analysts. They will develop a
signature for it, as well as engine modifications (if necessary), and this will be in the
next update that your FortiGate and FortiMail devices download from FortiGuard.
In addition to protecting your own network, this obviously also helps to ensure that
others networks wont be infected either. By being part of a united security
community, you can help to stop botnets from growing into large threats that
can DDoS and spam your servers. This has benefits for you, and not just your
neighbors.
Apart from the virtual machines inside FortiSandbox the images of target hosts
such as Windows 7 and other platforms that malware could attack FortiSandbox
also has FortiGuard engines and packages, including the extreme database for
FortiGuard Antivirus.
The master VM is the original system in which the Windows license key is activated.
A snapshot is created so the master VM contains the main image plus a snapshot.
The snapshot is taken in a running state in order to achieve a faster startup (no
waiting for the system initialization).
Once started, the master VM is cloned and each new VM is set in such a way that
after terminating the execution of a sample, it reverts to the snapshots. This way,
there is no risk of infection of the system because each sample is run in a clean
environment that has been started from the snapshot.
Once the process is finished, a rating engine evaluates the behavior and decides if
the file is malicious or not. FortiSandbox replies to the device that submitted the file,
and if the file was malicious, may help it to create a signature and alert. By default, it
also notifies FortiGuard Cloud of the result. FortiGuard security researchers utilize
the results to develop detection signatures, which your FortiGate and other Fortinet
devices can then use to protect your network.
The number of files scanned per hour listed in the FortiSandbox specifications is
based on a calculation of 3 minutes per file--which is a worst case scenario
calculation (a safe estimate). In actuality, since file sizes and scan times are
variable, the real number of files that get scanned will generally be higher then the
value advertised. FortiSandbox uses adaptive logic to decide how long a file should
be sandboxed.
For example: A 1000D is listed as being able to scan 160 files per hour.
This is determined by assuming all 8 VMs are inspecting files and spending the full
3 minutes to sandbox each one. In production, not all files will be sandboxed for the
full 3 minutes (or even sandboxed at all) so the actual number of files that will be
scanned per hour is going to be higher.
As a hardware appliance, FortiSandbox has two models: 1000D and 3000D. The
differences between the two are noted in the table.
The number of files a FortiSandbox virtual machine is capable of scanning per hour
depends on the processing power and speed of the server on which it has been
installed. Providing more resources for the image will increase the amount of traffic
it can process.
Note that having a FortiSandbox VM of any significant size requires a large amount
of memory and processing power. You must also consider drive space.
The FortiSandbox puts files into a queue for scanning if it cannot keep up with
traffic.
Different FortiSandbox models have different capabilities. The snapshots that is,
instances of a host such as Windows 7 configured in a specific way, running specific
services at a specific time are configured slightly differently as well.
For example, Microsoft Office 2007 does not understand Office 365 files, but Office
2013 does. This means that only the 32-bit Windows 7 VM can be used to sandbox
Office 365 files. So if all snapshots of WIN7X86 are in use, the Office 365 file will
be queued as a job and wait for the next available instance of WIN7X86. If another
file is submitted with different snapshot requirements and other VM images are
available (while the Office document is waiting), it will be scanned first.
There are a couple of reasons that Windows XP VMs are run on FortiSandbox:
1. Windows XP still accounts for a large portion of the desktop market today.
2. Windows XP is less secure than newer Windows operating systems. This makes
it an easier vector for infection and therefore a target for malware developers.
3. Windows XP-based malware running on Windows 7 will be forced to contend
with the Windows 7 architecture (even with the built in XP emulation), which
could result in a failed execution because of some aspect of Windows 7.
One of the reasons FortiSandbox does not have more VMs with newer operating
systems is due to the nature of the malware landscape itself. Currently, the majority
of the threats observed by FortiGuard are Windows XP and 32 bits.
Why is this? It has to do with malware code. 32-bit code can run in both a 32- and
64-bit environment. All 64-bit operating systems include a 32-bit emulator for code
execution. Because of this, malware developers prefer to write code in 32-bits; 64-
bit code reduces the number of possible infections (because 64-bit code cant run
on 32-bit machines). Since Windows XP uses different technology than newer
Windows operating systems, use of the 32-bit emulator is more reliable than on
Windows 7 and 8.
The design of the FortiSandbox, however, allows for additional OSes to be added
over time as the threat landscape evolves.
A FortiSandbox support contract (on both the hardware appliance or VM) entitles
you to:
1.Next business day hardware exchange. If the hardware breaks and it is under
contract, a replacement is shipped and should arrive on the next business day.
2. Technical support.
3. Updates from the FortiGuard Distribution Network. This includes updates to the
virus definitions and engine, the sandbox engine, the network alerts, cloud queries,
and URL ratings.
When FortiSandbox boots, it validates the licenses of the VM images it uses for
scanning. This requires an Internet connection. Once the images are activated, the
VMs inside FortiSandbox are cloned each time that it needs to create a sandbox,
then destroyed at the end of the sandbox job.
License files are applied through the FortiSandbox Web-based manager or CLI (the
process is similar to FortiGate).
You can download the license file for Microsoft Office from the Customer Service &
Support website, after which you must manually apply the license to FortiSandbox.
Once the license file is applied, the software on the VM is automatically unlocked
and FortiSandbox begins scanning Office documents. All versions of Office
documents can be scanned, including Office 365 files.
FortiSandbox feature support varies by which device is submitting files, and what
firmware version they have.
For general information on how to analyze malware, you can begin with some of the
books and web sites listed here.
In this lesson, well show how to complete basic settings that are independent of
your FortiSandbox deployment topology.
After completing this lesson, you should have these practical skills that you can use
to complete basic FortiSandbox setup, up to the point where traffic is flowing and
you can begin to apply security settings.
Lab exercises can help you to test and reinforce your skills.
When deploying FortiSandbox, you first need to know where to position the device
within your network.
Issues you need to consider are connectivity and administrative access. For
example, will the VM images running on the sandbox be allowed to access the
Internet? Which network segments should be able to access the web-based
manager (GUI)?
Finally, should there be any access restrictions on the Internet for the FortiSandbox
itself? If you want to have access restrictions, then you many want to consider
running FortiGuard through FortiManager.
When FortiSandbox is deployed within a network, you should ensure each port on
the device serves a specific purpose.
Port 1 is locked to provide access to the GUI and CLI. Likewise port 3 is locked so it
provides outside access to the VMs.
However, port 1 (through the use of various static routes, as needed) could also be
used for other types of system management traffic, such as alert emails or SNMP
traffic. Port 3 can also be used, not only for Windows VMs' Internet access, but also
for FortiSandbox Internet traffic, such as FortiGuard and DNS traffic.
This leaves six other ports available for files submissions from devices and sniffer
deployment.
So, the behavior for ports 1 and 3 is hard-coded and cannot be changed:
It is important to note that the VMs will use Port 3 to access the internet. This
means malware uses it to access the Internet, and as such, for the accuracy of
malware detection this port should be unrestricted. You must ensure, however, that
this interface has no possible way of accessing the internal network, since it could
result in the spread of malware through the network.
You can prevent the VMs from sending traffic out Port 3 to access the internet, but
this will lead to less accurate detection.
Not all of the ports on FortiSandbox are setup up to allow for administrative access.
Only Port 1 is hard-coded to allow for admin access on HTTPS and ping. These
cannot be disabled.
Due to the nature of software that FortiSandbox is intended to find, the resulting
traffic can lead to a bad reputation for that IP. If you have legitimate services running
on that connection, it could result in a service disruption (due to a bad reputation).
The reality is that your IPs reputation is always at risk from infected computers
within your network. Sandbox execution is very short, so while it is unlikely to result
in a poor reputation, it is still a possibility to consider.
If you plan to allow access to the Internet, your best option is to use a dedicated
Internet connection for the outgoing FortiSandbox traffic.
If you decide not to allow Internet access to the VMs on FortiSandbox, inspection
occurs as illustrated in this downloader example.
When the malware does a DNS query, the FortiSandbox responds with an internal
IP address. When the software then attempts to download some software, the
FortiSandbox provides a fake download package. This allows the downloader to
successfully execute even without access to the internet.
If you decide to allow Internet access to the VMs on FortiSandbox, the same
downloader could result in a very different report.
Starting with the IP address to which the malware connects, the IP reputation
information for that could be very different. The payload the malware downloads
could also be very different and possibly result in a specific malware detection. If
that payload results in Callback connections (C2) to a botnet, there is no way this
could be detected in an environment without internet access because the payload is
faked.
If Internet access is allowed, traffic generated by the VMs should have full,
unrestricted access. If traffic gets filtered then it could be blocked on the way to the
Internet, which would result in less accurate reports because some responses are
not received.
Without Internet access some of the checks will not result in accurate detection.
This means that certain types of malware detection will not work as well as they
could.
Allowing Internet access to the VMs is not just about increasing the risk to the
reputation of your IPsit also directly improves the ability of the device to
accurately detect malware.
The best results occur when Internet access is allowed, so this is the preferred
deployment.
You can enable or disable the Internet access for the VM under the general system
configuration setting.
In this section, we will explore some of the required setup settings that must be
configured, regardless of the method of input used to receive files.
All new FortiSandbox devices come with the same default IP addresses: Port 1 is
192.168.0.99, Port 2 ends in 1.99, Port 3 ends in 2.99, and so on.
The FortiSandbox web-based manager is designed to have the same overall look
and feel of other Fortinet products, like the FortiGate or FortiMail. As such,
configuring the interface from the web-based manager is similar.
To complete the same task from the CLI, type set followed by the port designation,
the IP, and subnet. Examples include:
Each interface supports the use of a static IPv4 and/or IPv6 IP addresses.
Each interface that sends or receives traffic on FortiSandbox needs to have a static
IPv4 and/or IPv6 address assigned to it in order to be usable. In order to get to
external IPs like the Internet (for VMs and possibly FortiGuard) or other subnets,
you need to manually add additional static routes.
Any investigation into new malware is going to come back to when it was first
submitted to FortiSandbox and from where. In order to make sure this information is
determined with precision, the clock must be accurate, otherwise it will be difficult
(and possibly impossible) to determine where this malware went and how far it has
spread.
In order to make forensic analysis easier (or possible) it is import to make sure that
all the network devices have their clock set accurately.
To setup an NTP server on the FortiSandbox, select [Change] by the System time
on the System Information Widget of the status page and configure an NTP server
to synchronize with.
When you initially log into FortiSandbox, you use the factory default login settings
(i.e. user name admin and a blank password). The default login remains active until
you manually change it.
You can change the default admin password from the GUI under System > Admin >
Administrators, editing the admin user and saving a new password.
Not all user information needs to be stored locally. To ensure administrative users
follow the company's password policy (or to ensure that users have the same
password everywhere) FortiSandbox can use LDAP servers to verify the password
for admin users.
You can configure an LDAP server through System > Admin > LDAP Servers.
Note that when this is configured, there is no option to set user privileges. All users
that verify their password using an LDAP server are considered to have Read-Write
privileges.
After an LDAP server has been saved an administrative user can be configured to
use this server in order to verify their password.
This is done by editing the user (or creating a new one) under System > Admin >
Administrator and setting the Type to LDAP.
Once this has been changed the option to alter the users privileges will disappear.
It is important to configure administrative access rights, since the device can only be
accessed through port 1. Responding to HTTPS and ping is hard-coded port 1
behavior. You can also enable additional protocols like HTTP, SSH, and Telnet. Note
that the administrative GUI cannot be enabled on any other interface.
An interfaces settings can be changed by going to System > Network > Interfaces
and then editing each interface individually.
You can also configure the default idle timeout for administrative users. This can be
set from 1 minute, up to 480 minutes. The idle timeout can be adjusted under
System > Admin > Settings.
Rather than closing access to the outside altogether, another option is for
FortiSandbox to use an external proxy to communicate with the outside.
Under System > Network > Proxy, you can set up a proxy the FortiSandbox will use
for the VM communication. VM traffic is still locked to port 3, meaning the proxy
must be reachable out of the port 3 interface.
The admin password reset procedure is similar to the procedure on other Fortinet
devices.
First, connect to the console port and physically power cycle the devicea reboot
from the GUI or CLI is not sufficient.
Once the device is rebooted, log in with the user maintainer (all lower case) and
the password bcpb (lower case), followed by the serial number of the device (all
letters in uppercase). Access through this user is only available through the console
port and only for about 30 seconds after a hard power cycle. Once you log in, you
can change the admin password using the CLI command: admin-pwd-reset.
New AV signatures allow for detections of additional malware without the need to
resort to sandboxing.
An up-to-date database of IPs allows for more accurate botnet callback detection.
Abnormal behavior and connections to botnets can be identified through network
alerts.
Updates to the Sandbox engine help improve the results of reports by improving
components like the malware tracer or rating engine.
You must use FortiManager 5.0.6 or newer firmware in order for FortiManager to be
able to recognize FortiSandbox. Check the FortiManager Release Notes to find out
the supported FortiSandbox models and firmware.
Overrides for package updates and FortiGuard web filtering queries can be set to
enabled and configured to use the IP or FQDN of a FortiManager. If there are
updates to the virtual machines themselves, they can be manually stored on an FTP
server and configured for use in the FortiSandbox. This allows the device to update
automatically while still operating within the confines of a closed environment.
The first step in the upgrade process is to read the Release Notes of the firmware to
which you are upgrading. This ensures that the upgrade is supported (you may be
required to perform an intermediate upgrade rather than a direct upgrade, so its
good to check). The Release Notes will also make you aware of any changes to the
device behavior.
The next step is to download the firmware image. The firmware does not include the
VM images. Some upgrades may require that the VMs are updated after the
firmware update. If so, this will be in the Release Notes.
The next step is to perform the actual update by applying the image through the
Web-based manager or CLI.
Finally, once the update is finished, check the status in order to make sure
everything is working properly. This includes verifying that the files continue to be
submitted and that any other post-update tasks are performed (like updating the VM
images).
In this section, we will briefly explain the four different input sources available to
FortiSandbox.
A FortiSandbox is capable of scanning files for malware from four different sources:
in-line, sniffer, on-demand, and network share. None of these are a mode of
operation for the device (unlike NAT vs Transparent). They are simply methods of
input that can be used concurrently or in any combination.
In-line is used when other Fortinet products (the FortiGate and FortiMail) submit
files directly to the FortiSandbox.
With 3rd party devices, files must be extracted by having the FortiSandbox look at
the traffic from a mirrored port. This is when you would make use of sniffer based
inspection.
You can manually submit files on-demand at any time using either the FortiSandbox
web-based manager or the JSON API.
You can also configure the FortiSandbox to monitor network file shares in order to
look for files to scan.
For the in-line input source, which allows you to automatically submit files, the only
devices that currently integrate with FortiSandbox 2.0.3 are FortiGate and FortiMail.
File submission is also supported for any file types the FortiGate and FortiMail can
intercept and understand. After the file is scanned, FortiSandbox sends details
about the scan back to the device that submitted the file.
Files can be submitted from any protocol for which the FortiGate is configured to
inspect content (including encrypted content).
For the sniffer input source, FortiSandbox can monitor network traffic through two
possible connection methods: RJ-45 copper cabling, Fiber Optic cables.
In order to mirror traffic with fiber optic communications a TAP device is inserted in
the line.
TAP devices effectively do port spanning for fiber connections. Light is split 50/50,
60/40, 70/30 (depends on the TAP device) so that the same light now flows in 2
directions, making a copy.
The on-demand input source involves manual file submissions to the device, rather
than automatic ones.
Rather then manually submitting files to FortiSandbox, you can use Network shares.
You can save files directly to a network file share and configure the FortiSandbox to
access that file share in order to find files to scan and sandbox.
In this section, we will take a deeper look into how FortiSandbox behaves when files
are sandboxed.
FortiSandbox allows you to configure a file scan profile under File-based Detection
> Config > Scan Profile. The scan profile helps streamline the sandboxing of files.
In order to do a complete scan for certain types of files, FortiSandbox requires more
than one run through in a sandbox environment to finish the job. The scan profile is
available to reduce unnecessary file sandboxing and improve performance.
Flash and PDF files have no version information within the files themselves, so
there is no way to determine what version of Adobe a piece of potential malware
may be intended to attack ahead of time. In order to get a complete picture, these
files need to be sandboxed multiple times using different VM images.
Take the example of a PDF file. After the initial malware scan is finished, the file
gets sandboxed if nothing is detected. Default settings will cause the file to be
sandboxed up to 4 times (each taking up to 3 minutes) in order to see if there is
malware that could affect Adobe 8, 9, 10, or 11.
When FortiSandbox is busy scanning files and runs into one that needs multiple
scans, those scans are done in whatever order the VM images become available to
use.
To continue with the example of a PDF document, a full scan with the default
configuration will require four separate VM images to finish. If the first available
image is WIN7x64, that scan occurs first. If it is a WINXP image with Adobe 9, that
scan occurs first. This continues until all necessary scans are finished, or a scan
comes back with a suspicious rating.
In this section, we will examine how to configure various alert options. Alerts notify
administrators about important events on FortiSandbox.
To configure, you must set up a mail server and provide the email of one or more
administrators to receive the notification alert. To customize what alerts are sent,
you can specify the rating of the job, for example, malicious, high risk, medium risk,
and low risk. You can configure alert emails under System > Config > Mail Server.
Only one alert email server can be configured. Weekly reports and reports for
malware detection can also be set up.
You can configure FortiSandbox to work with an SNMP server, with traps for high
CPU, low memory, low disk space, IP changing on an interface, and detection of
malware.
You can configure SNMP through System > Config > SNMP. Once the service is
enabled, communities can be created for versions 1, 2c, and 3 of the SNMP
protocol.
Depending on the traffic being generated by FortiSandbox (or coming in), different
ports are used.
In order to make sure those communications can connect, those ports need to be
available and not blocked by devices in between.
In this lesson, well explore how to deploy a FortiSandbox inline with a FortiGate and
FortiMail.
After completing this lesson, you will have the practical skills to be able to configure
and deploy FortiSandbox in combination with FortiGate and FortiMail.
When you consider incoming traffic, the only port that can never be used for
incoming connections is port 3.
Port 1 is for management access, but can be used for external devices to deliver
files. However, if there are a lot of incoming file submissions it can interfere with the
management traffic. This can include access to the CLI and GUI, as well as alert
emails, SNMP, and more. Best practice is to connect external devices somewhere
other then port 1.
Accordingly, aside from port 3, an external device can use any other port to
communicate with FortiSandbox (connect and deliver files). You can use multiple
ports as a way of balancing traffic and preventing an interface from being saturated.
You can configure FortiMail to send a copy of any potentially dangerous email
attachment to FortiSandbox.
In the FortiGate CLI there are some settings that will impact whether or not the
FortiGate sends a file to the FortiSandbox based on its file size.
The first size limit applied is the oversize limit (uncompressed oversize limit in the
case of archives). Any files larger than this limit are not virus scanned. Since files
are only sent to FortiSandbox after they are virus scanned, anything over this limit is
not sent to FortiSandbox.
Within the AV profile itself there is a second setting to limit the maximum size of the
upload. Any file that has been virus scanned and is larger than the maximum upload
size will not be sent to FortiSandbox.
Both settings are 10 MB by default, but you can adjust each independently.
Black lists and white lists are another FortiGate configuration option that adjusts
what is submitted to FortiSandbox.
A white list ensures that a particular AV profile submits only file types that do not
appear on the list. A black list does the opposite, submitting only the types that
appear on the list. An AV profile can only have a white or black list enabled, not
both.
Device authorization is configured through File-based Detection > File Input >
Devices. Find the device in the list on that page and editing the settings. Under
Permissions, enable the Authorized checkbox.
The communication protocol between FortiGate and FortiSandbox does not include
a method for FortiGate to transmit the list of VDOMs that it has enabled. When a file
is submitted from FortiGate, it is tagged with the name of the VDOM from which it
belongs. As such, a VDOM only appears on FortiSandbox once a file is submitted
from a AV profile configured on it.
You can also configure FortiSandbox to send notifications when a file is considered
dangerous and/or weekly reports outlining device activity. The email address is
configured on FortiGate when the connection to FortiSandbox is established.
The device IP address that appears on this page is the IP the FortiSandbox sees on
the packets when the device tries to connect. FortiSandbox does not communicate
with the FortiGate/FortiMail to obtain configuration details, so any kind of NAT
device will change the details that get shown here.
When integrating with other Fortinet products, communications are handled through
a Fortinet proprietary protocol. Data is encrypted using SSL and transmitted over
TCP port 514.
When a FortiGate/FortiMail decides to send a file for sandboxing, the device first
sends a hash to FortiSandbox. FortiSandbox does a lookup in its database in order
to find out if the file has already been scanned. If it has already been scanned, it
relays that information back to the device so the device will not spend resources
sending the file. If the lookup fails, FortiSandbox responds by indicating the file is
unknown. In this case, the device will send the file over to be stored and sandboxed.
An update to the virus package resets the hash table, as it changes the malware
FortiSandbox is capable of detecting. This change could result in the detection of a
previously unknown (new) malware signature, which the historical scans may not
have. So files submitted to the sandbox will only be scanned once, per update of the
AV database. If there is a period of time that the virus database is not updated (like
when FortiGuard access is not allowed), the database will be cleared out every 2
days.
A FortiGate can be configured to send all potentially malicious files or only those
flagged as suspicious by the heuristic scanning.
While FortiGate and FortiMail have slightly different file detection capabilities, what
they both send back to FortiSandbox is very similar. Both devices will only transmit
Windows executable files. Executables for other OSes are not sent, because
FortiSandbox only has Windows VMs.
Certain types of archives are sent as well. FortiGate and FortiMail have different
detection capabilities, so slightly different executable and archive types can be
detected and sent from each device. Java Runtime (JAR) files, PFDs, and Microsoft
Office documents are also transmitted, as are Flash (SWF) files.
After completing this lesson, you will understand sniffer mode and how to configure
FortiSandbox to inspect traffic from non-Fortinet products.
Sniffer mode allows you to configure interfaces on FortiSandbox to inspect the traffic
from 3rd party devices. In order to do this, a copy of the traffic needs to be sent to
interfaces on FortiSandbox.
For fiber optic cables, you need to use a TAP device in order to split the light beams.
For traditional network cables, a switch capable of doing port mirroring/monitoring or
SPAN is needed to send a copy of the traffic through a separate interface and out to
FortiSandbox.
Traffic occurring outside the boundaries of your network is not your responsibility.
External firewalls are designed to route and switch traffic, but they also block traffic.
It is the traffic that comes in from outside of any controlled environment that is the
most dangerous.
The traffic that should be sent to FortiSandbox is traffic that has already made it into
your network.
For these reasons, generally the best place to look at traffic is inside your network
and as close to your perimeter firewall as possible. The closer the traffic is to the
border of your network, the better.
FortiSandbox can look at traffic flowing in a single direction and parse it in order to
find and scan files. However from a forensic analysis perspective, having
communication in only a single direction makes forensic research more difficult.
FortiSandbox is not able to process VLAN tags when operating in sniffer mode.
Packets that reach the interface and are VLAN tagged will have the contents
inspected in exactly the same way as packets that are not VLAN tagged. The tag
itself is discarded and not logged in any way.
You can enable sniffer from the web-based manager through File-based detection
> File Input > Sniffer. Enable Enable Sniffer and select which interface(s) on
FortiSandbox to use sniffer-based file detection. Port 1 and port 3 have hard-coded
purposes already, so those cannot be selected. All other ports are available.
Ports set to sniffer mode have no IP address and cannot be used for any purpose
other than sniffer-based detection.
There are a few other options you can enable for sniffer, including:
Network alert detection. This examines the traffic for suspicious URLs, botnet
callbacks, as well at attack traffic.
Keeping Incomplete files. This is potentially useful, as incomplete files can still be
scanned for malware (though since part of the file is missing it will result in a less
accurate malware scan, but could still result in positive detection). However,
because the whole file is not there, it will not be sandboxed.
Maximum file size. This setting can be adjusted from 10Kb up to 200,000 Kb.
Keep in mind that larger files mean more storage space is needed.
Services. This option allows you to adjust the protocols FortiSandbox is looking at
in order to focus on specific vectors of infection or avoid overloading the job
queue.
When traffic is being inspected on an interface set to sniffer, you can enable
callback detection. This is used to detect traffic that is communicating to a botnet.
This is only available when the interface is operating in sniffer. With in-line
inspection, FortiSandbox does not see the actual traffic, so it is only capable of
sandboxing files. Also, FortiGate is capable of blocking botnet connection, where as
FortiSandbox can only report it because the traffic is mirrored.
In sniffer mode, FortiSandbox is directly inspecting traffic being sent to its interfaces.
This means that any kind of encrypted traffic cannot be inspected (HTTPS, FTPS,
StartTLS encrypted SMTP, etc.), because SSL is designed to be secure point-to-
point communicationsFortiSandbox is not part of those SSL negotiations.
The protocols FortiSandbox is capable of inspecting are HTTP, FTP, POP3, IMAP
and SMB. They can be detected over any port, not just the default ports for those
protocols
Just like in-line detection through Fortinet devices, the scan profile decides how
FortiSandbox scans and sandboxes different types of files.
In this lesson, we will examine the other methods that are available in order to send
files to a FortiSandbox for inspection. We will also show URL scanning.
After completing this lesson, you should have the skills to be able to:
In this section, we will explore how to manually submit files to FortiSandbox and
how to understand the job details and report results.
This can be useful in order to force specific scans to occur or test modified versions
of malware samples. It can also be used to retest files that may not have been
detected previously.
You can manually submit files to FortiSandbox from System > FortiView > On-
Demand.
Note that a password protected archive cannot have the contents scanned, so it will
not show up as an archive.
You can manually submit files to FortiSandbox for inspection one at a time. The type
of files you can submit are listed at the top of the Submit New File dialog box.
If you have an idea what FortiSandbox might discover about the file during
inspection, you may want to skip some of the normal scan steps in in order to get
better results. This allows a great deal of control in the behavior of the scan.
By going to the job details, an administrative user can view the specifics for what
happened in a particular job. This displays as a single file unless the file scanned
was an archive, in which case all the files contained within it are listed along with a
detailed report on the behavior.
At the top of the report a FortiSandbox classifies the file, for example High Risk
Dropper. If you do not agree with the results of the scan, you can mark it as a false
positive. FortiSandbox also displays from where the result came. In this example,
the results came from a cloud query, which means the file was scanned for
malware, but not actually sandboxed on the device.
You can print or download the report as a PDF document by clicking the print or
download icons from the upper right corner of the report.
On FortiSandbox, a network share and quarantine are the same things: NFS
(Network File Shares). The difference is how FortiSandbox treats them.
With network share, FortiSandbox connects to a NFS in order to look for infected
files.
You can create a new quarantine folder though File-based Detection > File Input >
Quarantine.
You must also configure the server location, share path, as well as the username
and password of the user with permissions to connect to the NFS. The user also
needs to have write permissions within that folder in order to successfully copy the
files that are considered suspicious. Since those files are considered suspicious,
you should ensure the NFS is not accessible to everyone. General users should be
not be allowed to access the quarantine folder in order to prevent further damage.
You can configure network shares through File-based Detection > File Input >
Network Shares. The options available are almost identical to configuring a
quarantine, because they are both NFSs.
In additional to the connection information, there are some other settings that can
be enabled in network shares and quarantine.
On the configuration of a quarantine share you can enable the option to delete a file
that is considered to be infected from the network share folder, or not.
In this section, we will examine how FortiSandbox inspects the contents and
behavior of websites.
URL scanning is performed by initiating VM images and using Internet Explorer (IE)
to connect to the URLs to examine their behavior. FortiSandbox uses a scan profile
(separate from the scan profile for sandboxing) to determine how to handle these.
The websites can be scanned with IE version 7, 8, 9 and/or 10. Just remember that
each version of IE requires an additional VM image to be instantiated.
URLs inspected this way must be manually submitted to FortiSandbox in the body
of a text file. Depending on the operating systems and browsers available within the
protected networks, it may be appropriate to limit the versions of IE used for the
scan.
Assuming your FortiSandbox has a connection to FortiGuard, the URLs are also
checked to find their rating. Dangerous categories are automatically flagged. The list
of categories shows all the ones that are automatically flagged, unless overridden.
When URLs are submitted, there is the option to set the inspection depth.
A depth of 0 means FortiSandbox only looks at the contents of the page directly
specified by the URLit does not follow any links to content located on the page.
A depth of 1 means that all links are followed one level. So if a page has a link to
second page and that page contains a link to download, the second page is
followed, but the download link on that second page is not.
The behavior of all URLs and files are contained in the report, so setting the depth
too high can result in an inaccurate report, as infected resources can be found off
the URL. Setting the depth too low can also cause inaccurate reports because
infected resources wont be detected. Set the value based on the amount of
investigation you wish to do on the website.
Another situation where it could be used would be to look at a company website that
was hijacked, in order to make sure that it is not being used for injecting malicious
code. The nice aspect of this is that you can do it immediately upon discovering a
hijack has occurred. You do not need to identify exactly what was done or how it
happened.
After this lesson, you should understand how to manually submit a file, configure
network shares and quarantines, and configure FortiSandbox to inspect Website
content.
In this lesson, we will explore the logs and reports generated on FortiSandbox.
After completing this lesson, you should have these practical skills in order to
monitor the day-to-day activity of FortiSandbox and conceptually approach and
prepare for a situation where FortiSandbox detects a piece of unknown malware.
In this section, we will examine how to view the log events that happen on
FortiSandbox.
The Status page provides a lot of information about the status of FortiSandbox,
including information about files submitted and detected, contract details, and
update information. You can also add/remove widgets and all widgets can be
customized to some degree. Depending on the nature of the widget, the
customization could involve adjusting the refresh rate, or adjusting the number of
entries returned based history length. Most widgets also include the option to drill
down on returned data in order to quickly obtain more specific details about the
data.
The FortiView tab is useful to view detected threat activity at a glance and makes it
easier to identify problem users, files, or devices.
The Threats by Users page organizes detected malware and suspicious files by
the user. If detection occurs from sniffer-based detection, or there is no
authentication enabled on FortiGate, then the IP address is used instead. Since you
can connect multiple FortiGate devices to a single FortiSandbox, the format for the
Device/Username column that indicates where the file submission came from is:
<device> (the name of the device when connected): <VDOM>: <IP or User name>
(user name if authenticated)
The Threats by Files page displays the same kind of information about the
detected threats. However it organizes the threats by file rather than device. This
allows you to more easily see if a particular threat is being detected more often than
others. This is useful in detecting if there is an outbreak of a particular malware.
The Threats by Devices page organizes the detection differently again, this time
according to the device that submitted the file to FortiSandbox. This can help you
more easily tell if a particular location is having a possible outbreak.
Under the File-Based Detection menu there are additional charts and widgets. The
purpose is to summarize the activity for file-based detection, which includes both in-
line and sniffer-based detection.
The Summary Report page pulls together all the information to provide an overall
look at what has been scanned and the results of the scans.
The Malicious Files page provides more detail about the virus detected through
scanning.
The Suspicious Files page provides more detail about files that were not detected
as viruses, but did exhibit suspicious activity.
The Clean/Unknown Files page contains all the results, whether either nothing was
detected or the scan did not finish because it was interrupted.
From Log & Report > Log > Local Log, you can view the event logs, which are
logs FortiSandbox stores for events on the device itself.
The local logs summarizes device activity, such as administrative logins, virtual
machine initializations, scan jobs starting, and other activities of that nature. For
detailed information, you need to locate the scan job itself and view the results.
You can also generate summary reports on demand. There are two types of reports:
executive summary and threat activity.
The executive summary report provides a break down of all the activity.
The threat activity report provides a break down of the files that were detected as
malicious or suspicious.
In both cases, you can set the time period to either the last 24 hours, the last week,
the last month, or specify a custom time period.
You can configure FortiSandbox to send event logs to an external appliance. This
allows FortiSandbox to link to a pre-existing notification system.
An external logging device allows for a central logging location. Central logging
makes forensic investigation easier, as all the log events and notifications are
located and correlated in a single place, without needing to swap back and forth
between devices.
FortiSandbox can log to two external appliances: Syslog and FortiAnalyzer (running
firmware 5.0.8 or newer, or a FortiManager).
Reports are not intended to remain in a vacuumthe results should not be taken at
face value. Experts should monitor both negative and positive reports for malware
detection in order to ensure the findings are accurate. If a report shows positive for
malware, it most likely indicates there is an active infection that you need to address
inside your network. Remember, reports come from files that have already entered
the network.
Any organization with a sandbox needs to have an incident response plan in the
event that dangerous new malware is detected and needs to be removed from the
network.
The first phase of an incident response plan involves receiving the alert itself. An
alert from FortiSandbox indicates positive malware detection that you need to
investigate. Your investigation should determine if:
The report is accurate or a false positive
Further action is required in order to mitigate infection and damage
When it comes to generating alerts, the diagram shows there are multiple avenues
available in order to fit into whatever monitoring system is already in place. This
helps ensure that somebody can receive the notification promptly and allow them to
act as quickly as possible.
The second phase of an incident response plan involves evaluating the alert, of
which there are two kinds: malicious and suspicious.
Malicious event occurs when the file is positively identified as an existing virus
through some method of scanning on FortiSandbox. Even though these files are
identified by FortiSandbox, they may have already passed into your network and
may be loose and spreading. You should investigate these alerts to determine if
there is an infection or not.
A suspicious event occurs when the file is considered clean by AV normal scanning,
but dangerous after sandboxing. Suspicious events are potential zero-day exploits
and deserve close attention in order to prevent potential loss of business critical
information.
The third phase of an incident response plan involves the investigation itself: the
details about the malware behavior, infection vector, and methods of safe removal.
In this phase, a malware analyst reviews the report information and examines the
malware in order to find out how it behaves. Depending on what the malware does,
rules may be added to the firewall to prevent/mitigate further infection. Infected
host(s) may need to be quarantined and cleaned, based on the results of the
investigation so far.
The fourth phase of an incident response plan involves the response to the phase 3
investigation findings. You should always have a plan for the worst case scenario. In
the event that this ever occurs, having a plan will result in significantly fewer losses.
For clean up purposes, the researchers need to have a variety of software and
utilities at their disposal.
Depending on the results of the investigation so far, the malware analyst should
have a good understanding of how the malware behaves, and hopefully, how to
remove it. If the malware is particularly dangerous and difficult to remove it my
require measures as drastic as formatting the device and reimaging it from scratch.
Being able to restore data from a backup will reduce downtime and lost data.
The fifth and final phase of an incident response plan involves documenting and
sharing your results. Once an incident has been handled it should be properly
documented in case of future reinfection.
Individuals whose job does not involve handling malware samples should never be
handling samples of unknown malware without good, documented reasons.
An example rule of a malware handling policy can be to always change the file
extension of malware samples when the sample is not being executed in order to
prevent files from being executed by whatever software the designers of the
malware intended to try and exploit. Some malware can infect during preprocessing
of the file, by certain utilities.
In this example, the first letter of the file extension is changed to Z. Any standard is
fine in this instance, since the ultimate purpose is simply to break any file
associations.
Another rule of a malware handing policy can be to always store the malware inside
an archive to allow for an additional layer of security and the ability to change
names and associations. Some software will attempt to execute (or preprocess) the
files inside an archive simply by opening it. Adding a simple password will prevent
that from happening with an accidental click.
The password can be reused on all malware samples. The purpose of this is to
prevent the malware from executing accidentally, so theres no need for the
password to be complex or rotating.
A third rule of a malware handing policy can be to always run the malware sample in
an isolated and unimportant environment. If the test machine can access the
internal company network, this can cause the malware to spread throughout the
company resulting in loss of data and/or disruption.
Important machines and/or machines with important data should never be used to
test malware samples. Some malware have protective measures built in so that if
any tampering is detected, they will damage the host. Virtual machines make
excellent testing environments.
Combining rules together (Example rules 1, 2, and 3) will result in greater security
for your company. A strong internal policy will help instill the proper behavior of
employees and let individuals know your company takes this seriously.
The first section is called Scan Job Details. As the name implies, this gives some
overall information about the scan, such as where the file came from, when it was
scanned, what protocol the file was transmitted on, how long the scan tookany
details that would help you track down the source of the file.
The next important section to discuss, very close to the beginning of the report, and
called Behavior Summary.
Some of the terminology used is some of the fields here will directly correspond to
the different types of malware.
Having a quick summary section is important because reports can be very long. The
report being used as an example is over 300 pages.
The next section details the activity that occurred. The Results for <VM Image>
section reflects the VM that detected the file as being dangerous or infected.
The Suspicious Behaviors section contains a summary of what the ratings engine
considered to be suspicious or dangerous activity.
In order to find specific details, the appropriate areas of the report need to be looked
at, but at a glance, this provides the highlights of the inappropriate behavior.
The next couple of sections describe the file activity that occurred while the file was
being sandboxed.
In this example, since this report in particular is about a .doc file, WinWord
(Microsoft Word) was used to open and examine the file as you can see in the
Launched Processes section. The file activity that occurred may have been
caused by the piece of malware or may have been caused by normal operations of
the processes involved. Proper understanding of all the data in a report requires a
lot of knowledge about different software.
The Network Behaviors section details what happened with regard to external
connections. Activity within any section is always listed in reverse chronological
order, with the first action to occur being listed at the bottom.
In this example, a DNS request was made for a particular URL and then a file was
downloaded multiple times. At any point in the report if a particular action is
something that the rating engine considers to be dangerous or suspicious, that
activity will appear in red. This makes the activity stand out and therefore hard to
miss.
The section details every action that occurred within the sandbox environment, for
any reason. This can easily become the largest section of the report, depending on
the activity that occurred.
If a scan job report indicates there is malware, it means a known piece of malware
was detected during the scan job process.
The allows for additional information (beyond the report PDF) to be stored on the file
share. FortiSandbox can remotely store malicious, suspicious, clean, and unknown
scan results when the job is finished.
After this lesson, you should be able to understand logs, store logs externally,
archive reports, create an incidence response plan, handle unknown malware,
create a malware handling policy, understand FortiSandbox reports, and work with
FortiGuard.
After completing this lesson, you will have the practical skills to troubleshoot
connection issues between FortiSandbox and FortiGate or FortiMail, resolve
licensing issues, troubleshoot connectivity-related situations on FortiSandbox, and
activate Windows VMs and Microsoft Office.
In this section, we will examine some of the diagnostics that help to determine
whether FortiGate is properly connected and communicating with FortiSandbox.
On the Status page of the FortiGate, some of the widgets provide information about
FortiSandbox and FortiGate communications. The Advanced Threat Protection
Statistics widget provides a summary of the virus scanning activity that occurred
over the past week. This is a high level view, but it provides a quick glimpse at the
communication that is occurring between the two devices.
The License Information widget on the FortiGate Status page displays the current
state of the communications between FortiGate and FortiSandbox. If the two
devices are communicating successfully the widget displays a green arrow.
The quarantine process handles sending files to devices from the FortiGate. This
includes things like sending a DLP archive to a FortiAnalyzer or logs to a
FortiManager/Syslog. It even includes submitting files to FortiSandbox.
In this section, we will examine some of the diagnostics that help to determine
whether FortiMail is properly connected to FortiSandbox.
Similar to FortiGate, FortiMail also has a Test Connectivity button where you can
test connectivity to FortiSandbox and determine whether it is authorized. FortiMail
also provides some file statistics on this page.
Real time debug on the FortiMail that looks at communications with FortiSandbox
involve debugging the process called SandboxCLID.
There are more debug levels available than just simply using 65, but its a good
place to start. The bulk of the output is easy to understand and very human
readable. You can view the levels available in the CLI using the question mark. Be
sure to use the appropriate debug level.
Use the following two commands to disable the real time debug:
diagnose debug application sandboxclid 0
diagnose debug application sandboxclid disable
In this section, we will examine some of the troubleshooting commands available for
FortiSandbox.
You can use the CLI command sandbox-engines to examine various information
for the engines that are installed. This allows you to view and evaluate the traffic
that gets generated by malware being sandboxed by the device.
You can use the CLI command status to view the overall health of FortiSandbox.
It provides information about the firmware version that is installed, the serial
number, and the system time. There is also the general status on the VM images as
well as a high level look at the status of the RAID for the device.
There are several CLI commands you can use to help troubleshoot issues with
connectivity. For example, ping, tcpdump, iptables, and traceroute.
The syntax for using ping and traceroute are standard. Use an FQDN or IP address
as the destination.
tcpdump and iptables are standard Linux commands, which are more complex in
their syntax. However, there is a lot of information available on how to use them on
the Internet.
One useful command for troubleshooting is the tcpdump. It is used to enable the
built-in sniffer that can capture the traffic arriving and leaving the FortiSandbox.
From the FortiSandbox web-based manager, you can see the list of information
updated through FortiGuard. This includes the virus definition, network alert version
and sandbox engine version details.
Another useful piece of information on this page is the details on the VM images. It
contains a list of names for each VM image the device uses to scan files with, along
with the operating system version information.
In order to activate Windows VMs, registration of the device on the support site is
not required. The keys are burned into the EPROM hardware for the devices, or
included in the VM license file.
The device includes several keys, but only one is activated in order to be compliant
with our Microsoft agreement. You can see and track the activations of different
keys in the Event logs.
The Windows keys are activated by being verified against the Microsoft servers
through port 3 and require ports 80 and 443 to be open. This is the same way any
normal Windows operating system is activated. In order to accomplish this, the
device must have access to the Internet and working DNS. After the VMs have been
activated, Internet access can be removed and FortiSandbox can be freely
rebooted. Since the VMs are already activated, they will not need to do so again.
Event logs show the sequence of events for activating all the various VM images.
In this example, the actual license keys have been removed for security reasons,
but on a real device you will see the product keys that are used, rather than Xs.
Each of the four VM images need to run through the activation process separately.
There are three log events associated with the full process of activation:
1. The device starts the activation process.
2. The Microsoft servers verify and accept the license key.
3. FortiSandbox finishes installing and setting up the VM image. This sequence
occurs for each of the VM images on the FortiSandbox.
You can use the CLI command vm-license l (lowercase L) to view the license keys
that are available on the device.
You can use the CLI command vm-status to view the status of the virtual machines.
This displays a list of the different master VM images FortiSandbox has loaded as
well as the status of their activation.
An initialized VM is one that has been activated with the Windows key, and the
cloning process has finished successfully.
You can view the VM initialization status through the System Information widget on
the Status page of the Web-based manager. It displays a green arrow if the
Windows VMs have properly initialized. Otherwise, it shows a yellow warning
indicator.
In this section, we will examine the process involved in activating Microsoft Office.
Microsoft Office activation is not performed online. The software verifies the
installation key locally. This is designed by Microsoft and is how MS Office behaves.
There is no online component to the registration of this particular software.
In order to activate MS Office, you must obtain a key file by registering your
FortiSandbox on the support site (support.fortinet.com) along with your device
contract. Once this is completed you can download a license file that activates the
Microsoft Office software installed on the VM images.
Note that the new FortiSandbox hardware does not have this requirement. The
addition of MS Office is fairly recent, so only the newer generation hardware has the
ability to have this information burned to the EPROM. You can tell if a FortiSandbox
is capable of this by looking at the serial number of the device.
For older hardware or VMs, once you download the MS Office license file from the
support site you can apply it through the web-based manager from the System
Information widget. Once the file is loaded, FortiSandbox activates the license and
the device automatically reboots.
After rebooting, the Microsoft Office software will complete the licensing along with
the instantiation of the VM images. This process of initializing the VMs takes a
couple of minutes to complete, so it will still show up as unlicensed immediately
after reboot.
The keys used to activate the VMs do not change and Microsoft only allows a
limited number of activations against a single key. This behavior is no different than
reinstalling Windows on your home computer.
If the logs indicate the Microsoft activation server will not allow the VMs to be
activated, you must contact Microsoft. Fortinet is using standard versions of the
Windows operating systems and does not have access to the Microsoft activation
servers.
5. Once your request has been accepted, you are provided a 48 digit number. You
will need this number so be certain to record it accurately.
6. From the CLI of the FortiSandbox, use the confirm-id command to enter the
activation key experiencing the issue and the confirmation id provided by Microsoft.
When entering the key and confirmation numbers, do not enter a space between the
flags (-k and c) and the values themselves.
7. Verify the details using the confirm-id l (lowercase L) command. This
displays the activation key(s) with the associated confirmation number.
8. If everything is correct, reboot the FortiSandbox and wait for the VM images to
finish activating against the Microsoft servers.