Advice Request Fortisandbox ?

Please provide comments and solutions that are helpful to the author of this topic.
Status
Not open for further replies.
N

notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
2,047
1,368
Fortisandbox runs either on a VM or a dedicated device.

How does it operate and what are it’s plusses/minuses when compared to other sandboxing solutions ?
 
  • Like
Reactions: harlan4096
notabot said:
Fortisandbox runs either on a VM or a dedicated device.

How does it operate and what are it’s plusses/minuses when compared to other sandboxing solutions ?
Click to expand...

It is very different from sandbox solutions like Sandboxie or Comodo.

It is a enterprise solution that integrates threat intelligence, detection + prevention in all attack surfaces (network, endpoints, web, email) but it needs other enterprise Fortinet solutions to work effectively; while "traditional", "consumer" sandboxies simple try to isolate files from the real OS, Fortisandbox can check if a file is safe or not independent of the endpoint machine.

Fortisandbox is something that the "average" home user can only dream about ...
 
  • Like
Reactions: Kuttz and harlan4096
notabot said:
Fortisandbox runs either on a VM or a dedicated device.

How does it operate and what are it’s plusses/minuses when compared to other sandboxing solutions ?
Click to expand...

Fortinet Product spectrum can run as appliances, VM's and in some cases, cloud. Currently, ALL Fortigate UTM's come with Fortisandbox Cloud now, it used to be an extra charge and before that it was a very expensive appliance. I have a FortiSandbox on my network and it spotted the Ccleaner compromise as it happened and blocked it. (which I disclosed here I believe)

Fortisandbox basically operates like this - incoming files get a 'pre-validation' which does a cursory check of file safety. If there are any threat indicators it throws the file into the Fortisandbox and plays around with it for a bit. You can choose to block all files until a safe declaration is made from the Sandbox. If the Sandbox detects suspicious activity it will stall the file, then send it directly to Fortinet labs for final resolution/determination.

Fortinet's big push now is SaaS type of services with SDWAN and Hosted VM Fortigate UTM's, alleviating the need for on-site appliances of any type. Currently some big players use Fortigate VM's to protect their front-end operations.

All of this is designed to be part of a full security fabric. Currently Fortinet is buying up some AI/ML firms to shore up their AI/ML side of things. They were looking at Cylance I hear, but the price was too high, so they went with a Scottish firm that has some interesting technology. On the endpoint side, there is a sort of transition from FortiClient in-house produced AV with a partnership with Symantec which will integrate Symantec into Fortinet offering the best of each product line across the fabric.
 
  • Like
Reactions: Handsome Recluse, DeepWeb, Kuttz and 2 others
Thanks ! Can you give more details as to how it detected ccleaner ? Based on what criteria was it flagged? To the best of my knowledge it took a moth before it became known that the update was malicious , did it detect ccleaner during this month or after it was known ?
 
  • Like
Reactions: Kuttz
Last edited by a moderator:
  • Like
Reactions: harlan4096
I think you misunderstood what I was saying, which was 'I disclosed to this forum that my Fortisandbox found it way back' and I wasn't saying *I* disclosed the threat to the public... (context is everything...)

When my FS Appliance flagged the update as highly suspicious I unsubscribed from Agomo 30 minutes later out of an abundance of caution and mentioned it here, but I had absolutely no part in the overall disclosure to the public.. Fortinet sort of has an unwritten policy of not getting entangled in disclosures like that, largely because they waste resources, have liability, and draw unwanted attention.
 
Last edited by a moderator:
  • Like
Reactions: harlan4096 and Handsome Recluse
No problem, it is just the way you made the sentence "as it happened" that may misled readers.
 
ForgottenSeer 58943 said:
I think you misunderstood what I was saying, which was 'I disclosed to this forum that my Fortisandbox found it way back' and I wasn't saying *I* disclosed the threat to the public... (context is everything...)

When my FS Appliance flagged the update as highly suspicious I unsubscribed from Agomo 30 minutes later out of an abundance of caution and mentioned it here, but I had absolutely no part in the overall disclosure to the public.. Fortinet sort of has an unwritten policy of not getting entangled in disclosures like that, largely because they waste resources, have liability, and draw unwanted attention.
Click to expand...

Thanks !, Did it flag the update it self (before any connection was attempted) or the attempted connection to c&c ?
 
Status
Not open for further replies.

You may also like...