notabot

Level 8
Fortisandbox runs either on a VM or a dedicated device.

How does it operate and what are its pluses/minuses when compared to other sandboxing solutions?
 

Nightwalker

Level 16
Verified
Content Creator
Fortisandbox runs either on a VM or a dedicated device.

How does it operate and what are its pluses/minuses when compared to other sandboxing solutions?
It is very different from sandbox solutions like Sandboxie or Comodo.

It is an enterprise solution that integrates threat intelligence, detection and prevention across all attack surfaces (network, endpoints, web, email), but it needs other enterprise Fortinet solutions to work effectively; while "traditional", "consumer" sandboxes simply try to isolate files from the real OS, Fortisandbox can check whether a file is safe or not independently of the endpoint machine.

Fortisandbox is something that the "average" home user can only dream about ...
 

Slyguy

Level 41
Verified
Fortisandbox runs either on a VM or a dedicated device.

How does it operate and what are its pluses/minuses when compared to other sandboxing solutions?
Fortinet's product spectrum can run as appliances, VMs and, in some cases, in the cloud. Currently ALL Fortigate UTMs come with Fortisandbox Cloud; it used to be an extra charge, and before that it was a very expensive appliance. I have a FortiSandbox on my network and it spotted the CCleaner compromise as it happened and blocked it (which I disclosed here, I believe).

Fortisandbox basically operates like this - incoming files get a 'pre-validation' which does a cursory check of file safety. If there are any threat indicators it throws the file into the Fortisandbox and plays around with it for a bit. You can choose to block all files until a safe declaration is made from the Sandbox. If the Sandbox detects suspicious activity it will stall the file, then send it directly to Fortinet labs for final resolution/determination.

Fortinet's big push now is SaaS-type services with SD-WAN and hosted VM Fortigate UTMs, alleviating the need for on-site appliances of any type. Currently some big players use Fortigate VMs to protect their front-end operations.

All of this is designed to be part of a full security fabric. Currently Fortinet is buying up some AI/ML firms to shore up their AI/ML side of things. They were looking at Cylance, I hear, but the price was too high, so they went with a Scottish firm that has some interesting technology. On the endpoint side, there is a sort of transition from FortiClient's in-house-produced AV to a partnership with Symantec, which will integrate Symantec into Fortinet, offering the best of each product line across the fabric.
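
The staged flow described in the post above (cheap pre-validation, detonation only when there are indicators, optional hold-until-verdict, escalation of ambiguous results) can be illustrated with a small gateway policy. This is an added example written for this thread, not Fortinet's code, and it does not model the appliance's actual checks: the reputation lists, file samples, behaviour traces, scoring weights and thresholds below are all constructed for illustration.

```python
"""Constructed example of a staged file-verdict pipeline (not FortiSandbox code).

prevalidate()  - cheap static checks: hash reputation, magic/extension mismatch
score_trace()  - scores a behaviour trace that a detonation would have produced
verdict()      - ties the stages together, holding files until a verdict exists
"""
import hashlib

# Magic bytes -> coarse file type. Enough for the constructed samples below.
MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"%PDF": "pdf", b"PK\x03\x04": "zip"}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def file_type(data):
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

# Constructed sample files (contents are fake, only the headers matter).
SAMPLES = {
    "notes.pdf": b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n",
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",   # PE with a .pdf name
    "dropper.bin": b"MZ\x90\x00" + b"OLDDROPPER",
}
# Constructed reputation lists; a real gateway would query a threat-intel feed.
KNOWN_GOOD = {sha256(SAMPLES["notes.pdf"])}
KNOWN_BAD = {sha256(SAMPLES["dropper.bin"])}

def prevalidate(name, data):
    """Return (decision, indicators); decision is 'allow', 'block' or 'detonate'."""
    h = sha256(data)
    if h in KNOWN_BAD:
        return "block", ["hash on denylist"]
    if h in KNOWN_GOOD:
        return "allow", []
    indicators = []
    kind = file_type(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if kind in ("pe", "elf"):
        indicators.append("executable (%s)" % kind)
    if kind == "pe" and ext not in ("exe", "dll", "scr", "sys"):
        indicators.append("PE disguised as .%s" % ext)
    if kind == "zip" and b"vbaProject.bin" in data:
        indicators.append("office macro project")
    return ("detonate" if indicators else "allow"), indicators

# Behaviour categories a detonation report might contain, with made-up weights.
WEIGHTS = {"net_connect": 2, "persist_runkey": 3, "inject_process": 4, "write_temp_exe": 2}
TRUSTED_HOSTS = {"update.example-vendor.test"}   # constructed allowlist

def score_trace(trace):
    """Sum weights over (category, detail) events; outbound to trusted hosts is free."""
    score = 0
    for category, detail in trace:
        if category == "net_connect" and detail in TRUSTED_HOSTS:
            continue
        score += WEIGHTS.get(category, 0)
    return score

def verdict(name, data, trace=None, hold_until_verdict=True):
    """trace=None means the sandbox has not reported yet."""
    decision, indicators = prevalidate(name, data)
    if decision != "detonate":
        return {"file": name, "verdict": decision, "stage": "prevalidation", "indicators": indicators}
    if trace is None:
        # Policy choice from the post: block everything until the sandbox answers, or let it through.
        return {"file": name, "verdict": "hold" if hold_until_verdict else "allow",
                "stage": "queued", "indicators": indicators}
    s = score_trace(trace)
    if s >= 6:
        v = "block"
    elif s >= 3:
        v = "escalate"   # stall the file and hand it off for a final determination
    else:
        v = "allow"
    return {"file": name, "verdict": v, "stage": "detonation", "score": s, "indicators": indicators}

if __name__ == "__main__":
    # Constructed detonation traces for the two PE samples.
    benign_update = [("net_connect", "update.example-vendor.test")]
    dropper_like = [("write_temp_exe", "C:\\Temp\\x.exe"), ("persist_runkey", "HKCU\\...\\Run"),
                    ("net_connect", "c2.example.test")]
    for args in [("notes.pdf", SAMPLES["notes.pdf"]),
                 ("dropper.bin", SAMPLES["dropper.bin"]),
                 ("setup.exe", SAMPLES["setup.exe"]),
                 ("setup.exe", SAMPLES["setup.exe"], benign_update),
                 ("report.pdf", SAMPLES["report.pdf"], dropper_like)]:
        print(verdict(*args))
```

The point the example makes is where the cost sits: known-good and known-bad hashes never reach detonation, an unknown executable is held rather than allowed by default, and a middling score is escalated instead of silently allowed or blocked. Which behaviours are weighted, and what counts as a trusted host, is exactly the part a vendor keeps proprietary, so the numbers here are placeholders.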
 

notabot

Level 8
Thanks! Can you give more details as to how it detected CCleaner? Based on what criteria was it flagged? To the best of my knowledge it took a month before it became known that the update was malicious; did it detect CCleaner during this month or after it was known?
 

Deleted member 178


Slyguy

Level 41
Verified
I think you misunderstood what I was saying, which was 'I disclosed to this forum that my Fortisandbox found it way back' and I wasn't saying *I* disclosed the threat to the public... (context is everything...)

When my FS Appliance flagged the update as highly suspicious I unsubscribed from Agomo 30 minutes later out of an abundance of caution and mentioned it here, but I had absolutely no part in the overall disclosure to the public. Fortinet sort of has an unwritten policy of not getting entangled in disclosures like that, largely because they waste resources, have liability, and draw unwanted attention.
 

Deleted member 178

No problem, it is just the way you made the sentence "as it happened" that may mislead readers.
 

notabot

Level 8
I think you misunderstood what I was saying, which was 'I disclosed to this forum that my Fortisandbox found it way back' and I wasn't saying *I* disclosed the threat to the public... (context is everything...)

When my FS Appliance flagged the update as highly suspicious I unsubscribed from Agomo 30 minutes later out of an abundance of caution and mentioned it here, but I had absolutely no part in the overall disclosure to the public. Fortinet sort of has an unwritten policy of not getting entangled in disclosures like that, largely because they waste resources, have liability, and draw unwanted attention.
Thanks! Did it flag the update itself (before any connection was attempted) or the attempted connection to the C&C?