FortiMail 200E/Sandbox Email Question

Alexander Mueller
2018/12/10 07:30:33

Hi, I have one question.
We are using FortiMail 200E and Sandbox 1000D.
At the moment we have a lot of infected emails with .doc attachments.
Under System->FortiSandbox on the FortiMail, it is activated that all Office files (especially .doc) are sent to the Sandbox.
 
But sometimes we have the problem that, if FortiMail notices this is a spam mail (by the IP), it sends the email to the personal quarantine and stops the checks with AntiVirus and Sandbox.
 
We have activated all Re-Scan options under Security->Quarantine Control.
 
But is it possible to make the checks continue and not stop after AntiSpam?
 
With best regards from Germany
#1
Carl Windsor_FTNT
Fortinet
Re: FortiMail 200E/Sandbox Email Question 2018/12/10 07:53:34
> Is it possible to make the checks continue and not stop after AntiSpam?
 
No, but what you want is possible in a different way. The reason sandboxing happens after AntiSpam is to keep the load down on the FortiSandbox (default: antispam-content-sandbox). You can, however, change the scan order so FSA happens after AV but before the AS (sandbox-antispam-content).
 
config system fortisandbox
   set scan-order {antispam-content-sandbox | sandbox-antispam-content | antispam-sandbox-content}
end
 
...but be aware this will add additional load to the sandbox.

Dr. Carl Windsor
Field Chief Technology Officer
Fortinet
#2
ede_pfau
Re: FortiMail 200E/Sandbox Email Question 2018/12/10 13:48:09
The quirk in OP's setup is that he distrusts the anti-spam on the FML. In my experience, if you relax the AS measures a bit, FML won't catch all, but all that it catches is real SPAM. Especially by checking against the blacklist from FortiGuard.
As the (SPAM) mail has not yet been accepted (*), you can discard it then in a legally safe way, and not quarantine it.
Quarantining SPAM is somehow...you could save a lot of energy and other cost if you just store every mail then.
 
(*)...if FML is working as mail relay or mail gateway, that is, in front.
 
In a typical environment I see 95% of all SPAM mails rejected because of blacklisting servers alone. If you push all that junk through your sandbox you will probably need a very big one.
 
But thanks Carl for that precious hint anyway.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#3
Carl Windsor_FTNT
Fortinet
Re: FortiMail 200E/Sandbox Email Question 2018/12/10 13:58:44
>In a typical environment I see 95% of all SPAM mails rejected because of blacklisting
>servers alone. If you push all that junk through your sandbox you will probably need a
>very big one.
 
Indeed, this is why the default is the more efficient method of detecting as spam first (less load) and then allowing a rescan on release to prevent the threats being released.

Dr. Carl Windsor
Field Chief Technology Officer
Fortinet
#4
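The trade-off discussed in the replies above, as an added example that is not from any poster or from Fortinet: a toy model of the three scan-order values showing how many messages reach the sandbox and how many malicious attachments are stopped earlier without ever getting a sandbox verdict. It assumes that a stage which flags a message stops all later stages and that only messages with an Office attachment are submitted; the message counts are constructed, using the 95% blacklist figure from the thread, and AV is not modelled.

```python
# Toy model (added example, not Fortinet code) of the three scan-order values.
# Assumptions: a stage that flags a message stops all later stages, and only
# messages carrying an Office attachment are submitted to the sandbox.

ORDERS = (
    "antispam-content-sandbox",   # default, per the thread
    "sandbox-antispam-content",
    "antispam-sandbox-content",
)

def make_batch():
    """Constructed sample of 1000 messages; 95% come from blacklisted senders."""
    # (count, blacklisted, content_hit, has_doc, malicious)
    groups = [
        (900, True,  False, False, False),  # plain spam, no attachment
        (50,  True,  False, True,  True),   # blacklisted sender, malicious .doc
        (10,  False, True,  True,  True),   # content-filter hit, malicious .doc
        (5,   False, False, True,  True),   # only the sandbox would catch these
        (35,  False, False, True,  False),  # legitimate mail with a .doc
    ]
    keys = ("blacklisted", "content_hit", "has_doc", "malicious")
    return [dict(zip(keys, flags)) for n, *flags in groups for _ in range(n)]

def simulate(order, batch):
    """Return (sandbox_submissions, malicious_never_sandboxed) for one order."""
    submissions = 0
    never_sandboxed = 0
    for msg in batch:
        sandboxed = False
        for stage in order.split("-"):
            if stage == "sandbox":
                if msg["has_doc"]:
                    submissions += 1
                    sandboxed = True
                hit = msg["has_doc"] and msg["malicious"]
            elif stage == "antispam":
                hit = msg["blacklisted"]
            else:  # content
                hit = msg["content_hit"]
            if hit:
                break  # verdict reached, remaining stages are skipped
        if msg["malicious"] and not sandboxed:
            never_sandboxed += 1
    return submissions, never_sandboxed

if __name__ == "__main__":
    for order in ORDERS:
        print(order, simulate(order, make_batch()))
```

The second number is the set that the re-scan on release from quarantine has to cover when the sandbox runs after AntiSpam.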
Alexander Mueller
Re: FortiMail 200E/Sandbox Email Question 2019/08/22 23:29:05
Hi,
 
Is it possible to change the order to content-antispam-fortisandbox,
 
because only {antispam-content-sandbox | sandbox-antispam-content | antispam-sandbox-content} are available?
I would prefer to scan our content first, and then antispam and sandbox.
#5