Detection Settings

About detection settings

This page describes the Detection Settings tab inside each policy. For details on policies, see Policies.

The Detection Settings tab enables you to define various settings that affect the way that the browser extension detects malicious content in downloaded files and in websites.

To open the Detection Settings tab:

  1. In the FortiMail Browser Security console, select Policies.

  2. Click the required policy, and then click the Detection Settings tab.

Types of detection settings

There are the following types of detection settings:

File detection options

Note:

  • The minimum scan time, even for very small download files, is about 2 seconds. This is because every file must first be internally downloaded [fetched] before it can be scanned.

File detection mode

Disabled

The browser extension will not scan downloaded files to determine if they are malicious.

Silent

The browser extension will scan downloaded files to determine if they are malicious. All scan results will be sent to FortiMail Workspace Security - and will appear in the Scans page.

  • Downloaded files will be available to users even if the files were found to be malicious, or could not be successfully scanned.

  • No indication is given to the user if a downloaded file is found to be malicious or could not be successfully scanned.

Warn

The browser extension will scan downloaded files to determine if they are malicious. All scan results will be sent to FortiMail Workspace Security.

  • Downloaded files will be available to users even if the files were found to be malicious, or could not be successfully scanned.

  • An indication [online user notification] is displayed to the user if a downloaded file is found to be malicious or could not be successfully scanned.

Block

The browser extension will scan downloaded files to determine if they are malicious. All scan results will be sent to FortiMail Workspace Security.

  • Downloaded files will NOT be available to users if the files were found to be malicious, or could not be successfully scanned.

  • Remediation: The browser extension will attempt to delete each detected malicious downloaded file or downloaded file that could not be successfully scanned.

  • An online user notification and a block page are displayed to the user if a downloaded file is found to be malicious or could not be successfully scanned.

Block large files and encrypted files that can’t be scanned

[This option appears only if the Block detection mode is selected above]

When enabled, blocks the following files:

  • Files that are too large to scan.

    By default, files up to 100 MB are scanned - larger files are not scanned. Contact FortiMail Workspace Security Support [support@perception-point.io] if you want to modify this setting.

  • Files that are encrypted - and that therefore can't be scanned.

When this setting is not enabled, files that are too large to scan or that are encrypted will be made available to users without being scanned.

Allow downloading files with clean scan verdicts only

[This option appears only if the Block detection mode is selected above]

[This option is not yet available]

When enabled, this option prevents end-users from downloading files that can’t be scanned or that have Malicious scan verdicts. Only files with clean scan verdicts can be downloaded.

Limitation

This feature doesn't work on Safari.

Note: This option is NOT available when the "Prevent access to downloaded files until the scan is complete" option [see below] is disabled.

Prevent access to downloaded files until the scan is complete

[appears only if the Block or Warn detection mode is selected above]

Prevents users from accessing downloaded files in the Downloads folder while a file is being scanned. Only after the file has been fully scanned - and found to be clean - is it made available to the user [unless a timeout is enabled - see Limit file scan time below].

This is called the "inline" scanning mode.

You can override this setting for specified domains. For details, see File access mode override.

Note:

  • This option appears only if Block mode or Warn mode is selected for file download detection. See File detection mode above.

  • If you enable this option, it is recommended that you set a browser policy that doesn't ask the user, before downloading a file, where to save the file. This helps the inline scanning mode to function as required.

    See also the official Chrome documentation and the official Microsoft documentation.

  • Because inline scans may take a while to complete, it is recommended that you set a timeout for the maximum scan duration. See Limit file scan time below.

Limit file scan time

[appears only if the Block or Warn detection mode is selected above]

Limits the time that users must wait for a file to be scanned. If the timeout value is reached, the file will be downloaded and available to the user - even if the scan isn't complete.

The default timeout value is 15 seconds.

This limit is available only if "Prevent access to downloaded files until the scan is complete" above is enabled [i.e. when the "inline" download mode is selected].

Note:

The implemented timeout value may be slightly larger than the value specified here. This is because:

  • The timeout starts only after the file has been internally downloaded [fetched] - in preparation to be scanned.

  • The completion of the scan is checked only every 5 seconds - so in practice, up to 5 seconds may be added to the specified timeout value.

Ask users for file passwords

[appears only if the Warn or Block mode is selected above]

Note: This feature will be available after 30 May 2025.

When a user downloads a password-protected file, the user will be asked for the password to enable the file to be scanned.

  • Block mode only: If the "Block large files and encrypted files that can’t be scanned" option [see above] is enabled, and the downloaded file couldn't be opened using the password, the file will not be downloaded and the file won't be made available to the user.

    In all other scenarios, the file will be downloaded and made available to the user - even if the file could not be scanned.

  • By default, the user has 2 minutes to enter the password.

Skip scans for safe file types

[appears only if the Block or Warn detection mode is selected above]

When enabled, the extension won't scan downloaded files that have the specified file extensions. It is recommended that you include only safe extensions in the ignore-scanning list.

The default extensions to ignore are: png, jpg, jpeg, and json.
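
The file detection options above leave several paths by which a file without a clean verdict still reaches the user; the model below lists them for a given policy. This is an added example, not FortiMail code: the class, function names and result labels are hypothetical, and it models only the behaviour stated on this page (the password prompt is left out).

```python
from dataclasses import dataclass

# Scan results the page distinguishes; the label strings are this example's own.
RESULTS = ("clean", "malicious", "too_large", "encrypted", "timeout", "skipped_type")

@dataclass(frozen=True)
class FilePolicy:
    mode: str                        # "disabled" | "silent" | "warn" | "block"
    block_unscannable: bool = False  # "Block large files and encrypted files that can't be scanned"
    inline: bool = False             # "Prevent access to downloaded files until the scan is complete"
    limit_scan_time: bool = False    # "Limit file scan time"
    skip_safe_types: bool = False    # "Skip scans for safe file types"

def reachable(policy, result):
    """Can this result occur at all under the policy, given the option dependencies?"""
    if policy.mode == "disabled":
        return False                 # nothing is scanned, so there are no results
    if result == "timeout":          # the timeout exists only in inline mode (Block/Warn)
        return policy.mode in ("warn", "block") and policy.inline and policy.limit_scan_time
    if result == "skipped_type":     # the option appears only for Block/Warn
        return policy.mode in ("warn", "block") and policy.skip_safe_types
    return True

def available_to_user(policy, result):
    """True if the user ends up with the file for this result."""
    if policy.mode != "block":
        return True                  # Disabled, Silent and Warn never withhold a file
    if result in ("clean", "timeout", "skipped_type"):
        return True                  # timeout and skipped types release the file unscanned
    if result in ("too_large", "encrypted"):
        return not policy.block_unscannable
    return False                     # Block mode, Malicious verdict

def fail_open_paths(policy):
    """Results under which a file without a clean verdict still reaches the user."""
    if policy.mode == "disabled":
        return ["unscanned"]         # every download is delivered without a scan
    return sorted(r for r in RESULTS
                  if r != "clean" and reachable(policy, r) and available_to_user(policy, r))

if __name__ == "__main__":
    for p in (FilePolicy("block"), FilePolicy("block", True, True), FilePolicy("warn")):
        print(p, "->", fail_open_paths(p))
```

Block mode alone still delivers oversized and encrypted files; the list is empty only when the unscannable-file option is on and neither the scan timeout nor the skip list is in use.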

Website detection options

Website detection mode

Configures the behavior of detecting malicious websites:

  • Disabled: Malicious website detection is not performed.

  • Silent: Malicious website detection is performed. Incidents are reported in the Scans page of FortiMail Workspace Security. There is no user interaction - users are able to access malicious websites, and are not informed about them.

  • Warn: Malicious website detection is performed. Incidents are reported in the Scans page of FortiMail Workspace Security. Warning messages about malicious websites are displayed to users. Users can select to continue to the malicious websites.

  • Block: Malicious website detection is performed. Incidents are reported in the Scans page of FortiMail Workspace Security. Warning messages about malicious websites are displayed to users. Users are not permitted to continue to malicious websites.

See also: About website access

  • Use the URL allow list in FortiMail Workspace Security to allow access to a specific website and "override" the standard detection mechanisms. For details, see Configuring the "URL allowlist".

  • Use the URL block list in FortiMail Workspace Security to block access to a specific website and "override" the standard detection mechanisms. For details, see Configuring the "URL blocklist".

Monitor password reuse

[appears only if the Block or Warn detection mode is selected above]

When enabled, FortiMail Browser Security monitors end-users to determine when they reuse their passwords. Password reuse instances are included in the FortiMail Workspace Security event log.

  • Silent mode: End-users are not notified when they reuse their passwords.

  • Warn and Block modes: End-users are notified when they reuse their passwords.

Note: FortiMail Browser Security doesn't store any passwords. Instead, hash values of the passwords are stored. Password reuse detection is based on the stored hash values. The hash values are stored locally, and are never sent to any server.

Show warning on suspicious websites

[appears only if the Block or Warn detection mode is selected above]

When an end-user visits a website that originated in a suspicious or low-reputation email*, a warning is displayed to the end-user. These users should then be careful when providing credentials or downloading files from that site.

* A sender is classified as a low-reputation sender if the clean-ratio of the sender is low - that is, less than 10% of emails from that sender are clean.

Note: This functionality is available only if the organization has an email integration with FortiMail Workspace Security.

Monitor login activity

When this option is enabled, FortiMail Browser Security will record all browser-based login events. This may be helpful to support shadow IT detection and incident investigations. Login events are recorded in the events log, and displayed in the Events page. Each login event has the following Activity: "User logged in to website". For details on the Events page, see Events Page.

Extension detection options

Note: This functionality is not yet available.

FortiMail Browser Security scans the extensions that are installed on all protected browsers in your organization to determine if any of the extensions are malicious or suspicious. When an extension is scanned and the scan verdict is Suspicious or Malicious, an entry will be added to the Scans page in FortiMail Workspace Security. For details, see Managing 3rd-Party Extensions.

  • In the Extension Analysis log, you can see the scan verdict that is assigned to any extension that is enabled in the organization. For details, see Managing 3rd-Party Extensions.

You can use the extension detection functionality in FortiMail Browser Security to disable extensions that are found to be Malicious or Suspicious. Each time an extension is disabled, an event is added to the Extension Activity log. For details, see Events Page.

  • For details on how to disable extensions based on extension rules, see Extension rules.

Extension detection mode

Disabled

If a user enables an extension that has the Malicious or Suspicious verdict, an event will NOT be added to the Extension Activity log, and the user will not be notified that the extension is malicious or suspicious.

Silent

  • If FortiMail Browser Security detects an extension that has the Malicious or Suspicious verdict, an event will be added to the Extension Activity log. For details, see Events Page. The extension will not be disabled.

  • If a user enables an extension that has the Malicious or Suspicious verdict, an event will be added to the Extension Activity log. For details, see Events Page. The user will not be prevented from enabling the extension.

The user will not be notified that the extension is malicious or suspicious.

Warn [This mode is currently not available]

If a user tries to enable an extension that has the Malicious or Suspicious verdict, the user will be warned that the extension is malicious or suspicious. The user will be able to continue to enable the extension, or to abort the attempt.

An event will be added to the Extension Activity log. For details, see Events Page.

Block

FortiMail Browser Security disables all extensions that are assigned the Malicious verdict. Each time an extension is disabled, two events are added to the Extension Activity log:

  • The first event indicates that a malicious extension is currently enabled.

  • The second event indicates if the malicious extension was successfully disabled - or not.

    For details, see Events Page.

  • Users are NOT notified when an extension is disabled.

If a user tries to enable an extension that has the Malicious verdict, the extension will be enabled - and then immediately disabled by FortiMail Browser Security.

An event will be added to the Extension Activity log indicating if the malicious extension was successfully disabled - or not. For details, see Events Page.

  • Suspicious extensions: You can configure the automatic disabling and blocking of suspicious extensions. For details, see Block extensions with suspicious verdicts below.

Block extensions with suspicious verdicts

[This option appears only if the Block extension detection mode is selected above]

When enabled, FortiMail Browser Security will disable all extensions that are assigned the Suspicious verdict - and prevent these extensions from being enabled.

When this setting is not enabled, extensions that are assigned the Suspicious verdict are not disabled.

File uploads

Audit file uploads

  • Enabled: When enabled, successful and blocked user attempts to upload files will be recorded in the "Extension Activity" log.

  • Disabled: When disabled, only blocked attempts to upload files will be recorded in the "Extension Activity" log. [Successful attempts will not be recorded.]

For information about how to configure whether or not blocked upload events are recorded, see Report events.

For details about the "Extension Activity" log, see Events Page.

Note: Recorded file upload attempts include the name of the uploaded file. File names of uploaded files may contain sensitive personal information.

Anti-tampering

Auto-close developer tools

When enabled, the extension will attempt to close the browser's "Developer Tools" - if the tools are opened by an end-user.