Detection Settings

This page includes:

About detection settings

This page describes the Detection Settings tab inside each policy. For details on policies, see Policies.

The Detection Settings tab enables you to define various settings that affect the way that the FortiMail Browser Security extension detects malicious content in downloaded files and in websites.

To open the Detection Settings tab:

  1. In the FortiMail Browser Security console, select Policies.

  2. Click the required policy, and then click the Detection Settings tab.

Types of detection settings

The following types of detection settings can be configured in the Detection Settings tab for each policy:

File detection settings

Note:

  • The minimum scan time, even for very small download files, is about 2 seconds. This is because all files must be internally downloaded [fetched] - before they can be scanned.

File detection mode

 

 

 

Disabled

The browser extension will not scan downloaded files to determine if they are malicious.

Silent

The browser extension will scan downloaded files to determine if they are malicious. All scan results will be sent to FortiMail Workspace Security - and will appear in the Scans page.

  • Downloaded files will be available to users even if the files were found to be malicious, or could not be successfully scanned.

  • No indication is given to the user if a downloaded file is found to be malicious or could not be successfully scanned.

Warn

The browser extension will scan downloaded files to determine if they are malicious. All scan results will be sent to FortiMail Workspace Security.

  • Downloaded files will be available to users even if the files were found to be malicious, or could not be successfully scanned.

  • An indication [online user notification] is displayed to the user if a downloaded file is found to be malicious or could not be successfully scanned.

Block

The browser extension will scan downloaded files to determine if they are malicious. All scan results will be sent to FortiMail Workspace Security.

  • Downloaded files will NOT be available to users if the files were found to be malicious, or could not be successfully scanned.

  • Remediation: The browser extension will attempt to delete each detected malicious downloaded file or downloaded file that could not be successfully scanned.

  • An online user notification and a block page are displayed to the user if a downloaded file is found to be malicious or could not be successfully scanned.

Block large files and encrypted files that can’t be scanned

This setting has been replaced by the "Allow downloading files with clean scan verdicts only" setting - see below.

Allow downloading files with clean scan verdicts only

[This option appears only if the Block "file detection mode" is selected above]

When enabled, this option prevents end-users from downloading files that can’t be successfully scanned or that have Malicious scan verdicts. Only files with Clean scan verdicts can be downloaded.

Which files can't be successfully scanned:

  • Files that are too large to scan.

    By default, files up to 100 MB can be scanned - larger files can't be scanned. Contact FortiMail Workspace Security Support [support@perception-point.io] if you want to modify this setting.

  • Files that are encrypted - and the required password is not available. [See Ask users for file passwords below.]

  • Files that can't be scanned due to unforeseen technical errors during the scanning process.

When a file download is blocked due to this setting, a toast message will be shown to the user, and an event will be logged.

When this setting is not enabled, files that are too large to scan or that can't be decrypted will be made available to users without being scanned.

Limitation

This feature doesn't work on Safari browers.

Note: This option is NOT available when the "Prevent access to downloaded files until the scan is complete" option [see below] is disabled.

Prevent access to downloaded files until the scan is complete

[appears only if the Block or Warn "file detection mode" is selected above]

Prevents users from accessing downloaded files in the Downloads folder - while a file is being scanned. Only after the file has been fully scanned - and found to be clean - is it made available to the user [unless a timeout is enabled - see Limit file scan time below.].

This is called the "inline" scanning mode.

You can override this setting for specified domains. For details, see File access mode override.

Note:

  • This option appears only if Block mode or Warn mode is selected for file download detection. See File detection mode above.

  • If you enable this option, it is recommended that you set a browser policy that doesn't ask the user, before downloading a file, where to save the file. This helps the inline scanning mode to function as required.

    See also the official Chrome documentation and the official Microsoft documentation .

  • Because inline scans may take a while to complete, it is recommended that you set a timeout for the maximum scan duration. See Limit file scan time below.

Limit file scan time

[appears only if the Block or Warn "file detection mode" is selected above]

Limits the time that users must wait for a file to be scanned. If the timeout value is reached, the file will be downloaded and available to the user - even if the scan isn't complete.

The default timeout value is 15 seconds.

This time-limit setting is available only if:

  • "Prevent access to downloaded files until the scan is complete" above is enabled

    - and -

    "Allow downloading files with clean scan verdicts only" is not enabled.

Note:

The implemented timeout value may be slightly larger than the value specified here. This is because:

  • The timeout starts only after the file has been internally downloaded [fetched] - in preparation to be scanned.

  • The completion of the scan is checked only every 5 seconds - so in practice, up to 5 seconds may be added to the specified timeout value.

Ask users for file passwords

[appears only if the Warn or Block "file detection mode" is selected above]

When a user downloads a password-protected file, the user will be asked for the password to enable the file to be scanned.

  • Block mode only: If the "Allow downloading files with clean scan verdicts only" option [see above] is enabled, and the downloaded file couldn't be opened using the password, the file will not be downloaded and the file won't be made available to the user.

    In all other scenarios, the file will be downloaded and made available to the user - even if the file could not be scanned.

  • By default, the user has 2 minutes to enter the password.

Note: When a user tries to download a file that is password-protected, FortiMail Browser Security will try to open the file using a database of common passwords. If FortiMail Browser Security is able to open the file, the user will NOT be asked for the password, and FortiMail Browser Security will scan the file.

Skip scans for safe file types

[appears only if the Block or Warn "file detection mode" is selected above]

When enabled, the extension won't scan downloaded files that have the specified file extensions. It is recommended that you include only safe extensions in the ignore-scanning list.

The default extensions to ignore are: png, jpg, jpeg, and json

Website detection settings

Website detection mode

Configures the behavior of detecting malicious websites:

  • Disabled: Malicious website detection is not performed.

  • Silent: Malicious website detection is performed. Incidents are reported in the Scans page of FortiMail Workspace Security. There is no user interaction - users are able to access malicious websites, and are not informed about them.

  • Warn: Malicious website detection is performed. Incidents are reported in the Scans page of FortiMail Workspace Security. Warning messages about malicious websites are displayed to users. Users can select to continue to the malicious websites.

  • Block: Malicious website detection is performed. Incidents are reported in the Scans page of FortiMail Workspace Security. Warning messages about malicious websites are displayed to users. Users are not permitted to continue to malicious websites.

See also: About website access

  • Use the URL allow list in FortiMail Workspace Security to allow access to a specific website and "override" the standard detection mechanisms. For details, see Configuring the "URL allowlist".

  • Use the URL block list in FortiMail Workspace Security to block access to a specific website and "override" to the standard detection mechanisms. For details, see Configuring the "URL blocklist".

Monitor password reuse

Note: This option appears only if the Block or Warn detection mode is selected above.

When enabled, FortiMail Browser Security monitors end-users to determine when they reuse their passwords. Password reuse instances are included in the FortiMail Workspace Security event log.

  • Silent mode: End-users are not notified when they reuse their passwords.

  • Warn and Block modes: End-users are notified when they reuse their passwords.

Note: FortiMail Browser Security doesn't store any passwords. Instead, hash values of the passwords are stored. Password reuse detection is based on the stored hash values. The hash values are stored locally, and are never sent to any server.

Show warning on suspicious websites

Note: This option appears only if the Block or Warn detection mode is selected above.

When an end-user visits a website that originated in a suspicious or low reputation email*, then a warning will be displayed for the end-user. These users should then be careful when providing credentials or downloading files from that site.

A sender is classified as a low-reputation sender if the clean-ratio of the sender is low - that is, less than 10% of emails from that sender are clean.

When a warning is displayed, an entry is added to the Events log. The added event has the following Activity text: "Warning displayed about suspicious website"

Note: This functionality is available only if the organization has an email integration with FortiMail Workspace Security.

Monitor login activity

When this option is enabled, FortiMail Browser Security will record all browser-based login events. This may be helpful to support shadow IT detection and incident investigations. Login events are recorded in the events log, and displayed in the Events page. Each login event has the following Activity: "User logged in to website". For details on the Events page, see Events Page.

Browser extension detection settings

Note: This functionality is not yet available

FortiMail Browser Security scans the extensions that are installed on all protected browsers in your organization to determine if any of the extensions are malicious or suspicious. Each extension is assigned a verdict: Clean, Suspicious, or Malicious. In the Extension Analysis log, you can see the scan verdict that is assigned to every extension that is enabled in the organization. For more information, see Extension Analysis log details.

You can configure FortiMail Browser Security to disable extensions that are found to be Malicious. Details are shown below.

  • You can also use extension rules to disable [or allow] extensions. For details, see Extension rules.

    Precedence

    Scenario: An extension should be disabled due to its scan verdict. The same extension is allowed to be installed by an extension rule.

    Result: The verdict-based disablement takes precedence over the extension rule. The extension will be disabled.

Each time an extension is disabled by FortiMail Browser Security, based on the scan verdict of the extension, an event is added to the Extension Activity log. For details, see Events Page.

The effects of the extension detection mode are dependent on the scan verdict of each extension. For details about scan verdicts, see Scan Verdict.

Browser extension detection mode

 

 

 

Disabled

If a user enables an extension that has the Malicious verdict:

  • FortiMail Browser Security will NOT prevent the extension from being enabled.

  • An event will NOT be added to the Extension Activity log.

  • Details of the scan of the extension will appear in the Scans page of FortiMail Workspace Security.

  • The user will NOT be notified that the extension is malicious or suspicious.

Silent

If a user enables an extension that has the Malicious verdict:

  • FortiMail Browser Security will NOT prevent the extension from being enabled.

  • An event will be added to the Extension Activity log.

    • The event indicates that a malicious extension is currently enabled - and was not disabled by FortiMail Workspace Security.

  • Details of the scan of the extension will appear in the Scans page of FortiMail Workspace Security.

  • The user will NOT be notified that the extension is malicious or suspicious.

Warn

This mode is not available.

Block

If a user enables an extension that has the Malicious verdict:

  • The extension will be enabled - and then immediately disabled by FortiMail Browser Security.

  • Two events are added to the Extension Activity log:

    • The first event indicates that a malicious extension is currently enabled.

    • The second event indicates if the malicious extension was successfully disabled - or not.

  • Details of the scan of the extension will appear in the Scans page of FortiMail Workspace Security.

  • Users are NOT notified when an extension is disabled by FortiMail Workspace Security.

Block extensions with suspicious verdicts

[This option appears only if the Block "extension detection mode" is selected above]

This feature is not yet available.

When enabled, FortiMail Browser Security will disable all extensions that are assigned the Suspicious verdict - and prevent these extensions from being enabled.

When this setting is not enabled, extensions that are assigned the Suspicious verdict are not disabled and may be installed.

File uploads

Audit file uploads

  • Enabled: When enabled, successful and blocked user-attempts to upload files will be recorded in the "Extension Activity" log.

  • Disabled: When disabled, only blocked attempts to upload files will be recorded in the "Extension Activity" log. [Successful attempts will not be recorded.]

For information about how to configure whether or not blocked upload events are recorded, see Report events.

For details about the "Extension Activity" log, see Events Page.

Note: Recorded file upload attempts include the name of the uploaded file. File names of uploaded files may contain sensitive personal information.

Anti-tampering

Auto-close developer tools

When enabled, the extension will attempt to close the browser's "Developer Tools" - if the tools are opened by an end-user.

Custom messages for detection settings

It is possible to customize some of the messages that appear in detection block pages. For details, see Custom messages.

See also: