9234 - MESGID_ANALYTICS_INFECT_WARNING
Message ID: 9234
Message Description: MESGID_ANALYTICS_INFECT_WARNING
Message Meaning: File reported infected by FortiSandbox (warning)
Type: Virus
Category: infected
Severity: Warning
Log Field Name |
Description |
Data Type |
Length |
---|---|---|---|
vrf |
|
uint16 |
3 |
virusid |
Virus ID (unique virus identifier) |
uint32 |
10 |
viruscat |
|
string |
32 |
virus |
Virus Name |
string |
128 |
vd |
VDOM name |
string |
32 |
user |
Username (authentication) |
string |
256 |
url |
The URL address |
string |
512 |
unauthusersource |
|
string |
66 |
unauthuser |
|
string |
66 |
tz |
Time Zone |
string |
5 |
type |
Log type |
string |
16 |
trueclntip |
|
ip |
39 |
transid |
|
uint32 |
10 |
to |
Email address(es) from the Email Headers (IMAP/POP3/SMTP) |
string |
512 |
time |
Time |
string |
8 |
subtype |
Subtype of the virus log |
string |
20 |
subservice |
|
string |
16 |
subject |
|
string |
256 |
srcuuid |
|
string |
37 |
srcport |
Source Port |
uint16 |
5 |
srcname |
|
string |
64 |
srcmac |
|
string |
17 |
srcip |
Source IP Address |
ip |
39 |
srcintfrole |
Source Interface's assigned role (LAN, WAN, etc.) |
string |
10 |
srcintf |
Source Interface |
string |
32 |
srcdomain |
|
string |
255 |
srccountry |
|
string |
64 |
sharename |
|
string |
256 |
sessionid |
Session ID |
uint32 |
10 |
service |
Proxy service which scanned this traffic |
string |
5 |
sender |
Email address from the SMTP envelope |
string |
128 |
referralurl |
|
string |
512 |
ref |
The URL of the FortiGuard IPS database entry for the attack |
string |
512 |
recipient |
Email addresses from the SMTP envelope |
string |
512 |
rawdata |
|
string |
20480 |
quarskip |
Quarantine skip explanation |
string |
46 |
psrcport |
|
uint16 |
5 |
proto |
Protocol number |
uint8 |
3 |
profile |
The name of the profile that was used to detect and take action |
string |
64 |
poluuid |
|
string |
37 |
policytype |
|
string |
24 |
policymode |
|
string |
8 |
policyid |
Policy ID |
uint32 |
10 |
pdstport |
|
uint16 |
5 |
pathname |
|
string |
256 |
msg |
Log message |
string |
4096 |
messageid |
|
string |
256 |
logid |
Log ID |
string |
10 |
level |
Log level |
string |
11 |
itype |
|
string |
16 |
icbverdict |
|
string |
5 |
icbseverity |
|
string |
11 |
icbfiletype |
|
string |
10 |
icbfileid |
|
string |
65 |
icbconfidence |
|
string |
6 |
icbaction |
|
string |
7 |
httpmethod |
|
string |
20 |
group |
Group name (authentication) |
string |
512 |
from |
Email address from the Email Headers (IMAP/POP3/SMTP) |
string |
128 |
forwardedfor |
|
string |
128 |
filetype |
File type |
string |
16 |
filename |
File name |
string |
256 |
filehashsrc |
Used by Outbreak Prevention External Hash: external source that provided the hash signature |
string |
32 |
filehash |
Used by Outbreak Prevention External Hash: the hash signature used in the detection |
string |
64 |
fctuid |
Forticlient user ID |
string |
32 |
eventtype |
Event type of AV |
string |
32 |
eventtime |
Time when detection occured |
uint64 |
20 |
dtype |
Data type for virus category |
string |
32 |
dstuuid |
|
string |
37 |
dstuser |
|
string |
256 |
dstport |
Destination Port |
uint16 |
5 |
dstip |
Destination IP Address |
ip |
39 |
dstintfrole |
Destination Interface's assigned role (LAN, WAN, etc.) |
string |
10 |
dstintf |
Destination Interface |
string |
32 |
dstcountry |
|
string |
64 |
dstauthserver |
|
string |
64 |
direction |
Message/packets direction |
string |
8 |
devid |
|
string |
16 |
date |
Date |
string |
10 |
crscore |
Threat Weight Score |
uint32 |
10 |
crlevel |
Threat Weight Level |
string |
10 |
craction |
Threat Weight action |
uint32 |
10 |
contentdisarmed |
Content Disarm action- eg. disarmed, detected |
string |
13 |
checksum |
The checksum of the scanned file |
string |
16 |
cdrcontent |
|
string |
256 |
cc |
|
string |
512 |
authserver |
Server used to authenticate the involved user |
string |
64 |
attachment |
|
string |
3 |
analyticssubmit |
The flag for analytics submission |
string |
10 |
analyticscksum |
The checksum of the file submitted for analytics |
string |
64 |
agent |
User agent - eg. agent="Mozilla/5.0" |
string |
1024 |
action |
The status of the session: blocked - Blocked infected file by AV engine passthrough - Allowed by AV engine monitored - Log, but do NOT block infected file analytics - Submitted to Sandbox for analysis |
string |
18 |