User Guide

File Analysis

File analysis extracts files transferred over supported network protocols and inspects them for malicious content. Extracted files are automatically submitted for multi‑layered inspection using antivirus and AI‑driven detection engines.

File Analysis provides advanced threat detection by inspecting files in transit across network protocols. Using the Antivirus (AV) engine and AI-driven analysis, the system identifies and logs malicious activity that may bypass standard network telemetry. When enabled, the system automatically extracts files and submits them for multi-layered inspection.

Feature / Attribute     Description
Supported Protocols     HTTP, SMB, FTP
File Type Scope         Limited to Windows Executable files (including .exe)
Recursive Inspection    For archive files, the signature corresponds to the first malicious file identified within the archive.
Size limit              200 MB

Detection Engines

Detected threats are categorized by the engine:

  • AV Engine: Produces high-confidence detections for known malware.
  • AI Analysis Engine: An AI-based malware detection engine that analyzes file characteristics to identify zero-day or evolved threats. Files detected by the AI Engine contain AI.Pallas.Suspicious in the signature name.

Event Metadata

File analysis events are generated only for known or highly suspicious malicious files. Each event includes contextual data to support threat hunting and incident response. For more information, see File Analysis fields.

Enabling File Analysis

To enable File Analysis:
  1. Go to Settings > Sensors. The Sensor page opens.
  2. Click the Sensor ID. The sensor Status page opens.
  3. Click the Settings tab.
  4. Click Edit Features Settings.
  5. Enable the following options:

     Option                      Description
     Packet Inspection Engine    • Fortinet DPI
                                   • File Scanning

Interpreting File Analysis scores and signatures

Use the following table to prioritize and triage file analysis events:

Detection Type   Score     Confidence Level     Analysis Guidance
av_alert         null      Malicious            Treat as malicious. A null score in this context indicates a high-confidence signature match.
av_alert         100       Highly Suspicious    High-confidence malicious match via AV signature.
pallas_alert     100       Highly Suspicious    AI engine has maximum confidence in malware classification.
av_alert         90 - 99   Suspicious           Strong signature match; warrants immediate investigation.
pallas_alert     90 - 99   Suspicious           High-probability AI detection; warrants immediate investigation.

Pallas signatures will always include a Pallas score. AV signatures may not always include a score; any event with a null AV score must be treated as a confirmed malicious detection.
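As an added example (not part of the Fortinet guide), the following Python applies the triage table above and the AI.Pallas.Suspicious signature convention from the Detection Engines section to a batch of constructed events, handling the null AV score case as a confirmed detection. The event field names (detection_type, score, signature, file_name) are assumptions; the real schema is documented separately under File Analysis fields, and the routing of scores below 90 to a manual review bucket is also an assumption.

```python
import json

# Confidence levels from the triage table, ordered most urgent first.
RANK = {"Malicious": 0, "Highly Suspicious": 1, "Suspicious": 2, "Review": 3}

def classify(detection_type: str, score) -> tuple:
    """Map (detection type, score) to (confidence level, guidance) per the table.
    Scores below 90 and a pallas_alert with no score are not covered by the
    guide, so routing them to 'Review' is an assumption of this example."""
    if detection_type == "av_alert":
        if score is None:
            # Null AV score means a high-confidence signature match: confirmed malicious.
            return "Malicious", "Treat as malicious: null score is a signature match."
        if score == 100:
            return "Highly Suspicious", "High-confidence malicious match via AV signature."
        if 90 <= score <= 99:
            return "Suspicious", "Strong signature match; investigate immediately."
    elif detection_type == "pallas_alert":
        if score is None:
            # The guide says Pallas alerts always carry a score; surface the anomaly.
            return "Review", "Pallas alert without a score; verify event integrity."
        if score == 100:
            return "Highly Suspicious", "AI engine has maximum confidence in classification."
        if 90 <= score <= 99:
            return "Suspicious", "High-probability AI detection; investigate immediately."
    return "Review", "Outside the documented triage table; manual review."

def is_ai_detection(signature: str) -> bool:
    """AI-engine detections carry AI.Pallas.Suspicious in the signature name."""
    return "AI.Pallas.Suspicious" in signature

def triage(events: list) -> list:
    """Annotate each event and return them sorted most urgent first."""
    out = []
    for ev in events:
        level, guidance = classify(ev.get("detection_type", ""), ev.get("score"))
        out.append({**ev, "confidence": level, "guidance": guidance,
                    "ai_engine": is_ai_detection(ev.get("signature", ""))})
    return sorted(out, key=lambda e: (RANK[e["confidence"]], -(e["score"] or 0)))

# Constructed sample events (signature strings are placeholders, not real detections).
SAMPLE_EVENTS = json.loads("""[
 {"file_name": "update.exe", "detection_type": "av_alert", "score": 95, "signature": "W32/Sample.A!tr"},
 {"file_name": "tool.exe", "detection_type": "pallas_alert", "score": 100, "signature": "AI.Pallas.Suspicious"},
 {"file_name": "setup.exe", "detection_type": "av_alert", "score": null, "signature": "W32/Sample.B!tr"},
 {"file_name": "bundle.zip", "detection_type": "pallas_alert", "score": 92, "signature": "AI.Pallas.Suspicious"}
]""")
if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f'{ev["confidence"]:<17} {ev["file_name"]:<11} AI={ev["ai_engine"]!s:<5} {ev["guidance"]}')
```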