Appendix A - View Details page reference
When you click on the View Details icon, a new tab will open in your browser.
The following information are descriptions of the View Details page for:
- Last drill-down level of the FortiView pages
- Scan Input > File and URL On Demand
- File Detection > Malicious Files
- File Detection > Suspicious Files
- File Detection > Clean Files
- Job lists from Network Share scans and drill-down of Dashboard widget
FortiSandbox shows detailed forensic information of a job. They are grouped in three parts: Overview, Tree view, and Details.
The Overview tab shows overview information of a job, including input source, scan conditions, file type, etc. A global map is displayed to show the source and destination of the file or URL.
Item |
Description |
||
---|---|---|---|
File type |
The file type, High Risk Downloader for example. |
||
Virus Name |
The name of the virus. |
||
FortiGuard Encyclopedia Analysis |
Select to view the FortiGuard Encyclopedia analysis of the file if the file has a Malicious rating. This page provides analysis details, detection information, and recommended actions. |
||
Mark as clean (false positive) / Mark as suspicious (false negative) |
Select to mark the file as clean (false positive) or suspicious (false negative). This field is dependent on the file risk type. In the Apply Override Verdict dialog box type a comment and select Submit or Submit feedback to Cloud to send the file to the FortiGuard team for analysis. After a file has an overridden verdict, its future rating will be the overridden one until you reset the verdict. After a file's verdict is overridden, the job will be listed in the Scan Profile > Overridden Verdicts page for easy tracking. |
||
Export Job Details to Page |
Export the job details to a PDF report. |
||
Download Original File |
Download the password protected original file (
|
||
Received |
The date and time the file was received by FortiSandbox. |
||
Started |
The date and time the scan started and the timezone. |
||
Status |
The status of the scan. Status: Done, Canceled, Skipped, and Timed Out. |
||
Rated by |
Which scan module made the rating decision, such as the AV Scanner, FortiSandbox Community Cloud, Static File Scan or VM Engine. |
||
Submit Type |
The input source of the file such as FortiMail. |
||
Source IP |
|||
Destination IP |
The IP address of the client that downloaded the virus. |
||
Digital Signature |
The digital signature availability status of the scanned file. |
||
Scan Bypass Configuration |
When available, the scan bypass configuration will be displayed. |
||
SIMNET |
The SIMNET status when the scan is running. |
||
Virus Total |
By clicking the Virus Total link, a new page will open to query https://www.virustotal.com. Only a limited number of queries per minute is allowed without manual interaction with the Virus Total website. |
||
The Original Job of this Rescan Job |
Click the link to view the original job if this one is an AV rescan or On-Demand rescan job. |
||
Details Information |
View additional file information including the following: Packers, File Type, Downloaded From, File Size, Service, MD5, SHA1, SHA256, ID, Submitted By, Submitted Filename, Filename, Received, Scan Start Time, VM Scan Start Time, VM Scan End Time, VM Scan Time, Scan End Time, Total Scan Time, Scan Unit, Launched OS, Infected OS, and Anti Evasion Enabled. If the file is from FortiMail, Email related information, such as the Email Sender, Receiver, and Subject will also be shown. |
||
Indicators |
A summary of the Malware's behavior indicators if there are any. |
||
Behavior Summary |
View the file behavior summary. |
The Tree View shows a tree for file's static structure or file's parent-child process relationship when it executes inside a guest VM. You can drag the tree using the mouse and zoom in or out using the mouse wheel. If there is suspicious activity with one tree node, its label will be colored red. Clicking a node in the tree will open more information in tab format. Suspicious information is shown in the color red, so you can quickly locate it.
The Details part shows analysis details for each detection OS that is launched during the scan. It shows information in a different way from Tree View part. The following are details of information displayed:
Item |
Description |
|||
---|---|---|---|---|
Analysis Details |
View the following analysis details for each Detection OS that is launched during the scan. Each Detection OS's detail will be shown in a separate tab. The Infected OS will have a VM Infected icon in its tab title. If the Malware is detected by non-Sandboxing scan, such as FortiGuard static scan, the tab title is displayed as N/A. |
|||
|
Behavior Chronology Chart |
View the file's behavior over time and its density during its execution. Clean behaviors: green bubble. Suspicious behaviors: red, blue, or orange bubble. The higher the bubble, the more serious the event is. To view the event details, hover the mouse on top of the bubble. If a file scan is scanned with more than one VM type, the VM tab will dynamically switch to the chart for that type. If the file hits any imported YARA rule, a YARA tab will appear with detailed information. including:
|
||
|
Captured Packets |
Select the Captured Packets button to download the tracer PCAP file to your management computer.The packet capture (PCAP) file contains network traffic initiated by the file. You must have a network protocol analyzer installed on your management computer to view this file. The Captured Packets button is not available for all file types. |
||
|
Tracer Package |
Download the compressed
To see all dropped files by the file being scanned, use the -g argument. This generates a file named filemap.txt in the backup directory of the tracer package. |
||
|
Tracer Log |
A text file containing detailed information collected inside the Sandbox VM. |
||
|
STIX IOC |
Download the IOC in STIX2 format. |
||
|
Traffic Signature |
Displays the signatures of industrial application network traffic that are detected. Click the name to go to its FortiGuard page. |
||
|
IPS Signature |
Displays IPS signatures that are detected, the signatures are displayed. Click the name to go to its FortiGuard page. |
||
|
Screenshot |
Download screenshot images when the file was running in the sandbox. This image is not always available. |
||
|
YARA Hits |
If the file hits FortiSandbox internal YARA rules, detailed information is displayed. |
||
|
Office Behaviors |
Suspicious indicators detected by FortiGuard advanced Office file static scan engine. |
||
|
Virtual Simulator |
Suspicious indicators detected by FortiGuard advanced Web file static scan engine. |
||
|
Indicators |
A summary of behavior indicators, if available. When detailed information is available below, a question mark icon is displayed. When clicked, detailed information is displayed. For some operations, such as File Operations, users can download files in a password protected ZIP format. |
||
|
MITRE ATT&CK Matrix |
Displays malware's attack techniques and tactics. By default, a light version is displayed. Click the toggle button to swap between the Lite Matrix and Full Matrix. |
||
|
Botnet Info |
The botnet name and target IP address. |
||
|
Files Created |
The executable has been observed to drop some files. Click the Files Created dropdown icon to view the files created by the file. This field may not be available for all file types. |
||
|
Files Deleted |
This executable has been observed to delete some files. Click the Files Deleted dropdown icon to view the files deleted by the file. This field may not be available for all file types. |
||
|
File Modified |
The executable file has been observed to modify some files. |
||
|
Launched Processes |
The executable spawns some processes. Click the Launched Processes dropdown icon to view the processes launched by the file. This field may not be available for all file types. |
||
|
Registry Changes |
The executable applies autostart registry modifications to be able to start itself automatically. Click the Registry Changes dropdown icon to view the registry changed made by the file. This field may not be available for all file types. |
||
|
Network Behaviors |
Users that are infected by this executable will notice HTTP connections with certain URL/IP addresses. Click the Network Behaviors dropdown icon to view the network behavior of the file. This field may not be available for all file types. For certain document files, if they contain malicious URLs, those URLs are displayed here. Users can select a URL to display its detailed information, like rating history and visit volume history. |
||
|
Behaviors In Sequence |
The executable file's behavior during execution, in time sequence. |
||
|
Tracer/Rating Engine Version |
The tracer/rating package version is displayed at the bottom of the job detail page and in the PDF Report. |