Troubleshooting detection issues

Trace a file

Trace a file to follow the file's route. This is useful when you want to confirm that files are using the route you expect them to take on your network.

To trace a file, you need to know either its checksum or file name.

To trace a file by checksum or file name:

In the Log & Report > Events > All Events page, put the file’s checksum or name in the Message filter.

To trace a file by checksum within a time range:
  1. Go to the Scan Job > File Job Search page.
  2. In the Detection filter, set the time range and then enter the file’s checksum.
  3. Click Show Detail to show the job’s detailed information.
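As an added example (not part of the original page or of FortiSandbox itself), the following Python script does offline what the two procedures above do in the GUI: it computes the checksum of a file, then filters event lines by that checksum or by file name, optionally restricted to a time range, and returns the ordered list of components the file passed through. The event-line layout ("<ISO timestamp> <component> key=value ...") and the component names are assumptions made for this example, not FortiSandbox's real log format.

```python
import hashlib
import re
from datetime import datetime


def file_checksum(data: bytes, algo: str = "sha256") -> str:
    """Checksum of a file's bytes: the value you would paste into the Message filter."""
    return hashlib.new(algo, data).hexdigest()


# Constructed sample: a harmless file and the event lines that mention it.
# The line layout "<ISO timestamp> <component> key=value ..." is an assumption
# for this example, not FortiSandbox's real log format.
SAMPLE_FILE = b"constructed sample content, not real malware"
SAMPLE_SHA = file_checksum(SAMPLE_FILE)
SAMPLE_EVENTS = [
    f"2024-03-01T10:00:05Z sniffer file received name=invoice.pdf sha256={SAMPLE_SHA}",
    "2024-03-01T10:00:07Z sniffer file received name=other.exe sha256=" + "0" * 64,
    # deliberately out of order to show that the trace is sorted by time
    f"2024-03-01T10:01:30Z rating verdict assigned name=invoice.pdf sha256={SAMPLE_SHA}",
    f"2024-03-01T10:00:12Z scan-queue job created name=invoice.pdf sha256={SAMPLE_SHA}",
    f"2024-03-01T10:00:40Z vm-scan execution started name=invoice.pdf sha256={SAMPLE_SHA}",
]

_EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def _parse_time(stamp: str) -> datetime:
    # Accept a trailing "Z" as UTC so fromisoformat() can parse it.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_event(line: str) -> dict:
    """Split one event line into its timestamp, component and free-text message."""
    m = _EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event line: {line!r}")
    return {"time": _parse_time(m.group(1)), "component": m.group(2), "message": m.group(3)}


def trace_file(events, needle, start=None, end=None):
    """Events whose message mentions needle (checksum or file name), case-insensitively,
    optionally limited to the ISO-8601 window [start, end], sorted by time."""
    lo = _parse_time(start) if start else None
    hi = _parse_time(end) if end else None
    needle = needle.lower()
    hits = []
    for line in events:
        ev = parse_event(line)
        if needle not in ev["message"].lower():
            continue
        if lo is not None and ev["time"] < lo:
            continue
        if hi is not None and ev["time"] > hi:
            continue
        hits.append(ev)
    return sorted(hits, key=lambda e: e["time"])


def route(events, needle, start=None, end=None):
    """The ordered list of components the file passed through: its route."""
    return [ev["component"] for ev in trace_file(events, needle, start, end)]


if __name__ == "__main__":
    print("checksum:", SAMPLE_SHA)
    for ev in trace_file(SAMPLE_EVENTS, SAMPLE_SHA):
        print(ev["time"].isoformat(), ev["component"], ev["message"])
    print("route:", " -> ".join(route(SAMPLE_EVENTS, "invoice.pdf")))
```

Searching by checksum is the more reliable of the two, since a file name can be reused by unrelated files (the decoy `other.exe` line above would also match a name search for that file, but never a checksum search for `invoice.pdf`).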

Known malware not detected

If known malware is not detected, check the following. Each entry lists the issue, the recommended place to check, and what to look for.

Scan profile
  Recommendation: Go to Scan Policy and Object > Scan Profile.
  Description: Verify the filter settings have not changed. Check the logs to see if the Scan Profile was changed or a new signature was installed.

Signature or rating engine
  Recommendation: Go to System > FortiGuard.
  Description: Check to see if a new AntiVirus Signature, Rating Engine, or Tracer Engine was installed.

VM settings
  Recommendation: Go to Scan Policy and Object > VM Settings.
  Description: The malware might not be able to run in certain VMs.

Network
  Recommendation: Go to Log & Report > Network Alerts.
  Description: View the logs to see if a network condition was changed.

Port3 connection
  Recommendation: Go to Scan Policy and Object > General Settings.
  Description: Check to see if the Port3 connection to the Internet was modified.

Firmware
  Recommendation: Go to Dashboard > Status > System Information widget.
  Description: Check to see if new firmware was installed.

Execution condition
  Recommendation: Go to Scan Policy and Object > Global Network.
  Description: If Global Network is enabled, check to see if the malware execution condition was changed, such as a down C&C server, a time bomb, etc.

Verdicts
  Recommendation: Go to:
    • Scan Policy and Object > Allowlist/Blocklist
    • Scan Policy and Object > Yara Rules
    • Scan Job > Overridden Verdicts
    • Log & Report > Network Alerts
  Description: Check the logs for any manually overridden verdicts, allowlist/blocklist changes, or YARA rule modifications. The Detailed Report in Network Alerts shows how the file was rated. You can also compare the report with a previous version to troubleshoot further.

Interface
  Recommendation: Go to System > Interfaces.
  Description: Verify the path for the port3 next hop gateway for the policy is clean.

Other
  Recommendation:
    • Try an On-Demand scan of the malware and use the VM Interaction and Scan Video features.
    • Contact Fortinet Support for possible rating/tracer engine bugs.
    • Report to fsa_submit@fortinet.com for further investigation.