Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Best Practices

    Home FortiSandbox 4.2.0 Best Practices
    4.2.0
    5.0.0
    4.4.0
    4.2.0
    4.0.0
    3.2.0
    3.1.0
    3.0.0

    Troubleshooting detection issues

    Troubleshooting detection issues

    Trace a file

    Trace a file to follow the file's route. This is useful when you want to confirm that files are using the route you expect them to take on your network.

    To trace a file, you need to know either its checksum or file name.

    To trace a file with the checksum:

    In the Log & Report > Events > All Events page, put the file’s checksum or name in the Message filter.

    To trace a file with a file within a time-range:
    1. In the Scan Job > File Job Search page.
    2. In the Detection filter, set the time-range and then enter the file’s checksum.
    3. Click Show Detail to show the job’s detailed information.

    Known malware not detected

    If a known malware is not detected, check the following:

    Issue Recommendation Description
    Scan profile Go to Scan Policy and Object > Scan Profile.

    Verify the filter settings have not changed.

    Check the logs to see if the Scan Profile was changed or a new signature was installed.

    Signature or rating engine Go to System > FortiGuard.

    Check to see if a new AntiVirus Signature, Rating Engine, or Tracer Engine was installed.

    VM settings

    Go to Scan Policy and Object > VM Settings.

    The malware might not be able to run in certain VMs.
    Network Go to Log & Report > Network Alerts View the logs to see if a network condition was changed.
    Port3 connection Go to Scan Policy and Object > General Settings. Check to see if the Port3 connection to the Internet was modified.
    Firmware Go to Dashboard > Status > System Information widget. Checkt to see if new firmware was installed.
    Execution condition Go to Scan Policy and Object > Global Network. If Global Network is enabled, check to see if the malware execution condition was changed, such as down C&C, time bomb, etc.

    Verdicts

    Go to:

    • Scan Policy and Object > Allowlist/Blocklist
    • Scan Policy and Object > Yara Rules
    • Scan Job > Overridden Verdicts
    • Log & Report > Network Alerts

    Check the logs for any manual overridden verdicts, white/black list, or YARA rule modifications.

    The Detailed Report in Network Alerts shows how the file was rated. You can also compare the report with a previous version to troubleshoot further.

    Interface

    Go to System > Interfaces.

    Verify the path for the port3 next hop gateway for the policy is clean.

    Other

    • Try an On-Demand scan of the malware and use the VM Interaction and Scan video features.
    • Contact Fortinet Support for possible rating/tracer engine bugs.
    • Report to fsa_submit@fortinet.com for further investigation.
    Previous
    Next

    Troubleshooting detection issues

    Troubleshooting detection issues

    Trace a file

    Trace a file to follow the file's route. This is useful when you want to confirm that files are using the route you expect them to take on your network.

    To trace a file, you need to know either its checksum or file name.

    To trace a file with the checksum:

    In the Log & Report > Events > All Events page, put the file’s checksum or name in the Message filter.

    To trace a file with a file within a time-range:
    1. In the Scan Job > File Job Search page.
    2. In the Detection filter, set the time-range and then enter the file’s checksum.
    3. Click Show Detail to show the job’s detailed information.

    Known malware not detected

    If a known malware is not detected, check the following:

    Issue Recommendation Description
    Scan profile Go to Scan Policy and Object > Scan Profile.

    Verify the filter settings have not changed.

    Check the logs to see if the Scan Profile was changed or a new signature was installed.

    Signature or rating engine Go to System > FortiGuard.

    Check to see if a new AntiVirus Signature, Rating Engine, or Tracer Engine was installed.

    VM settings

    Go to Scan Policy and Object > VM Settings.

    The malware might not be able to run in certain VMs.
    Network Go to Log & Report > Network Alerts View the logs to see if a network condition was changed.
    Port3 connection Go to Scan Policy and Object > General Settings. Check to see if the Port3 connection to the Internet was modified.
    Firmware Go to Dashboard > Status > System Information widget. Checkt to see if new firmware was installed.
    Execution condition Go to Scan Policy and Object > Global Network. If Global Network is enabled, check to see if the malware execution condition was changed, such as down C&C, time bomb, etc.

    Verdicts

    Go to:

    • Scan Policy and Object > Allowlist/Blocklist
    • Scan Policy and Object > Yara Rules
    • Scan Job > Overridden Verdicts
    • Log & Report > Network Alerts

    Check the logs for any manual overridden verdicts, white/black list, or YARA rule modifications.

    The Detailed Report in Network Alerts shows how the file was rated. You can also compare the report with a previous version to troubleshoot further.

    Interface

    Go to System > Interfaces.

    Verify the path for the port3 next hop gateway for the policy is clean.

    Other

    • Try an On-Demand scan of the malware and use the VM Interaction and Scan video features.
    • Contact Fortinet Support for possible rating/tracer engine bugs.
    • Report to fsa_submit@fortinet.com for further investigation.
    Previous
    Next