Troubleshooting detection issues
Trace a file
Trace a file to follow the file's route. This is useful when you want to confirm that files are using the route you expect them to take on your network.
To trace a file, you need to know either its checksum or file name.
To trace a file with the checksum:
In the Log & Report > Events > All Events page, put the file’s checksum or name in the Message filter.
To trace a file within a time-range:
- Go to the Scan Job > File Job Search page.
- In the Detection filter, set the time-range and then enter the file’s checksum.
- Click Show Detail to show the job’s detailed information.
Known malware not detected
If known malware is not detected, check the following:
Issue | Recommendation | Description |
---|---|---|
Scan profile | Go to Scan Policy and Object > Scan Profile. | Verify the filter settings have not changed. Check the logs to see if the Scan Profile was changed or a new signature was installed. |
Signature or rating engine | Go to System > FortiGuard. | Check to see if a new AntiVirus Signature, Rating Engine, or Tracer Engine was installed. |
VM settings | Go to Scan Policy and Object > VM Settings. | The malware might not be able to run in certain VMs. |
Network | Go to Log & Report > Network Alerts. | View the logs to see if a network condition was changed. |
Port3 connection | Go to System > Settings > VM External Network Access. | Check to see if the Port3 connection to the Internet was modified. |
Firmware | Go to Dashboard > Status > System Information widget. | Check to see if new firmware was installed. |
Execution condition | Go to Scan Policy and Object > Global Network. | If Global Network is enabled, check to see if the malware execution condition was changed, such as a C&C server being down, a time bomb, etc. |
Verdicts | Go to: | Check the logs for any manually overridden verdicts, white/black list, or YARA rule modifications. The Detailed Report in Network Alerts shows how the file was rated. You can also compare the report with a previous version to troubleshoot further. |
Interface | Go to System > Interfaces. | Verify that the path for the port3 next hop gateway for the policy is clean. |
Other | | |