Fortinet white logo
Fortinet white logo

Administration Guide

Appendix B- Job Details page reference

Appendix B- Job Details page reference

Note

You can create custom VMs using pre-configured VMs, your own ISO image, or Red Hat VMs on VirtualBox. For more information, contact Fortinet Customer Service & Support.

For information on hard disk hot-swapping procedure, system recovery procedure using Rescue Mode, and password reset procedure, see the FortiSandbox Best Practices and Troubleshooting Guide in the Fortinet Document Library.

When you click the Job Details icon, a new browser tab opens showing detailed forensic information of a job. The information is in three tabs: Overview, Tree view, and Details.

The Overview tab shows overview information of a job, including input source, scan conditions, file type, and so on. A global map shows the source and destination of the file or URL.

Item

Description

File type

File type, for example, exe.

Virus Name

Name of the virus.

FortiGuard Encyclopedia Analysis

Select to view the FortiGuard Encyclopedia analysis of the file if the file has a Malicious rating. This page provides analysis details, detection information, and recommended actions.

Mark as clean (false positive) / Mark as suspicious (false negative)

Select to mark the file as clean (false positive) or suspicious (false negative). This field is dependent on the file risk type. In the Apply Override Verdict dialog box type a comment and select Submit or Submit feedback to Cloud to send the file to the FortiGuard team for analysis. The default setting of Submit feedback to cloud follows the setting of Contribute detected suspicious files to FortiSandbox Community Cloud in Scan Profile > Advanced.

After a file has an overridden verdict, its future rating will be the overridden one until you reset the verdict.

After a file's verdict is overridden, the job will be listed in the Scan Job > Overridden Verdicts page for easy tracking.

Export Job Details to Page

Export the job details to a PDF report.

Download Original File

Download the password protected original file (.zip format) to your management computer for further analysis. The default password for this file is fortisandbox.

Caution

Unzip the original file only on a management computer in an analysis environment.

Received

The date and time the file was received by FortiSandbox.

Started

The date and time the scan started and the timezone.

Status

The status of the scan. Status: Done, Canceled, Skipped, and Timed Out.

Rated by

The source of the rating decision. The following are the sources by scan module:

Static Scan related:

AV Scan Engine, Sandbox Community Cloud, Static Scan Engine, Yara Scan Engine, Dynamic Scan Cache, Allowlist/Blocklist, FortiGuard Allowlist/Blocklist, Overriden Verdicts and Fabric Device (FortiNDR).

Dynamic Scan related:

Dynamic Scan, Dynamic Scan (MacOS Cloud), Dynamic Scan (Cloud), Customized Rating and Real-time Zero-Day Anti-Phishing Service.

The module names have been changed since v4.2.0. If you require the previous module names for mapping, please contact Customer Support.

Submit Type

The input source of the file such as FortiMail.

Source IP

The malware host IP address.

Destination IP

The IP address of the client that downloaded the virus.

Digital Signature

The digital signature availability status of the scanned file.

AI Mode

Whether AI mode is on or off.

Deep-AI Mode

Whether Deep AI mode is on or off.

Scan Bypass Configuration

When available, the scan bypass configuration will be displayed.

SIMNET

The SIMNET status when the scan is running.

Depth

The URL level to do the recursive scan.

Region

WindowsCloudVM region.

Timeout Value

File/URL scan timeout setting.

Virus Total

By clicking the Virus Total link, a new page will open to query https://www.virustotal.com.

Only a limited number of queries per minute is allowed without manual interaction with the Virus Total website.

URL and Payloads

For Submitted URL which has payloads, this field displays a color-coded rating for URL and its payloads.

Archive Files

For archive files and its children, this field displays a color-coded rating for parent archive file and each children, so that you can quickly identify different ratings for each child.

The Original Job of this Rescan Job

Click the link to view the original job if this one is an AV rescan or On-Demand rescan job.

Details Information

View additional file information including the following: Packers, File Type,Original URL/URL, File Size, Service, MD5, SHA1, SHA256, ID, Submitted By, Submitted Filename, Filename, Scan Start Time, VM Scan Start Time, VM Scan End Time, VM Scan Time, Scan End Time, Total Scan Time, Scan Unit, Redirect URL, Embedded URL number, No VM Reason (reason why sample was not scanned inside VM), VM Reason (reason why sample entered into VM), Launched OS (VM type), Specified Browser, Launched Browser, Pipeline mode OS (if rated by pipeline mode VM ), Infected OS, Anti Evasion Triggers. Password Protected (For PDF and Office file only, showing whether the file is password protected and successfully extracted or not) and URL Category.

If the sample is from FortiMail, Email related information, such as the Email Sender, Receiver, Client IP, From, To, and Subject will also be shown.

If the sample is from Adapter, Adapter IP address and Email related information, such as BCC-Agent Sender and BCC-Agent Receiver will also be shown.

If the sample is a URL and scanned by Real-time Zero-Day Anti-Phishing Server, Real-time Zero-Day Anti-Phishing Service and Phishing URL target will be shown. Additionally, if there is a screenshot available to download, then a download button will be shown after the URL Category.

If the phishing service is enabled but the URL samples are not scanned in the Phishing server, the job details will show the No VM reason and Real-time Zero-Day Anti-Phishing prefilter version.

Indicators

A summary of the Malware's behavior indicators if there are any.

Rating

The rating is the final verdict of the FortiSandbox on the scan job based on the collected behavioral activities and static analysis. The assessment of their risk and impact is based on our FortiGuard Threat Intelligence of previously-known malware.

Ratings include Malware, High risk, Medium risk, Low risk, Clean and Unknown.

VM Interaction

When Interaction mode is enabled before jobs are submitted, VM Interaction displays Raw and the Status is ON. When Interaction is disabled VM Interaction is not displayed in the Overview page.

Video Record

When Record Video is enabled, Video Record displays ON. When Record Video is disabled, Video Record is not displayed.

The Tree View tab shows a tree for file's static structure or file's parent-child process relationship when it executes inside a guest VM. You can drag the tree using the mouse and zoom in or out using the mouse wheel. If there is suspicious activity with one tree node, its label will be colored red. Clicking a node in the tree will open more information in tab format. Suspicious information is shown in the color red, so you can quickly locate it.

The Details tab shows analysis details for each detection OS that is launched during the scan as a table. If the remote VM is a WindowsCloudVM launched in overflow mode, the launched OS will appear as windowscloudvm(overflow) (for more information, see VM Settings > Remote Windows).

The following are details of information displayed:

Item

Description

Analysis Details

View the following analysis details for each Detection OS that is launched during the scan. Each Detection OS's detail will be shown in a separate tab. The Infected OS will have a VM Infected icon in its tab title.

If the Malware is detected by non-Sandboxing scan, such as FortiGuard static scan, the tab title is displayed as N/A.

Behavior Chronology Chart

View the file's behavior over time and its density during its execution.

Clean behaviors: green bubble.

Suspicious behaviors: red, blue, or orange bubble.

The higher the bubble, the more serious the event is.

To view the event details, hover the mouse on top of the bubble.

If a file scan is scanned with more than one VM type, the VM tab will dynamically switch to the chart for that type.

If the file hits any imported YARA rule, a YARA tab will appear with detailed information. including:

  • The hit rule
  • Rule's risk level
  • Rule set name
  • Link to original YARA rule file

Captured Packets

Select the Captured Packets button to download the tracer PCAP file to your management computer.The packet capture (PCAP) file contains network traffic initiated by the file. You must have a network protocol analyzer installed on your management computer to view this file.

The Captured Packets button is not available for all file types.

Tracer Package

Download the compressed .tar file containing the tracer log and related files. The password protected /backup folder in the tracer log contains information about the program’s execution. The default password for this file is fortisandbox.

Caution

Unzip the tracer log only on a management computer in an analysis environment.

When downloading the tracer package for an executable file within an archive, the downloaded package will include the parent archive file.

Tracer Log

A text file containing detailed information collected inside the Sandbox VM.

STIX IOC

Download the IOC in STIX2 format.

Traffic Signature

Displays the signatures of industrial application network traffic that are detected. Click the name to go to its FortiGuard page.

IPS Signature

Displays IPS signatures that are detected, the signatures are displayed. Click the name to go to its FortiGuard page.

Screenshot

Download screenshot images when the file was running in the sandbox. This image is not always available.

YARA Hits

If the file hits FortiSandbox internal YARA rules, detailed information is displayed.

Office Behaviors

Suspicious indicators detected by FortiGuard advanced Office file static scan engine.

Virtual Simulator

Suspicious indicators detected by FortiGuard advanced Web file static scan engine.

Indicators

A summary of behavior indicators, if available.

When detailed information is available below, a question mark icon is displayed. When clicked, detailed information is displayed. For some operations, such as File Operations, users can download files in a password protected ZIP format.

MITRE ATT&CK V11 Matrix

Displays malware's attack techniques and tactics.

The MITRE supports V11. FortiSandbox displays the supported version on the Details page.

By default, a light version is displayed. Click the toggle button to swap between the Lite Matrix and Full Matrix.

Botnet Info

The botnet name and target IP address.

Files Operations

The file-related operations, includes Created/Deleted/Renamed/Modified/Set Attributes.

Registry Operations

The registry-related operations, includes Created/Deleted.

Memory Operations

The memory-related operations, includes Process Related/Process Created/Process Created and Injected/Written.

Network Operations

Users that are infected by this executable will notice HTTP connections with certain URL/IP addresses.

Click the Network Behaviors dropdown icon to view the network behavior of the file. This field may not be available for all file types.

For certain document files, if they contain malicious URLs, those URLs are displayed here. Users can select a URL to display its detailed information, like rating history and visit volume history.

Embedded urls

For PDFs, Office and HTML files, if the file contains embedded URLs or QR code, a maximum of three URLs and three QR codes can be scanned inside VM and listed here.

For more information on how to enable sandboxing embedded URL/QR code, see the FortiSandbox CLI Reference Guide.

Behaviors In Sequence

The executable file's behavior during execution, in time sequence.

Tracer/Rating Engine Version

The tracer/rating package version is displayed at the bottom of the job detail page and in the PDF Report.

Video Download Link

Download the video when the Record Video is enabled.

Appendix B- Job Details page reference

Appendix B- Job Details page reference

Note

You can create custom VMs using pre-configured VMs, your own ISO image, or Red Hat VMs on VirtualBox. For more information, contact Fortinet Customer Service & Support.

For information on hard disk hot-swapping procedure, system recovery procedure using Rescue Mode, and password reset procedure, see the FortiSandbox Best Practices and Troubleshooting Guide in the Fortinet Document Library.

When you click the Job Details icon, a new browser tab opens showing detailed forensic information of a job. The information is in three tabs: Overview, Tree view, and Details.

The Overview tab shows overview information of a job, including input source, scan conditions, file type, and so on. A global map shows the source and destination of the file or URL.

Item

Description

File type

File type, for example, exe.

Virus Name

Name of the virus.

FortiGuard Encyclopedia Analysis

Select to view the FortiGuard Encyclopedia analysis of the file if the file has a Malicious rating. This page provides analysis details, detection information, and recommended actions.

Mark as clean (false positive) / Mark as suspicious (false negative)

Select to mark the file as clean (false positive) or suspicious (false negative). This field is dependent on the file risk type. In the Apply Override Verdict dialog box type a comment and select Submit or Submit feedback to Cloud to send the file to the FortiGuard team for analysis. The default setting of Submit feedback to cloud follows the setting of Contribute detected suspicious files to FortiSandbox Community Cloud in Scan Profile > Advanced.

After a file has an overridden verdict, its future rating will be the overridden one until you reset the verdict.

After a file's verdict is overridden, the job will be listed in the Scan Job > Overridden Verdicts page for easy tracking.

Export Job Details to Page

Export the job details to a PDF report.

Download Original File

Download the password protected original file (.zip format) to your management computer for further analysis. The default password for this file is fortisandbox.

Caution

Unzip the original file only on a management computer in an analysis environment.

Received

The date and time the file was received by FortiSandbox.

Started

The date and time the scan started and the timezone.

Status

The status of the scan. Status: Done, Canceled, Skipped, and Timed Out.

Rated by

The source of the rating decision. The following are the sources by scan module:

Static Scan related:

AV Scan Engine, Sandbox Community Cloud, Static Scan Engine, Yara Scan Engine, Dynamic Scan Cache, Allowlist/Blocklist, FortiGuard Allowlist/Blocklist, Overriden Verdicts and Fabric Device (FortiNDR).

Dynamic Scan related:

Dynamic Scan, Dynamic Scan (MacOS Cloud), Dynamic Scan (Cloud), Customized Rating and Real-time Zero-Day Anti-Phishing Service.

The module names have been changed since v4.2.0. If you require the previous module names for mapping, please contact Customer Support.

Submit Type

The input source of the file such as FortiMail.

Source IP

The malware host IP address.

Destination IP

The IP address of the client that downloaded the virus.

Digital Signature

The digital signature availability status of the scanned file.

AI Mode

Whether AI mode is on or off.

Deep-AI Mode

Whether Deep AI mode is on or off.

Scan Bypass Configuration

When available, the scan bypass configuration will be displayed.

SIMNET

The SIMNET status when the scan is running.

Depth

The URL level to do the recursive scan.

Region

WindowsCloudVM region.

Timeout Value

File/URL scan timeout setting.

Virus Total

By clicking the Virus Total link, a new page will open to query https://www.virustotal.com.

Only a limited number of queries per minute is allowed without manual interaction with the Virus Total website.

URL and Payloads

For Submitted URL which has payloads, this field displays a color-coded rating for URL and its payloads.

Archive Files

For archive files and its children, this field displays a color-coded rating for parent archive file and each children, so that you can quickly identify different ratings for each child.

The Original Job of this Rescan Job

Click the link to view the original job if this one is an AV rescan or On-Demand rescan job.

Details Information

View additional file information including the following: Packers, File Type,Original URL/URL, File Size, Service, MD5, SHA1, SHA256, ID, Submitted By, Submitted Filename, Filename, Scan Start Time, VM Scan Start Time, VM Scan End Time, VM Scan Time, Scan End Time, Total Scan Time, Scan Unit, Redirect URL, Embedded URL number, No VM Reason (reason why sample was not scanned inside VM), VM Reason (reason why sample entered into VM), Launched OS (VM type), Specified Browser, Launched Browser, Pipeline mode OS (if rated by pipeline mode VM ), Infected OS, Anti Evasion Triggers. Password Protected (For PDF and Office file only, showing whether the file is password protected and successfully extracted or not) and URL Category.

If the sample is from FortiMail, Email related information, such as the Email Sender, Receiver, Client IP, From, To, and Subject will also be shown.

If the sample is from Adapter, Adapter IP address and Email related information, such as BCC-Agent Sender and BCC-Agent Receiver will also be shown.

If the sample is a URL and scanned by Real-time Zero-Day Anti-Phishing Server, Real-time Zero-Day Anti-Phishing Service and Phishing URL target will be shown. Additionally, if there is a screenshot available to download, then a download button will be shown after the URL Category.

If the phishing service is enabled but the URL samples are not scanned in the Phishing server, the job details will show the No VM reason and Real-time Zero-Day Anti-Phishing prefilter version.

Indicators

A summary of the Malware's behavior indicators if there are any.

Rating

The rating is the final verdict of the FortiSandbox on the scan job based on the collected behavioral activities and static analysis. The assessment of their risk and impact is based on our FortiGuard Threat Intelligence of previously-known malware.

Ratings include Malware, High risk, Medium risk, Low risk, Clean and Unknown.

VM Interaction

When Interaction mode is enabled before jobs are submitted, VM Interaction displays Raw and the Status is ON. When Interaction is disabled VM Interaction is not displayed in the Overview page.

Video Record

When Record Video is enabled, Video Record displays ON. When Record Video is disabled, Video Record is not displayed.

The Tree View tab shows a tree for file's static structure or file's parent-child process relationship when it executes inside a guest VM. You can drag the tree using the mouse and zoom in or out using the mouse wheel. If there is suspicious activity with one tree node, its label will be colored red. Clicking a node in the tree will open more information in tab format. Suspicious information is shown in the color red, so you can quickly locate it.

The Details tab shows analysis details for each detection OS that is launched during the scan as a table. If the remote VM is a WindowsCloudVM launched in overflow mode, the launched OS will appear as windowscloudvm(overflow) (for more information, see VM Settings > Remote Windows).

The following are details of information displayed:

Item

Description

Analysis Details

View the following analysis details for each Detection OS that is launched during the scan. Each Detection OS's detail will be shown in a separate tab. The Infected OS will have a VM Infected icon in its tab title.

If the Malware is detected by non-Sandboxing scan, such as FortiGuard static scan, the tab title is displayed as N/A.

Behavior Chronology Chart

View the file's behavior over time and its density during its execution.

Clean behaviors: green bubble.

Suspicious behaviors: red, blue, or orange bubble.

The higher the bubble, the more serious the event is.

To view the event details, hover the mouse on top of the bubble.

If a file scan is scanned with more than one VM type, the VM tab will dynamically switch to the chart for that type.

If the file hits any imported YARA rule, a YARA tab will appear with detailed information. including:

  • The hit rule
  • Rule's risk level
  • Rule set name
  • Link to original YARA rule file

Captured Packets

Select the Captured Packets button to download the tracer PCAP file to your management computer.The packet capture (PCAP) file contains network traffic initiated by the file. You must have a network protocol analyzer installed on your management computer to view this file.

The Captured Packets button is not available for all file types.

Tracer Package

Download the compressed .tar file containing the tracer log and related files. The password protected /backup folder in the tracer log contains information about the program’s execution. The default password for this file is fortisandbox.

Caution

Unzip the tracer log only on a management computer in an analysis environment.

When downloading the tracer package for an executable file within an archive, the downloaded package will include the parent archive file.

Tracer Log

A text file containing detailed information collected inside the Sandbox VM.

STIX IOC

Download the IOC in STIX2 format.

Traffic Signature

Displays the signatures of industrial application network traffic that are detected. Click the name to go to its FortiGuard page.

IPS Signature

Displays IPS signatures that are detected, the signatures are displayed. Click the name to go to its FortiGuard page.

Screenshot

Download screenshot images when the file was running in the sandbox. This image is not always available.

YARA Hits

If the file hits FortiSandbox internal YARA rules, detailed information is displayed.

Office Behaviors

Suspicious indicators detected by FortiGuard advanced Office file static scan engine.

Virtual Simulator

Suspicious indicators detected by FortiGuard advanced Web file static scan engine.

Indicators

A summary of behavior indicators, if available.

When detailed information is available below, a question mark icon is displayed. When clicked, detailed information is displayed. For some operations, such as File Operations, users can download files in a password protected ZIP format.

MITRE ATT&CK V11 Matrix

Displays malware's attack techniques and tactics.

The MITRE supports V11. FortiSandbox displays the supported version on the Details page.

By default, a light version is displayed. Click the toggle button to swap between the Lite Matrix and Full Matrix.

Botnet Info

The botnet name and target IP address.

Files Operations

The file-related operations, includes Created/Deleted/Renamed/Modified/Set Attributes.

Registry Operations

The registry-related operations, includes Created/Deleted.

Memory Operations

The memory-related operations, includes Process Related/Process Created/Process Created and Injected/Written.

Network Operations

Users that are infected by this executable will notice HTTP connections with certain URL/IP addresses.

Click the Network Behaviors dropdown icon to view the network behavior of the file. This field may not be available for all file types.

For certain document files, if they contain malicious URLs, those URLs are displayed here. Users can select a URL to display its detailed information, like rating history and visit volume history.

Embedded urls

For PDFs, Office and HTML files, if the file contains embedded URLs or QR code, a maximum of three URLs and three QR codes can be scanned inside VM and listed here.

For more information on how to enable sandboxing embedded URL/QR code, see the FortiSandbox CLI Reference Guide.

Behaviors In Sequence

The executable file's behavior during execution, in time sequence.

Tracer/Rating Engine Version

The tracer/rating package version is displayed at the bottom of the job detail page and in the PDF Report.

Video Download Link

Download the video when the Record Video is enabled.