Appendix B - Job Details page reference
When you click any job, a View Job Details icon appears. When you click the icon, a new browser tab opens showing detailed forensic information for the job. The information is displayed in three tabs: Overview, Behavior and Threat Intelligence.
The Job Details page header shows the virus name and file type. The icons at the right side of the page let you open the FortiGuard Encyclopedia Analysis, Mark the job, open Virus Total, export the job details page to PDF, and download the original file.
Item | Description
---|---
Rating | The rating verdict.
File type | The file type, for example, exe.
Virus Name | The name of the virus.
FortiGuard Encyclopedia Analysis | Select to view the FortiGuard Encyclopedia analysis of the file if the file has a Malicious rating. This page provides analysis details, detection information, and recommended actions.
Mark the job | Select to mark the file as clean (false positive) or suspicious (false negative). The available options depend on the file's risk type. Enable Submit feedback to cloud to submit job information to the community cloud. The default value is the same as Scan Profile > Advanced > Contribute detected suspicious files to FortiSandbox Community Cloud. You can choose to submit the file for analysis only, without marking it as clean or suspicious. After a file's verdict is overridden:
Virus Total | Click the Virus Total link to open https://www.virustotal.com in a new page. The Virus Total website allows only a limited number of queries per minute.
Export Job Details to PDF | Export the job details to a PDF report.
Download Original File | Download the password protected original file (.zip format) to your management computer for further analysis. The default password for this file is fortisandbox. To change the password, go to System > Settings > Set customized password for original files.

In a cluster environment, only the primary node has the authority to mark a job as a false positive or false negative and to download the original file.
Overview tab
The Overview tab is divided into two sections: Basic Information and Analysis over time.
- Basic Information includes the file name, file type, input source and so on, as well as the job settings, which record the scan conditions such as the VM scan timeout, tracing, and the rating engine version.
- Analysis over time is organized by scan sequence. It shows the start time, followed by static analysis and dynamic analysis if either is involved, and then the final rating and the end time.
If an IOC subscription is ordered, a Summary is displayed. This summary provides a brief overview of the findings and checks conducted by FortiSandbox, along with additional recommendations. It may take a few moments for the Summary content to display after the Job Details page is opened.
In a cluster environment, each scan node must have its own IOC subscription (purchased separately). When a job is opened on the primary node, it verifies whether the scan unit has the subscription. If the subscription is not present, the summary is not displayed.
Basic Information
The Basic Information section shows the following information:
Item | Description
---|---
Job ID | The ID that identifies the job.
Filename | The filename of the scanned file job.
Submit Type | The input source of the file, such as on demand or FortiMail.
Received | The date and time the job was received by FortiSandbox.
Status | The status of the scan: Done, Canceled, Skipped, or Timed Out.
Scan Unit | The FortiSandbox unit that scanned the job.
Submitted Filename | The submitted filename, for example, the name of the submitted archive file.
File Type | The file type of the file job.
File Size | The size of the file job.
Submitted By | The user who submitted the scan.
URL | The address of the scanned URL job.
Original URL | The originally submitted address. For a file job inside an archive, this can be the file's position in the archive hierarchy.
Password Protected | For PDF and Office files only, shows whether the file is password protected and whether it was successfully extracted.
URL and Payloads | For a submitted URL that has payloads, this field displays a color-coded rating for the URL and each of its payloads.
Archive Files | For archive files and their children, this field displays a color-coded rating for the parent archive file and each child, so that you can quickly identify the rating of each child.
Original Job | Click the link to view the original job if this is an AV rescan or On-Demand rescan job.
Job settings |
Scan Bypass | When available, the scan bypass configuration is displayed.
Specified Browsers | The VM name along with its browser setting.
Pipeline mode OS | The VM launched in pipeline mode.
VM Interaction | When Interaction mode is enabled before jobs are submitted, VM Interaction displays ON. When Interaction is disabled, VM Interaction is not displayed on the Overview page.
Video Record | When Record Video is enabled, Video Record displays ON. When Record Video is disabled, Video Record is not displayed.
Real-time Zero-Day Anti-Phishing Prefilter Version | The Real-time Zero-Day Anti-Phishing Prefilter version, if Real-time Zero-Day Anti-Phishing was used.
AI Engine and Model | The AI Engine and Model version, if this AI technique is applied to the job.
Tracer Package Version | The Tracer Package version used for the job.
Rating Package Version | The Rating Package version used for the job.
Analysis over time
Analysis over time shows the information gathered during the scan flow:
Item | Description
---|---
Scan Start Time | The date and time the scan started, and the time zone.
Static Analysis |
Digital Signature | The digital signature availability status of the scanned file.
URL Category | The URL category, if a URL was detected.
Embedded URL | The number of embedded URLs scanned.
Indicator | The key indicators of the job's behavior, with severity, description and attack technique.
Dynamic Analysis |
VM Start Time | The start time of the VM, if a VM scan is involved.
VM up Time | The time taken by the VM scan.
VM End Time | The time when the VM scan finished.
Launched OS | The VM that was launched to scan the job.
Launched Browsers | The VM and the browser it launched, if a browser was involved in the scan.
Anti Evasion Triggers | The VM that was triggered by Anti Evasion.
Indicator | The key indicators of the job's behavior, with severity, description and attack technique.
Rating |
Rating | The rating is the final verdict of FortiSandbox on the scan job, based on the collected behavioral activities and the static analysis. The assessment of risk and impact is based on FortiGuard Threat Intelligence about previously known malware. Ratings include Malware, High risk, Medium risk, Low risk, Clean and Unknown.
Rated By | The source of the rating decision. The following are the sources by scan module: The module names have been changed since v4.2.0. If you require the previous module names for mapping, contact Customer Support.
Total Scan Time | The total scan time spent.
Real-Time Zero-Day Anti-Phishing Verdict | If the sample is a URL and was scanned by the Real-time Zero-Day Anti-Phishing Server, the Real-time Zero-Day Anti-Phishing Verdict is shown and the Phishing URL Target is also displayed on the Job Details page. A download button and a question mark appear after the Real-time Zero-Day Anti-Phishing Verdict when a screenshot is available to download and more detailed information is returned from the Real-time Zero-Day Anti-Phishing server.
End |
Scan End Time | The time when the entire scan finished.
Behavior tab
The Behavior tab shows information for the Static scan and VM scan results. Select the VM or the static scan from the dropdown at the top-left of the page to view a detailed analysis of that scan.
This page may not be displayed if there is no information from either the Static scan or the VM scan.
Details
The Details section shows:
Item | Description
---|---
Behavior Info | View the file's behavior over time and its density during execution. If a file is scanned with more than one VM type, the VM tab dynamically switches to the chart for that type. If the file hits any imported YARA rule, a YARA tab appears with detailed information, including:
Indicators | A summary of behavior indicators, if available. When detailed information is available, a corresponding icon is displayed. Clicking the icon links to the specific operation details. For some operations, such as File Operations, you can download files in a password protected ZIP format.
File Operations | The file-related operations, including Created/Deleted/Renamed/Modified/Set Attributes. For some file operations, you can download files in a password protected ZIP format.
Registry Operations | The registry-related operations, including Created/Deleted.
Memory Operations | The memory-related operations, including Written, Process created and Injected, Process Created, Process Related.
Network Operations | When any network operations are detected during a VM scan, the target URL/IP addresses, along with their category and rating, are displayed.
Embedded URLs | For PDF, Office and HTML files, if the file contains embedded URLs or QR codes, a maximum of three URLs and three QR codes can be scanned inside the VM and are listed here. For more information on how to enable sandboxing of embedded URLs/QR codes, see the FortiSandbox CLI Reference Guide.
PCAP Information | The captured packet data.
Botnet Info | The botnet name and target IP address.
Traffic Signature | Displays the signatures of industrial application network traffic that were detected. Click the name to go to its FortiGuard page.
IPS Signature | Displays the IPS signatures that were detected. Click the name to go to its FortiGuard page.
Behaviors In Sequence | The executable file's behavior during execution, in time sequence.
Tree View
The Tree View section shows a tree of the file's static structure, or of the file's parent-child process relationships when it executes inside a guest VM. You can drag the tree with your mouse and zoom in or out using the mouse wheel. If there is suspicious activity at a tree node, its label is colored red. Clicking a node in the tree opens more information in tab format. Suspicious information is shown in red, so you can quickly locate it.
When selecting any operation in the Details section, you can click View it on Tree; the specific operation is then shown in Tree View highlighted in red to indicate its location. However, you cannot jump from the Tree View section directly to the Details section.
By default, Analysis over time and Tree View only show the relatively important indicators and icons. To show all detailed debugging information, enable Show debugging process in job details page in System > Settings.
Screenshots
The Screenshots section displays thumbnails of screenshots, if there are any. To enlarge an image, hover over its thumbnail.
Download
The Download section contains buttons for download options.
Item | Description
---|---
Captured Packets | Select the Captured Packets button to download the tracer PCAP file to your management computer. The packet capture (PCAP) file contains the network traffic initiated by the file. You must have a network protocol analyzer installed on your management computer to view this file. The Captured Packets button is not available for all file types.
Tracer Package | Download the compressed .zip file containing the tracer log and related files. The password protected /backup folder in the tracer log contains information about the program's execution. When downloading the tracer package for an executable file within an archive, the downloaded package includes the parent archive file. The default password for this file is
Tracer Log | A text file containing detailed information collected inside the Sandbox VM.
STIX IOC | Download the IOC in STIX2 format.
Screenshot | Download screenshot images taken while the file was running in the sandbox. This image is not always available.
Video Download Link | Download the video when Record Video is enabled.

The downloaded Tracer Package and Screenshot contain sensitive data and are saved in a password protected zip file. The password for accessing these files is
Threat Intelligence tab
The Threat Intelligence tab shows Key Highlights, Threat Enrichment via FortiGuard IOC, Threat IOC Table and ATT&CK Matrix.
Key Highlights
This section summarizes key findings from the FortiSandbox analysis, along with explanations and recommendations.
Threat Enrichment via FortiGuard IOC
This indicator displays the FortiGuard live rating and its associated confidence level.
Threat IOC Table
This table lists all identified threats, including MD5 hashes or URLs detected during the analysis.
ATT&CK Matrix
The ATT&CK Matrix presents a combination of MITRE ATT&CK techniques when multiple MITRE tactics were detected across different VMs. It displays the malware's techniques and tactics based on MITRE ATT&CK Version 11. A simplified version with the relevant information is shown. Clicking any detection opens a pop-up window with the technique code, description, and rating. For more details on a specific technique, click the technique code to visit the MITRE website at MITRE Mapping.