x_member
New Member
October 30, 2015
Question

FortiCloud Sandbox - Cannot see details of "High Risk" files, alert emails not received


In the recently upgraded Forticloud portal under the Sandbox tab I can see 4 files over the past week classified as 'High Risk' (they show as 'Malicious' in the FortiSandbox console on the appliance).

When I go to view their details, on the portal they are blank, and I can find no way of actually establishing what files they were.

Each of the 4 files has an associated 'Email Sent Time' entry on the Portal. None of these emails were received (checked in Spam and mail server queues) and I can see no indication that they have ever really been sent.

The files concerned are part of expected FTP traffic overnight generated by a scheduled task to perform a backup of our live websites (msdeploy, 7zip). This task has been in place over 5 months and runs daily; however, only 4 high risk alerts (2 blocks of 2, 4 days apart) have been raised in the past 31 days.

How do I establish which files these are (and why they are being classified as malicious) through the Sandbox?

Surely there is some way of determining which files are (occasionally) tripping the Sandbox malicious file detection.

I'd rather not have to diff the source and destination.

    1 reply

    x_member (Author)
    New Member
    November 2, 2015

    So this morning I checked Forticloud and the 4 entries in the Sandbox now have an additional symbol to link to the detected virus.

    For each of these entries, the link takes me to http://www.fortiguard.com/encyclopedia/virus/0 with the message "Encyclopedia entry id incorrect". The Info page linked from the other icon remains blank on file details for all entries.

    Guess I'll have to raise a ticket to find out what's happening here.

    hfreel
    New Member
    November 17, 2015

    I am having similar issues with forticloud sandbox. On the daily reports I can see that some files were suspicious, but I have no way of telling what machine they ended up on. Searching through the logs is cumbersome. I am not sure what value this service brings me at all.

    x_member (Author)
    New Member
    November 17, 2015

    hfreel wrote:

    I am having similar issues with forticloud sandbox. On the daily reports I can see that some files were suspicious, but I have no way of telling what machine they ended up on. Searching through the logs is cumbersome. I am not sure what value this service brings me at all.

    I'm still trying to progress a ticket on this at the moment; it's stuck in limbo between TAC and the FortiCloud team, but I'm trying to move it forward. These are business critical backups that are apparently having files plucked out at random (despite the AV policy not having the 'send files for inspection' option checked).

    Can I ask:

    Do you get provided with any of the details about the sandboxed files (File / User Name)?

    Do you receive email alerts (if sent)?

    Are you provided with a valid link to the threat encyclopedia?

    At the moment we have zero trust in this process, and the sandbox continues to randomly pick 1 or 2 files out of the traffic on a completely random schedule, although the files are largely static in content and characteristics and are FTP'd as a backup on a nightly basis.