Created on 12-11-2019 02:54 AM Edited on 11-25-2021 04:13 AM By Anthony_E
Description
In reports generated by FortiAnalyzer, some URLs are obfuscated: the period or dot (".") and the colon (":") are replaced with the tokens [dot] and/or [colon] respectively.
This article explains why this happens.
Useful link:
Fortinet Documentation:
How to generate data reports in FortiAnalyzer: https://docs.fortinet.com/document/fortianalyzer/6.2.0/administration-guide/136416/reports
Scope
Solution
This behavior is by design.
In certain scenarios, a PDF reader will activate URLs found in the report. Any malicious or threat-bearing URL shown in a report would then become an active hyperlink and could lead users to a website that had been blocked.
FortiAnalyzer does not itself activate hyperlink URLs in the report, so this does not happen by default. However, enabling 'Databinding Format as URL' in the PDF reader, or simply having a URL start with 'www', inadvertently results in the URL text becoming an active hyperlink in the PDF reader.
To mitigate this, threat reports that show blocked or malicious URLs are altered: the period or dot (".") in the URL is replaced with [dot], and the colon (":") with [colon].
For instance, 'http://www.malware.com' is rendered as 'http[colon]//www[dot]malware[dot]com'.
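The substitution described above, as an added Python example (not Fortinet code): it defangs only link-like spans in a line of text, checks that nothing clickable remains, and reverses the tokens for analysts who need the original URL for a lookup. The `AUTOLINK` pattern is an assumed, simplified model of what a PDF reader auto-links, and all function names and the sample line are constructed for illustration.

```python
import re

# Tokens described in the article: "." -> [dot], ":" -> [colon].
DOT, COLON = "[dot]", "[colon]"

# Assumption: a simplified model of text a PDF reader may turn into a link,
# covering the two triggers the article names (a URL scheme or a leading "www.").
AUTOLINK = re.compile(r"\b(?:[a-z][a-z0-9+.-]*://|www\.)[^\s<>\"']+", re.IGNORECASE)
TRAILING = ".,;:!?)"  # sentence punctuation that is not part of the URL


def defang(url: str) -> str:
    """Apply the article's substitution to one URL string."""
    return url.replace(".", DOT).replace(":", COLON)


def refang(text: str) -> str:
    """Reverse the substitution, e.g. to look a reported URL up in a reputation service."""
    return text.replace(DOT, ".").replace(COLON, ":")


def defang_text(text: str) -> str:
    """Defang only link-like spans so ordinary punctuation in the line survives."""
    def _sub(match: re.Match) -> str:
        span = match.group(0)
        core = span.rstrip(TRAILING)
        return defang(core) + span[len(core):]
    return AUTOLINK.sub(_sub, text)


def linkable_spans(text: str) -> list[str]:
    """Return spans that still look clickable; an empty list means the text is inert."""
    return AUTOLINK.findall(text)


if __name__ == "__main__":
    # Constructed sample line, not taken from a real report.
    line = "Blocked http://www.malware.com/a.php?id=1, then www.malware.com:8080."
    safe = defang_text(line)
    print(safe)
    print(linkable_spans(line), linkable_spans(safe))
```

`refang` is exact only when the original text did not already contain the literal tokens `[dot]` or `[colon]`.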
Below is an example of such behavior in a report file.