FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
Luke_FTNT (Staff)
Article Id 309350
Description: How to view a security event's file in VirusTotal to obtain additional information and reputation data.
Scope: FortiEDR Manager 6.2+.
Solution:

In FortiEDR versions earlier than 6.2, a button in the Event Viewer's "ADVANCED DATA" tab allowed users to open the file hash in VirusTotal to obtain additional information on the file, including reputation scoring from other security vendors. In version 6.2+ of FortiEDR Manager this has changed with the addition of Investigation View. To open a file's hash in VirusTotal, a user needs to perform the following steps:

1) Open the Security event in Event Viewer.

2) Select 'Investigation View' from the "ADVANCED DATA" tab at the bottom of the screen. This will open a new tab in the browser.

[Screenshot: investigation-view-icon.png]

3) Select the file or process that was blocked. In the screenshot below, we would select "powershell.exe". This opens a panel on the right-hand side of the screen providing more details.

[Screenshot: investigation-view-overview.png]

4) Scroll down to the file hash section, hover the mouse over one of the listed hashes (MD5, SHA-1 or SHA-256) and click the VirusTotal icon. This opens the file's report in VirusTotal in a new tab.

Note: Investigation View depends heavily on Threat Hunting data collection, including for the use case of opening files in VirusTotal. If no Threat Hunting data was collected, or it has since been deleted, this option will not be available.
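As an added example (not Fortinet's code and not part of this article), the following Python script automates what steps 3 and 4 and the note above describe: it picks the strongest well-formed hash from an event's hash section, builds the VirusTotal link the icon opens, returns None when no Threat Hunting hash data exists, and summarises a VirusTotal v3 file report. The event field names, the sample hash values and the sample report are assumptions constructed for the demonstration; only the VirusTotal URLs and the `x-apikey` header are the real public interface.

```python
import json
import re
import urllib.request

# Public VirusTotal endpoints: the web page the icon opens and the v3 REST file object.
VT_GUI_URL = "https://www.virustotal.com/gui/file/{}"
VT_API_URL = "https://www.virustotal.com/api/v3/files/{}"
# Strongest first; Investigation View lists all three, SHA-256 is the one to prefer.
HASH_FORMATS = (("sha256", 64), ("sha1", 40), ("md5", 32))


def pick_hash(hashes):
    """Return (algorithm, hex) for the strongest well-formed hash, or None.

    `hashes` is a dict such as {"md5": ..., "sha1": ..., "sha256": ...}; the key
    names are an assumption for an exported event, not FortiEDR's own schema.
    An empty dict models an event for which no Threat Hunting data was collected.
    """
    for algo, length in HASH_FORMATS:
        value = (hashes.get(algo) or "").strip().lower()
        if re.fullmatch(r"[0-9a-f]{%d}" % length, value):
            return algo, value
    return None


def vt_gui_url(hashes):
    """The URL the VirusTotal icon opens, or None when no usable hash exists."""
    chosen = pick_hash(hashes)
    return VT_GUI_URL.format(chosen[1]) if chosen else None


def fetch_report(file_hash, api_key):
    """Query the VT v3 file endpoint (network call; needs a VirusTotal API key)."""
    req = urllib.request.Request(VT_API_URL.format(file_hash), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_report(report):
    """Reduce a v3 file report to the vendor verdict counts an analyst checks first."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    return {"flagged": flagged, "total": total}


# Constructed sample event hashes: placeholder hex values, not real file hashes.
SAMPLE_HASHES = {"md5": "0" * 32, "sha1": "not-a-hash", "sha256": "ab" * 32}
# Constructed response fragment in the shape of a real VT v3 file object.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 0, "malicious": 3, "suspicious": 1, "undetected": 60}}}}

if __name__ == "__main__":
    print(vt_gui_url(SAMPLE_HASHES), summarize_report(SAMPLE_REPORT))
```

Run it against an exported event's hash fields to get the same link the Investigation View icon opens; use `fetch_report` only when you hold a VirusTotal API key.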