Description
The intent of this article is to assist administrators with locating Outbreak Prevention-specific AntiVirus logs based on what is reported in the Advanced Threat Prevention (ATP) Statistics widget.
As a reference, the Advanced Threat Prevention (ATP) Statistics widget on the FortiGate Dashboard shows a summary of results for AntiVirus scans, including:
- The number of scanned files
- How many were malicious/suspicious/clean
- How many files were detected using external services, such as the FortiGuard Outbreak Prevention service, External Malware Block Lists, and EMS Threat Feeds.
In FortiOS 7.2.0 and earlier, the ATP Statistics widget does not link directly to the corresponding AntiVirus logs, so an administrator must search the AntiVirus logs manually for the related Outbreak Prevention entries.
Scope
FortiOS 7.2 and earlier.
Solution
First, AntiVirus-specific logs can be found in the following locations in the FortiOS Web UI:
- FortiOS 7.2: Log & Report -> Security Events -> AntiVirus.
- FortiOS 7.0 and earlier: Log & Report -> AntiVirus.
The following is a list of useful log fields and their known Outbreak Prevention values; use them with the log filter to locate Outbreak Prevention-related AntiVirus logs:
- Event Type ('eventtype'): outbreak-prevention.
- Log ID ('logid'): 0204008202.
- Detection Type ('dtype'): outbreak-prevention.
- Message ('msg'): Blocked by Virus Outbreak Prevention service.
Further information on Outbreak Prevention-related log entries can be found here:
- 8202 - MESGID_AVQUERY_WARNING
For reference, the following is a sample of an Outbreak Prevention log in the GUI, as well as the same entry in the CLI/text log format:
As a final note, keep the following in mind when checking for AntiVirus logs:
- The ATP Statistics Widget is updated as the AntiVirus processes on the FortiGate scan files; it does not appear to use existing logs when generating these statistics.
- This can result in inconsistencies between the event count presented by the ATP Statistics widget and the actual number of log entries if the log facility being checked (e.g. FortiGate Cloud, FortiAnalyzer, Disk) has deleted or overwritten old logs because of storage space and/or logging volume constraints. A widget count higher than the log count is therefore expected after log rotation; a log count higher than the widget count would be unusual and worth investigating.
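As an added example (it is not part of this article and not Fortinet code), the following Python script applies the log fields listed above to FortiOS text-format log lines, keeps only the Outbreak Prevention entries, and compares the count with the number shown by the ATP Statistics widget. The log lines are constructed for illustration; the only values taken from the article are the logid, eventtype, dtype and msg. The function names and the `reconcile` helper are choices made for this example.

```python
import re
from typing import Dict, Iterable, List

# Field values this article lists for Outbreak Prevention AntiVirus logs.
OP_LOGID = "0204008202"
OP_EVENTTYPE = "outbreak-prevention"
OP_DTYPE = "outbreak-prevention"
OP_MSG = "Blocked by Virus Outbreak Prevention service."

# FortiOS text logs are key=value pairs; values are either double-quoted
# (and may contain spaces or escaped quotes) or bare tokens such as an IP.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log lines (not real device output). Field values for the
# Outbreak Prevention entries follow the article; the rest is illustrative.
SAMPLE_LOGS = [
    # Outbreak Prevention hit carrying every marker the article lists.
    'date=2024-03-01 time=10:15:02 logid="0204008202" type="utm" subtype="virus" '
    'eventtype="outbreak-prevention" level="warning" vd="root" '
    'msg="Blocked by Virus Outbreak Prevention service." action="blocked" '
    'service="HTTP" srcip=10.0.0.5 dstip=203.0.113.10 filename="invoice.exe" '
    'dtype="outbreak-prevention"',
    # Ordinary signature-based AntiVirus detection (constructed, not Outbreak Prevention).
    'date=2024-03-01 time=10:16:40 logid="0211008192" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" vd="root" msg="File is infected." '
    'action="blocked" service="HTTP" srcip=10.0.0.7 dstip=203.0.113.11 '
    'filename="setup.exe" dtype="Virus"',
    # Unrelated forward-traffic log (constructed).
    'date=2024-03-01 time=10:17:00 logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=10.0.0.5 '
    'dstip=203.0.113.10 action="accept"',
    # Second Outbreak Prevention hit identified by logid and msg only (constructed).
    'date=2024-03-01 time=10:18:21 logid="0204008202" type="utm" subtype="virus" '
    'level="warning" vd="root" msg="Blocked by Virus Outbreak Prevention service." '
    'action="blocked" service="SMTP" srcip=10.0.0.9 dstip=203.0.113.12 '
    'filename="doc.zip"',
]


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS text-format log line into a field -> value dict."""
    rec: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        rec[key] = raw
    return rec


def is_outbreak_prevention(rec: Dict[str, str]) -> bool:
    """True when any of the article's Outbreak Prevention markers is present.

    Any single marker is accepted so that an entry is still found when one of
    the fields is missing from the log store being searched.
    """
    return (
        rec.get("logid") == OP_LOGID
        or rec.get("eventtype") == OP_EVENTTYPE
        or rec.get("dtype") == OP_DTYPE
        or rec.get("msg") == OP_MSG
    )


def find_outbreak_prevention(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed records that are Outbreak Prevention detections."""
    return [rec for rec in map(parse_fortios_log, lines) if is_outbreak_prevention(rec)]


def reconcile(widget_count: int, records: List[Dict[str, str]]) -> Dict[str, int]:
    """Compare the ATP widget's Outbreak Prevention count with the log entries found.

    The widget is updated as files are scanned, independently of the log
    store, so a positive 'missing' value is the expected sign of rotated or
    overwritten logs rather than of a filter mistake.
    """
    found = len(records)
    return {"widget": widget_count, "logged": found, "missing": widget_count - found}


if __name__ == "__main__":
    hits = find_outbreak_prevention(SAMPLE_LOGS)
    for rec in hits:
        print(rec["date"], rec["time"], rec["service"], rec.get("filename", "-"))
    # Widget count of 3 is a constructed figure for the comparison.
    print(reconcile(3, hits))
```

To use this against a real export, feed the lines from the text log (for example a download from Log & Report or the output of the CLI log display) to `find_outbreak_prevention` and pass the figure read from the ATP Statistics widget to `reconcile`.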
Related articles:
Technical Tip: Displaying logs via FortiGate's CLI
FortiOS 6.2 Cookbook - FortiGuard outbreak prevention for antivirus
FortiOS 7.0 Administration Guide - FortiGuard outbreak prevention
Copyright 2024 Fortinet, Inc. All Rights Reserved.