FortiMail
opetr_FTNT
Staff
Article Id 195987

Description

 

This article describes how to proceed when a virus has apparently passed through a FortiMail unit undetected, while the EICAR test file (see Download Eicar) is detected correctly.

This can happen when the signature for the virus that passed is not yet included in the Fortinet AV database, or when the FortiMail unit has not installed the most recent AV definition files.
 
Scope
 
FortiMail.


Solution

 

  1. Get the infected file.
  2. Use the FortiGuard Center web portal to verify whether the virus is present in the latest antivirus database.
  • If the file is reported as clean, FortiGuard does not yet have a signature for it. The file can be submitted directly to the Fortinet antivirus team on the same web page. Note that the file will not be detected until the Fortinet antivirus team has added the signature to the database.
  • If the file is reported as infected, the next step is to check the version of the antivirus database that is installed on the FortiMail.
  3. Select the 'Virus' option from the FortiGuard Center web portal (Antivirus Service) and make a note of the latest antivirus database version, for example 92.06558.
  4. Verify that the latest database is installed on the FortiMail.
  5. If the unit does not have the latest definitions, download them with the 'Update Now' button. The update may take a few minutes, depending on the network speed.


CLI Configuration:
The same check can be performed through the CLI:

FML # diagnose autoupdate versions
System Time:  2024-08-14 16:56:22 CEST (Uptime: 0d 1h 23m)

AV Engine
---------
Version: 6.00297
Contract Expiry Date: Mon Feb 17 01:00:00 2025
Last Updated using manual update on Wed Jan 31 20:24:00 2024
Last Update Attempt: Wed Aug 14 16:05:27 2024
Result: No Updates

Virus Definitions:
---------
Version: 92.06558     <-----
Contract Expiry Date: Mon Feb 17 01:00:00 2025
Last Updated using scheduled update on Wed Aug 14 16:05:27 2024
Last Update Attempt: Wed Aug 14 16:05:27 2024
Result: Updates Installed
---------

 

To update only the AV databases, run:

FortiMail # execute update av

Or, to update all databases:

FortiMail # execute update now

 

Once the databases are up to date (and the FortiGuard Center web portal confirms that the file can be detected), the infected file should no longer pass. This can be verified by re-sending the infected file through FortiMail.
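As an added example (not Fortinet's code and not part of this article), the following Python script automates the comparison described above: it parses the output of 'diagnose autoupdate versions', compares the installed Virus Definitions version with the version noted from the FortiGuard Center portal, and also checks that the FortiGuard contract has not expired, since definition updates will not install on an expired contract. The sample output is constructed from the transcript in this article; the portal version passed to check_definitions is an assumed value.

```python
import re
from datetime import datetime

# Constructed sample of 'diagnose autoupdate versions' output, modelled on the
# transcript in this article (same values; a few blank lines kept as the CLI prints them).
SAMPLE_OUTPUT = """\
System Time:  2024-08-14 16:56:22 CEST (Uptime: 0d 1h 23m)

AV Engine
---------
Version: 6.00297
Contract Expiry Date: Mon Feb 17 01:00:00 2025
Last Updated using manual update on Wed Jan 31 20:24:00 2024
Last Update Attempt: Wed Aug 14 16:05:27 2024
Result: No Updates

Virus Definitions:

---------
Version: 92.06558
Contract Expiry Date: Mon Feb 17 01:00:00 2025
Last Updated using scheduled update on Wed Aug 14 16:05:27 2024
Last Update Attempt: Wed Aug 14 16:05:27 2024
Result: Updates Installed
---------
"""

FORTI_DATE = "%a %b %d %H:%M:%S %Y"   # e.g. 'Mon Feb 17 01:00:00 2025'


def _is_separator(line):
    return bool(line) and set(line) == {"-"}


def parse_autoupdate_versions(text):
    """Return {section: {field: value}} for each dashed section of the output.

    A section title ('AV Engine', 'Virus Definitions:') is a line whose next
    non-blank line is the dashed separator and which is not itself a
    'Field: value' line. 'Last Updated using X update on DATE' has no colon
    after the field name, so it is split into two fields with a regex.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    sections, current = {}, None
    for i, line in enumerate(lines):
        if _is_separator(line) or line.startswith("System Time"):
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if _is_separator(nxt) and ":" not in line.rstrip(":"):
            current = line.rstrip(":")
            sections[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r"Last Updated using (\w+) update on (.+)$", line)
        if m:
            sections[current]["Last Update Method"] = m.group(1)
            sections[current]["Last Updated"] = m.group(2)
        elif ":" in line:
            key, _, value = line.partition(":")
            sections[current][key.strip()] = value.strip()
    return sections


def system_time(text):
    """The unit's own clock, taken from the 'System Time:' header line."""
    m = re.search(r"System Time:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", text)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")


def version_key(version):
    """'92.06558' -> (92, 6558): compare the fields numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_definitions(text, portal_latest):
    """Compare the installed Virus Definitions with the version noted from the
    FortiGuard Center portal and say what to do next."""
    defs = parse_autoupdate_versions(text)["Virus Definitions"]
    expiry = datetime.strptime(defs["Contract Expiry Date"], FORTI_DATE)
    result = {
        "installed": defs["Version"],
        "portal_latest": portal_latest,
        "up_to_date": version_key(defs["Version"]) >= version_key(portal_latest),
        "contract_valid": expiry > system_time(text),
        "last_result": defs["Result"],
    }
    if not result["contract_valid"]:
        result["action"] = "renew the FortiGuard AV contract; updates will not install"
    elif not result["up_to_date"]:
        result["action"] = "run 'execute update av' (or 'Update Now' in the GUI)"
    else:
        result["action"] = "definitions are current; if the file still passes, open a ticket"
    return result


if __name__ == "__main__":
    # Assumed portal value; replace it with the version read from FortiGuard Center.
    for key, value in check_definitions(SAMPLE_OUTPUT, "92.06558").items():
        print(f"{key}: {value}")
```

The version fields are compared as integer tuples rather than strings so that a leading zero in the second field (06558) does not distort the ordering, and the contract expiry is compared against the unit's own clock from the same output rather than the workstation's clock.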

If the problem persists, create a support ticket and attach the following files:
  • Configuration backup.
  • The output of 'diagnose autoupdate versions'.
  • The infected file.
  • A cross-search result for the mail that should be blocked by an Antivirus check. The steps to do this are explained in the FortiMail Admin Guide in the section 'Cross-searching log messages'.