FortiCloud Sandbox - Cannot see details of "High Risk" files, alert emails not received

x_member · ‎10-30-2015

In the recently upgraded Forticloud portal under the Sandbox tab I can see 4 files over the past week classified as 'High Risk' (they show as 'Malicious' in the FortiSandbox console on the appliance).

When I go to view their details, on the portal they are blank, and I can find no way of actually establishing what files they were.

Each of the 4 files have an associated 'Email Sent Time' entry on the Portal. None of these emails were received (checked in Spam and mail server queues) and I can see no indication that they have ever really been sent.

The files concerned are part of expected FTP traffic overnight generated by a scheduled task to perform a backup of our live websites (msdeploy, 7zip). This task has been in place over 5 months and runs daily, however only 4 high risk alerts (2 blocks of 2 4 days apart) have been raised in the past 31 days

How do I establish which files these are (and why they are being classified as malicious) through the Sandbox?

Surely there is some way of determining which files are (occasionally) tripping the Sandbox malicious file detection.

I'd rather not have to diff the source and destination..

x_member · ‎11-02-2015

So this morning I checked Forticloud and the 4 entries in the Sandbox now have an additional symbol to link to the detected virus.

For each of these entries, the link takes me to http://www.fortiguard.com/encyclopedia/virus/0 with the message "Encyclopedia entry id incorrect". The Info page linked from the other icon remains blank on file details for all entries.

Guess I'll have to raise a ticket to find out what's happening here.

hfreel · ‎11-17-2015

I am having similar issues with forticloud sandbox. On the daily reports I can see that some files were suspicious, but I have no way of telling what machine they ended up on. Searching through the logs is cumbersome. I am not sure what value this service brings me at all.

x_member · ‎11-17-2015

hfreel wrote:
I am having similar issues with forticloud sandbox. On the daily reports I can see that some files were suspicious, but I have no way of telling what machine they ended up on. Searching through the logs is cumbersome. I am not sure what value this service brings me at all.

I'm still trying to progress a ticket on this at the moment - it's stuck in limbo between TAC and the FortiCloud team but I'm trying to move it forward. These are business critical backups that are apparently having files plucked out at random (despite the AV policy not having the 'send files for inspection' option checked).

Can I ask:

Do you get provided with any of the details about the sandboxed files (File / User Name)?

Do you receive email alerts (if sent)?

Are you provided with a valid link to the threat encyclopedia?

At the moment we have zero trust in this process and the sandbox continues to randomly pick 1 or 2 files out of the traffic on a completely random schedule although the files are largely static in content and characteristics and are FTP'd as a backup on a nightly basis.

hfreel · ‎11-17-2015

I did not get email alerts. That is not working. I can see that on Oct 17, out of 380 files, 3 are listed as malicious. The filter function only allows me to filter based on what I am able to click on the analysis field and since these logs are so far back I cannot find a Malicious file to filter on. So at this point just locating the bad file in the logs is almost impossible. Unless you know a way of doing it... I'd be happy to try anything.

hfreel · ‎11-17-2015

A little more digging and it appears I got the same as you. I was able to filter on date and then scroll through pages and pages until I found a Malicious status. I clicked on the icon and got the same as you. "Encyclopedia entry id incorrect"

x_member · ‎11-17-2015

hfreel wrote:
A little more digging and it appears I got the same as you. I was able to filter on date and then scroll through pages and pages until I found a Malicious status. I clicked on the icon and got the same as you. "Encyclopedia entry id incorrect"

Thanks for responding - at least neither of us is alone in this. I was expecting a callback from TAC management about my ticket which I'll be chasing up tomorrow. As soon as I have anything concrete I'll post back.

hfreel · ‎11-17-2015

Good luck. Let me know how you make out.

x_member · ‎11-20-2015

I've had an initial response from the FortiCloud team via TAC management that this is a known issue and will be fixed in a FortiCloud update.

I'm just trying to clarify that the update will address all areas of concern and be cloud side only (i.e. no FortiOS update required). I'll post back when I'm updated.

x_member · ‎11-25-2015

I've been assured that this is a cloud-side only update.

However, I cannot get a firm answer regarding the 'Alert Emails' that were apparently sent.

I've asked repeatedly whether they were actually sent and (if so) where they were sent to; we've definitely not received them on any of our email addresses and they're not in our spam queue.

I'm hoping that the email issue is also a cloud side one, but will continue to press for a firm answer.