EstDef
New Contributor

FortiSandbox malicious jobs not sent to job archive

Hello,

 

I have racked my brain for a while now and cannot seem to find an answer. My problem is that in FortiSandbox I have set up job archiving, so third parties can reanalyze and inspect files that have been deemed harmful. In Scan Policy & Object - Job Archive settings, both Malicious and Suspicious files have been ticked. With Suspicious files (Log & Report - File Scan) it works like a charm. With Malicious files from the same page, the Malicious files are not sent to the Job Archive. But I would really need them to be delivered to the archive too.

Has anyone encountered the same problem and/or has a fix/workaround for me?
Thanks in advance,

Dave

6 REPLIES
Anthony_E
Community Manager

Hello EstDef,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Anthony-Fortinet Community Team.
EstDef
New Contributor

Thank you @Anthony_E. So far my own searches have also come up short. If I find anything out, I will also write it here, but as it is today, still the malicious files are not archived. :(

Anthony_E
Community Manager

Hello,

 

Sorry about it :(.

 

We will find a solution, I am sure.

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello EstDef,

 

I hope you are good.

 

I have found this document:

 

https://community.fortinet.com/t5/Fortinet-Forum/FortiSandbox-malicious-jobs-not-sent-to-job-archive...

 

Could you please tell me if it helps?

 

If not, I will still look for a solution.

 

Regards,

 

 

Anthony-Fortinet Community Team.
EstDef

Good morning @Anthony_E 

The link you gave me to look at leads directly here, so it's a perpetual loop :)
So sadly I still have to say that it is not helping. But thanks for suggesting it.

 

Best Regards,

EstDef

EstDef
New Contributor

Hey again!

 

I have made slight progress in refining the problem. The problem ONLY occurs when FortiSandbox uses its database to determine the attachment is Malicious. If you ORDER A RESCAN (force the attachment to a VM scan), then the archive function works.
Is there a way to force FortiSandbox database Malicious determined files into a VM scan automatically?

 

EDIT! If I turn off prefiltering on filetypes, do they all go through a VM scan? Meaning then they could all end up in that needed archive location too? E.g. I turn off executable prefilter, then ALL executables go through a VM scan?

 

Thanks in advance,

EstDef
