Hi, I keep receiving emails with this warning (about 300 a day).
I checked but there is nothing out of the ordinary.
Do you have any experience with how to fix this?
The message satisfies the warning condition
Virus/worm detected: ; Protocol: IMAPS; E-mail address from: ************** ; E-mail address to: ************** t ; VIRUS REFERRAL URL:
date=28-12-2022 time=09:55:53 devname=FG ************** devid=FGT *************** eventtime=1672217753527378557 tz="+0100" logid="0203008200" type="utm" subtype="virus" eventtype="filetype-executable" level="warning" vd="root" policyid=17 poluuid="b6a200f8-826b-51eb-3027-b96cfdbc33ef" policytype="policy" msg="The file is an executable." action="blocked" service="IMAPS" sessionsid=7101423 srcip=192.168.0.107 dstip=62.149.152.153 srcport=54463 dstport=993 srccountry="Reserved" dstcountry="Italy" srcintf="internal" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" srcuuid="dd5ff6ee-7d26-51ec-caf0-bb8630bb31c9"************* " a=" *********** ** @ ************* .t " recipient=" \" ************* @ ************ * t\ "" analyticscksum="edaf79c158ca5110d00afab222e935dc776239e0f70bc6df2c8f4d8aa81d8307" analyticssubmit="false" crscore=10 craction=2 crlevel="medium"
This event is generated when policy ID 17 is hit, and the action is blocked.
The firewall detected the hash of the file as a virus from FortiGuard, so it blocked it.
I see it as a proper alert, and the firewall is blocking it. Make sure the IPS, AV and file filter profiles are enabled in this specific policy.
No, this has nothing to do with the policy, or "action=DENY". (hint: "blocked" is not the same as "deny").
I think this is caused by a setting in your AV profile. It's called "Block executable as attachment as malware" (or the like). This is a security setting where any program attached to an email is regarded as potentially dangerous, and thus blocked.
I personally never use this setting, as the most dangerous attachments are Javascripts or embedded scripts in PDF files. YMMV.
Hi,
I checked on the EMS and I disabled the email file scan on the "Malware Detection" profile.
At the moment they no longer arrive. I will keep the situation under control; I don't know if I have solved it.
A thousand thanks
Unfortunately, these alerts keep coming.
I don't know why you were checking on the EMS - IMHO this is originating from a Fortigate security profile (AV). In the AV profile, there is a setting like described. From the log message, you are using this AV profile in policy 17.
Hi, I checked policy 17, but the AV profile is already configured as in your screenshot.
After uninstalling AV FortiClient on the PC (192.168.0.x) and unregistering it from EMS, I no longer get the warning.
I reinstalled FortiClient on my PC and now everything works fine and I don't get anything anymore.
I do not know if I was clear.
Anyway, thanks a lot for your help.
Regards
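As an added example (not part of the thread and not Fortinet code): with about 300 alerts a day, grouping the log lines by source IP, policy ID, service and event type shows which client and which policy's AV profile generate them. The sample lines are constructed from the field names in the log above; 192.168.0.112 and 203.0.113.10 are placeholder addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# key=value or key="quoted value" pairs, as in the log line quoted in the thread
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

def parse_line(line):
    """Return a dict of the key=value fields found in one log line."""
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        fields[key] = quoted if quoted else bare
    return fields

def summarize(lines):
    """Count AV (type=utm, subtype=virus) events per
    (srcip, policyid, service, eventtype); other log types are skipped."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f.get("type") == "utm" and f.get("subtype") == "virus":
            key = (f.get("srcip"), f.get("policyid"),
                   f.get("service"), f.get("eventtype"))
            counts[key] += 1
    return counts

# Constructed sample input (not real logs), modelled on the fields shown above.
SAMPLE = [
    'date=28-12-2022 time=09:55:53 type="utm" subtype="virus" '
    'eventtype="filetype-executable" level="warning" policyid=17 '
    'msg="The file is an executable." action="blocked" service="IMAPS" '
    'srcip=192.168.0.107 dstip=203.0.113.10 dstport=993',
    'date=28-12-2022 time=09:56:10 type="utm" subtype="virus" '
    'eventtype="filetype-executable" level="warning" policyid=17 '
    'msg="The file is an executable." action="blocked" service="IMAPS" '
    'srcip=192.168.0.107 dstip=203.0.113.10 dstport=993',
    'date=28-12-2022 time=10:02:41 type="utm" subtype="virus" '
    'eventtype="filetype-executable" level="warning" policyid=17 '
    'msg="The file is an executable." action="blocked" service="IMAPS" '
    'srcip=192.168.0.112 dstip=203.0.113.10 dstport=993',
    'date=28-12-2022 time=10:03:00 type="traffic" subtype="forward" '
    'policyid=17 action="accept" service="IMAPS" '
    'srcip=192.168.0.107 dstip=203.0.113.10 dstport=993',
]

if __name__ == "__main__":
    for (srcip, policyid, service, eventtype), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  srcip={srcip} policyid={policyid} "
              f"service={service} eventtype={eventtype}")
```

A single source IP dominating the counts points at one client's mailbox, while an even spread across clients points at the profile setting on the policy.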