Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tannu86
New Contributor II

Hi, I keep receiving emails with this warning (about 300 a day).
I checked but there is nothing out of the ordinary.
Do you have experience on how to fix?


The message satisfies the warning condition

Virus/worm detected: ; Protocol: IMAPS; E-mail address from: ************** ; E-mail address to: ************** t ; VIRUS REFERRAL URL:

date=28-12-2022 time=09:55:53 devname=FG ************** devid=FGT *************** eventtime=1672217753527378557 tz="+0100" logid="0203008200" type="utm" subtype="virus" eventtype="filetype-executable" level="warning" vd="root" policyid=17 poluuid="b6a200f8-826b-51eb-3027-b96cfdbc33ef" policytype="policy" msg="The file is an executable." action="blocked" service="IMAPS" sessionsid=7101423 srcip=192.168.0.107 dstip=62.149.152.153 srcport=54463 dstport=993 srccountry="Reserved" dstcountry="Italy" srcintf="internal" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" srcuuid="dd5ff6ee-7d26-51ec-caf0-bb8630bb31c9"************* " a=" *********** ** @ ************* .t " recipient=" \" ************* @ ************ * t\ "" analyticscksum="edaf79c158ca5110d00afab222e935dc776239e0f70bc6df2c8f4d8aa81d8307" analyticssubmit="false" crscore=10 craction=2 crlevel="medium"

dsrivastava
Staff

This event is generated when hitting policy ID 17, with the action as blocked.
The firewall detected the hash of the file as a virus from FortiGuard, so it blocked it.
I could see it as a proper alert, and the firewall is blocking it. Make sure IPS, AV and file filter profiles are enabled in this specific policy.

ede_pfau
Esteemed Contributor III

No, this has nothing to do with the policy, or "action=DENY". (hint: "blocked" is not the same as "deny").

 

I think this is caused by a setting in your AV profile. It's called "Block executable as attachment as malware" (or the like). This is a security setting where any program attached to an email is regarded as potentially dangerous, and thus blocked.

 

I personally never use this setting, as the most dangerous attachments are Javascripts or embedded scripts in PDF files. YMMV.

 


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Tannu86
New Contributor II

Hi,
I checked on the EMS and I disabled the email file scan on the "Malware Detection" profile.
At the moment they no longer arrive. I will keep the situation under control; I don't know if I have solved it.
A thousand thanks

Tannu86
New Contributor II

Unfortunately, these alerts keep coming.

ede_pfau
Esteemed Contributor III

I don't know why you were checking on the EMS - IMHO this is originating from a FortiGate security profile (AV). In the AV profile, there is a setting like described. From the log message, you are using this AV profile in policy 17.

[Image: AV treat EXE as virus.jpg]

 


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Tannu86
New Contributor II

Hi, I checked policy 17 but the AV profile is already configured the same as in your screenshot.
After uninstalling the FortiClient AV on the PC (192.168.0.x) and unregistering it from EMS, I no longer get the warning.
I reinstalled FortiClient on my PC and now everything works fine and I don't get anything anymore.
I do not know if I was clear.
Anyway, thanks a lot for your help.
Regards
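
Added example (not part of the thread and not Fortinet tooling): a Python sketch for triaging a flood of alerts like the one quoted above. It groups AV log lines by eventtype, policyid and srcip, which separates file-type blocks such as eventtype="filetype-executable" from other AV events and shows which client produces them. The sample lines are constructed, and eventtype="infected" is an assumed value standing in for a signature hit.

```python
import re
from collections import Counter

# key=value pairs; a value is either a double-quoted string or a bare token.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines modelled on the fields of the log in this thread.
_T = ('date=28-12-2022 time=09:5{i}:00 type="utm" subtype="{sub}" '
      'eventtype="{et}" policyid=17 msg="{msg}" action="blocked" '
      'service="IMAPS" srcip={src} dstport=993')
SAMPLE_LOGS = [
    _T.format(i=0, sub="virus", et="filetype-executable",
              msg="The file is an executable.", src="192.168.0.107"),
    _T.format(i=1, sub="virus", et="filetype-executable",
              msg="The file is an executable.", src="192.168.0.107"),
    _T.format(i=2, sub="virus", et="filetype-executable",
              msg="The file is an executable.", src="192.168.0.107"),
    # Assumed eventtype for a signature detection (constructed).
    _T.format(i=3, sub="virus", et="infected",
              msg="File is infected.", src="192.168.0.55"),
    # Non-AV UTM event, ignored by the summary (constructed).
    _T.format(i=4, sub="webfilter", et="ftgd_blk",
              msg="URL blocked.", src="192.168.0.55"),
]

def parse_line(line):
    """Return the key=value fields of one log line, quotes stripped."""
    return {key: value.strip('"') for key, value in PAIR.findall(line)}

def summarize(lines):
    """Count AV events per (eventtype, policyid, srcip)."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f.get("subtype") != "virus":
            continue
        key = (f.get("eventtype", "?"), f.get("policyid", "?"), f.get("srcip", "?"))
        counts[key] += 1
    return counts

def file_type_share(counts):
    """Fraction of AV events raised by a file-type rule (eventtype filetype-*)."""
    total = sum(counts.values())
    hits = sum(n for (etype, _, _), n in counts.items() if etype.startswith("filetype-"))
    return hits / total if total else 0.0

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS)
    for key, n in summary.most_common():
        print(n, *key)
    print("file-type share:", file_type_share(summary))
```

A high file-type share concentrated on one srcip points at a profile setting and a single mail client rather than at many distinct detections.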
