Troubleshooting undetected known malware

Copy Link
Copy Doc ID 609ceb0c-313f-11e9-94bf-00505692583a:184240
Download PDF

If known malware is not detected, check whether any of the following has changed since the sample was last detected:

  • The scan profile was changed. The malware might not run in the VM type now selected (for example, a sample that needs a specific OS or application version).
  • A new AV/IPS signature, rating engine, or tracer engine was installed.
  • Network conditions changed.
  • The port3 connection to the Internet (the VMs' outbound path) was modified.
  • New firmware was installed.
  • The malware's execution conditions changed, such as a C&C server that is now down, a time bomb that has expired, or an anti-analysis check that now triggers.

The following are some troubleshooting methods:

  1. Check the logs to see whether the scan profile was changed or a new signature was installed.
  2. Check the logs for manually overridden verdicts, white list/black list entries, or YARA rule modifications. The Detailed Report shows how the file was rated and which of these applied.
  3. Run test-network to check the unit's connection to FDN, especially if the Web Filter service is down.
  4. Check the next-hop gateway of port3 and the policy applied to that path on the upstream device. The path should be clean: if the VMs' outbound traffic is blocked or proxied, the malware cannot reach its C&C and may never show its malicious behaviour.
  5. Try an On-Demand scan of the malware and use the VM Interaction and Scan Video features to watch whether the sample actually executes.
  6. Compare a previous Detailed Report for the same sample with a recent one to find what differs.
  7. Contact Fortinet Support for possible rating/tracer engine bugs.
  8. Report the sample to fsa_submit@fortinet.com for further investigation.
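Steps 1, 2 and 6 above come down to the same question: which of the checklist conditions changed between a scan that detected the sample and one that did not? The script below is an added example (not Fortinet code and not the FortiSandbox report format) that compares two Detailed Reports for the same sample and maps every differing field back to a checklist item. The report field names, the two sample reports, and the hashes and addresses in them are constructed assumptions for illustration; map the field names to those of the report you actually export before using it.

```python
"""Compare two FortiSandbox Detailed Reports for one sample and list which
troubleshooting-checklist conditions differ between them.

Added example, not Fortinet code. Field names below are ASSUMED; the real
exported report uses its own names, so adjust CHECKLIST accordingly.
"""
import json
from typing import Any

# Checklist item -> report fields whose change could explain a lost detection.
CHECKLIST: dict[str, tuple[str, ...]] = {
    "scan profile / VM": ("scan_profile", "vm_image"),
    "AV/IPS signature": ("av_signature_version", "ips_signature_version"),
    "rating/tracer engine": ("rating_engine_version", "tracer_engine_version"),
    "firmware": ("firmware_version",),
    "network / port3": ("port3_gateway", "fdn_reachable", "vm_internet_reachable"),
    "manual override / lists / YARA": ("verdict_override", "list_match", "yara_rules_version"),
}

# Constructed sample reports (not real FortiSandbox output): the same sample
# scanned before and after a scan-profile change plus an AV signature update.
OLD_REPORT: dict[str, Any] = {
    "sample_sha256": "constructed-sha256-of-sample",
    "rating": "Malicious",
    "scan_profile": "WIN7X86VM",
    "vm_image": "WIN7X86VM",
    "av_signature_version": "1.000",
    "ips_signature_version": "1.000",
    "rating_engine_version": "1.000",
    "tracer_engine_version": "1.000",
    "firmware_version": "v3.0.0",
    "port3_gateway": "192.0.2.1",          # TEST-NET address, placeholder
    "fdn_reachable": True,
    "vm_internet_reachable": True,
    "verdict_override": None,
    "list_match": None,
    "yara_rules_version": "1.000",
    "behaviours": ["creates autorun key", "connects to 203.0.113.5:443"],
}
NEW_REPORT: dict[str, Any] = dict(
    OLD_REPORT,
    rating="Clean",
    scan_profile="WIN10X64VM",
    vm_image="WIN10X64VM",
    av_signature_version="1.001",
    behaviours=[],  # nothing observed: the sample may not have run at all
)


def load_report(path: str) -> dict[str, Any]:
    """Load an exported report saved as JSON (assumed export format)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def diff_reports(old: dict[str, Any], new: dict[str, Any]) -> dict[str, dict[str, tuple[Any, Any]]]:
    """Return {checklist item: {field: (old value, new value)}} for every
    checklist field that differs. Refuses to compare different samples,
    since that comparison says nothing about the scan environment."""
    if old.get("sample_sha256") != new.get("sample_sha256"):
        raise ValueError("reports are for different samples")
    findings: dict[str, dict[str, tuple[Any, Any]]] = {}
    for item, fields in CHECKLIST.items():
        changed = {f: (old.get(f), new.get(f)) for f in fields if old.get(f) != new.get(f)}
        if changed:
            findings[item] = changed
    return findings


def lost_detection(old: dict[str, Any], new: dict[str, Any]) -> bool:
    """True when the earlier report rated the sample Malicious and the later did not."""
    return old.get("rating") == "Malicious" and new.get("rating") != "Malicious"


def summarize(old: dict[str, Any], new: dict[str, Any]) -> list[str]:
    """Human-readable findings, one per checklist item that changed."""
    lines = []
    for item, changed in diff_reports(old, new).items():
        details = ", ".join(f"{f}: {a!r} -> {b!r}" for f, (a, b) in changed.items())
        lines.append(f"{item}: {details}")
    # Behaviours vanished together with the verdict: the sample probably never
    # executed (wrong VM, dead C&C, time bomb), so step 5 (VM Interaction /
    # Scan Video) is the next thing to check.
    if lost_detection(old, new) and old.get("behaviours") and not new.get("behaviours"):
        lines.append("no behaviours in the new report: sample may not have executed; "
                     "check VM Interaction / Scan Video and C&C reachability")
    return lines


if __name__ == "__main__":
    for line in summarize(OLD_REPORT, NEW_REPORT):
        print(line)
```

The output points at the scan profile and the AV signature as the only environment differences, and flags the empty behaviour list, which is exactly the evidence you want in hand before opening a case with Fortinet Support or submitting the sample.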