Records virus attacks.

Sample Events

date=2020-03-29 time=16:51:27 logid=0201009233 type=utm subtype=virus level=notice devid=FGXXXXXXXXXX vd=root msg="File submitted to Sandbox." action=analytics service=HTTP srcip=1.1.1.1 dstip=2.2.2.2 srcport=51779 dstport=80 sessionid=2013193656 direction=incoming filename=file.exe quarskip=No-skip url=https://dl.google.com/release2/JYM2KPQ8t30/file.exe profile=AV-Profile agent=Mozilla/5.0 proto=6 eventtype=analytics analyticscksum=52b0dda51113acec993dbbb40a2ff7f1024d0fc998de2d61d6b479ffe26d9be4 analyticssubmit=true policyid=510 srcintf=portXX dstintf=portXX devname=HA_Perimetral

date=2020-05-22 time=15:30:29 devname="PSA-OR-FTGW001" devid="FGVM4VTM20001228" logid="0201009238" type="utm" subtype="virus" eventtype="analytics" level="notice" vd="root" eventtime=1590132630730688566 tz="+0800" srcip=1.1.1.1 dstip=2.2.2.2 srcport=23456 dstport=20 action="monitored" service="http" filename="test-fsa.exe" fsaverdict="malicious" analyticscksum="47fd6cadce503e53ad2c543eb728ae2d017277afb3db6b16954e49ac1cf4cc20" dtype="fortisandbox"

date=2019-04-09 time=15:19:02 logid="0204008202" type="utm" subtype="virus" eventtype="outbreak-prevention" level="warning" vd="vdom1" eventtime=1554848342519005401 msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="SMB" sessionid=177 srcip=10.1.100.11 dstip=172.16.200.44 srcport=37444 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="outbreak\zhvo_test.com" quarskip="File-was-not-quarantined." virus="503e99fe40ee120c45bc9a30835e7256fff3e46a" dtype="File Hash" filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" profile="av" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

date=2018-07-30 time=13:59:41 logid="0207008212" type="utm" subtype="virus" eventtype="malware-list" level="warning" vd="root" eventtime=1532984381 msg="Blocked by local malwarelist." action="blocked" service="HTTP" sessionid=174963 srcip=192.168.101.20 dstip=172.16.67.148 srcport=37045 dstport=80 srcintf="lan" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="mhash_block.com" checksum=" 90f0cb57" quarskip="No-skip" virus="mhash_block.com" dtype="File Hash" filehash="93bdd30bd381b018b9d1b89e8e6d8753" filehashsrc="test_list" url="http://172.16.67.148/mhash_block.com" profile="mhash_test" agent="Firefox/43.0" analyticssubmit="false"

date=2019-05-13 time=11:45:03 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1557773103767393505 msg="File is infected." action="blocked" service="HTTP" sessionid=359260 srcip=10.1.100.11 dstip=172.16.200.55 srcport=60446 dstport=80 srcintf="port12" srcintfrole="undefined" dstintf="port11" dstintfrole="undefined" policyid=4 proto=6 direction="incoming" filename="eicar.com" quarskip="File-was-not-quarantined." virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="http://172.16.200.55/virus/eicar.com" profile="g-default" agent="curl/7.47.0" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

date=2020-05-22 time=15:30:29 devname="PSA-OR-FTGW001" devid="FGVM4VTM20001228" logid="0212008448" type="utm" subtype="virus" eventtype="filename" level="warning" vd="root" eventtime=1590132630730420619 tz="+0800" policyid=1 msg="File is blocked." action="passthrough" service="MM1" sessionid=10003 srcip=1.1.1.1 dstip=2.2.2.2 srcport=10003 dstport=20 srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" proto=6 vrf=32 direction="incoming" filefilter="file-pattern" filetype="ignored" filename="file_test" checksum="12345" quarskip="No-quarantine-for-HTTP-GET-file-pattern-block." user="user" group="group" crscore=5 craction=2 crlevel="low"

date=2014-05-14 time=06:34:20 devname=JLL_FW devid=FG200B3910602686 logid=0213008705 type=utm subtype=virus eventtype=oversize level=notice vd="root" msg="Size limit is exceeded." status="passthrough" service="http" srcip=192.168.100.74 dstip=206.111.1.82 srcport=3935 dstport=80 srcintf="port1" dstintf="port2" policyid=75 identidx=3 sessionid=2727880 url="http://r7---sn-mv-hp5e.c.pack.google.com/edgedl/chrome/win/A9D81880A47854C4/34.0.1847.137_chrome_installer.exe?cms_redirect=yes&expire" profiletype="Protocol_Options_Profile" profile="Protocol" user="CAROLINAM" agent="Google"

date=2015-08-05 time=12:57:09 devname=StL devid=FWF90D3Z13001081 logid=0262008961 type=utm subtype=virus eventtype=scanerror level=notice vd="root" msg="File reached uncompressed size limit." action=passthrough service=HTTP sessionid=26150331 srcip=192.168.123.177 dstip=69.164.20.141 srcport=51586 dstport=80 srcintf="internal" proto=6 direction=incoming filename="mpas-fe_d6fd08cef83c1b4a54c75c3fa873afc2f7e30fc1.exe" quarskip=No-skip url="http://0005a8-1.l.windowsupdate.com/llnhost_au.download.windowsupdate.com/d/[...]/mpas-fe_d6fd08cef83c1b4a54c75c3fa873afc2f7e30fc1.exe" profile="default" user="" agent="Microsoft" analyticscksum="bfc1c907f87eadaac226113105ed9d5deb45857211cc36d3337caca8d20d119a" analyticssubmit=false crscore=50 crlevel=critical

Fields

Field            Description
DATE             Event date, in the format YYYY-MM-DD
TIME             Event time, in the format HH:MM:SS
SYSTEM           The source system
TABLE            FortiGateAntivirus
CRITICALITY
LOGID            Unique 10-digit identifier for the log entry, composed of the log type, the subtype/event type and the message ID
TYPE             Represented by the first two digits of the log ID
SUBTYPE          Represented by the first or second pair of digits of the log ID
EVENTTYPE        Represented by the second pair of digits of the log ID
DEVNAME
DEVID            Serial number of the device at the traffic's origin
LEVEL            Security level rating
VD               Name of the virtual domain in which the log message was recorded
EVENTTIME        Epoch time at which the log was triggered by FortiGate
TZ
ACTION           The security action performed by Antivirus
SERVICE          Proxy service that scanned this traffic
SESSIONID        Session ID
SRCIP            Source IP address
DSTIP            Destination IP address
SRCPORT          Source port
DSTPORT          Destination port
SRCINTF          Source interface
DSTINTF          Destination interface
SRCINTFROLE
DSTINTFROLE
POLICYID         Policy ID
PROTO            Protocol number
VRF
DIRECTION        Direction of the message/packets
FILEFILTER       The filter used to identify the affected file
FILETYPE         File type
FILENAME         File name
CHECKSUM         The checksum of the scanned file
FSAVERDICT
QUARSKIP         Quarantine skip explanation
USER             Username (authentication)
GROUP            Group name (authentication)
VIRUS            Virus name
DTYPE            Data type for virus category
REF              The URL of the FortiGuard IPS database entry for the attack
VIRUSID          Virus ID (unique virus identifier)
FILEHASH
FILEHASHSRC
URL              The URL
PROFILE          The name of the profile that was used to detect and take action
PROFILETYPE
AGENT            User agent, e.g. agent="Mozilla/5.0"
ANALYTICSCKSUM   The checksum of the file submitted for analytics
ANALYTICSSUBMIT  The flag for analytics submission
CRSCORE          Client Reputation Score
CRACTION
CRLEVEL          Client Reputation Level
MSG              Log message
SNAREDATAMAP     All other data in the event is placed in this field
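As an added example (not part of this page, nor code from Fortinet or a Snare product), a Python parser for the key=value format of the sample events above: it maps the keys documented in the field table onto the uppercase column names, collects any other key into SNAREDATAMAP, and splits LOGID into the digit groups the table describes. The column set and the shortened sample line are assumptions constructed from this page.

```python
import re
from typing import Dict, Tuple

# Constructed sample (not captured from a live device): a shortened copy of the
# "infected" event shown above, mixing quoted and unquoted values.
SAMPLE = (
    'date=2019-05-13 time=11:45:03 logid="0211008192" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" vd="vdom1" msg="File is infected." '
    'action="blocked" srcip=10.1.100.11 dstip=172.16.200.55 filename="eicar.com" '
    'virus="EICAR_TEST_FILE" analyticssubmit="false" crscore=50 crlevel="critical"'
)

# Columns documented in the field table; any other key is kept in SNAREDATAMAP.
KNOWN = {
    "date", "time", "logid", "type", "subtype", "eventtype", "devname", "devid",
    "level", "vd", "eventtime", "tz", "action", "service", "sessionid", "srcip",
    "dstip", "srcport", "dstport", "srcintf", "dstintf", "srcintfrole", "dstintfrole",
    "policyid", "proto", "vrf", "direction", "filefilter", "filetype", "filename",
    "checksum", "fsaverdict", "quarskip", "user", "group", "virus", "dtype", "ref",
    "virusid", "filehash", "filehashsrc", "url", "profile", "profiletype", "agent",
    "analyticscksum", "analyticssubmit", "crscore", "craction", "crlevel", "msg",
}

# key=value where the value is either double-quoted (may hold spaces, backslash
# escapes such as a Windows path, or be empty) or an unquoted run up to whitespace.
_KV = re.compile(r'([A-Za-z][\w-]*)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')


def parse_event(line: str) -> Dict[str, object]:
    """Map one FortiGate virus log line onto the documented uppercase columns."""
    record: Dict[str, object] = {}
    extra: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if key in KNOWN:
            record[key.upper()] = value
        else:
            extra[key] = value          # undocumented keys, per SNAREDATAMAP
    record["SNAREDATAMAP"] = extra
    return record


def logid_parts(logid: str) -> Tuple[str, str, str]:
    """Split the 10-digit log ID into (type, subtype/event type, message ID),
    following the digit positions given in the field table."""
    if len(logid) != 10 or not logid.isdigit():
        raise ValueError(f"log ID must be 10 digits: {logid!r}")
    return logid[:2], logid[2:4], logid[4:]
```

Quoted values keep their leading spaces (compare the checksum=" 90f0cb57" sample above), so normalise downstream rather than in the parser if a field is later used for matching.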

Notes

Log Message Reference Documentation: https://docs.fortinet.com/document/fortigate/6.4.2/fortios-log-message-reference