Quarantine
Within the Log & Report menu, you can view detailed information about each quarantined file. The list can be sorted or filtered, depending on what you want to view.
Quarantine must be enabled in an antivirus profile, and the quarantine destination must be configured in the CLI using the config antivirus quarantine command. The destination can be either a FortiAnalyzer unit or the local disk.
Sort the files by file name, date, service, status, duplicate count (DC), or time to live (TTL). Filter the list to view only quarantined files with a specific status or from a specific service.
On Log & Report > Quarantine, the file quarantine list displays the following information about each quarantined file.
 
Quarantine page
Lists all files quarantined by the unit. You can filter the list so that only specific files are displayed.
 
GUI Item
Description
Source
Either FortiAnalyzer or Local disk, depending on where you configured quarantined files to be stored.
Sort by
Sort the list. Choose from: Status, Service, File Name, Date, TTL, or Duplicate Count. Select Apply to complete the sort.
Filter
Filter the list. Choose either Status (infected, blocked, or heuristics) or Service (IMAP, POP3, SMTP, FTP, HTTP, MM1, MM3, MM4, MM7, IM, or NNTP). Select Apply to complete the filtering. Heuristics mode is configurable through the CLI only.
If your unit supports SSL content scanning and inspection, Service can also be IMAPS, POP3S, SMTPS, or HTTPS. For more information, see the Security Features chapter of the FortiOS Handbook.
Apply
Select to apply the sorting and filtering selections to the list of quarantined files.
Delete
Select to delete the selected files.
Page Controls
Use the controls to page through the list.
Remove All Entries
Removes all quarantined files from the local hard disk.
This icon only appears when the files are quarantined to the hard disk.
File Name
The file name of the quarantined file. When a file is quarantined, all spaces are removed from the file name (the example below also shows the name in lower case), and a 32-bit checksum of the file is computed. The checksum appears in the replacement message but is not stored in the quarantined file itself. The file is stored on the unit's hard disk with the following naming convention:
<32bit_CRC>.<processed_filename>
For example, a file named Over Size.exe is stored as 3fc155d2.oversize.exe.
Date
The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm. When duplicates are quarantined, this value is the time the first copy was quarantined.
Service
The service from which the file was quarantined (HTTP, FTP, IMAP, POP3, SMTP, MM1, MM3, MM4, MM7, IM, NNTP, IMAPS, POP3S, SMTPS, or HTTPS).
Status
The reason the file was quarantined: infected, heuristics, or blocked.
Status Description
Specific information related to the status, for example, “File is infected with “W32/Klez.h”” or “File was stopped by file block pattern.”
DC
Duplicate count: how many copies of the same file have been quarantined. A rapidly increasing count can indicate a virus outbreak.
TTL
Time to live, in the format hh:mm. When the TTL elapses, the unit labels the file EXP under the TTL heading. For duplicate files, each duplicate found refreshes the TTL.
The TTL information is not available if the files are quarantined on a FortiAnalyzer unit.
Upload status
Y indicates the file has been uploaded to Fortinet for analysis; N indicates it has not.
This option is available only if the Fortinet unit has a local hard disk.
Download
Select to download the corresponding file in its original format.
This option is available only if the Fortinet unit has a local hard disk.
Submit
Select to upload a suspicious file to Fortinet for analysis.
This option is available only if the Fortinet unit has a local hard disk.
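The file naming convention, the Date, DC and TTL semantics, and the Sort and Filter controls described above, modelled in Python as an added example (this is not FortiOS code and does not read a real quarantine). Assumptions the page does not state: the 32-bit checksum is taken to be CRC-32 as computed by zlib.crc32; the processed file name is lower-cased as well as stripped of spaces, which is what the page's own example (Over Size.exe becoming 3fc155d2.oversize.exe) shows; the quarantine events fed in are constructed sample data.

```python
"""Model of the Log & Report > Quarantine list. Added example, not FortiOS code.
Assumptions: CRC-32 (zlib.crc32) as the 32-bit checksum, lower-casing of the
processed name, and constructed sample events."""
import zlib
from datetime import datetime, timedelta


def stored_name(original_name: str, content: bytes) -> str:
    """Name the file is stored under: <32bit_CRC>.<processed_filename>."""
    processed = original_name.replace(" ", "").lower()   # lower-casing is an assumption
    crc = zlib.crc32(content) & 0xFFFFFFFF                # CRC-32 is an assumption
    return f"{crc:08x}.{processed}"


def parse_stored_name(name: str) -> tuple:
    """Split a stored name back into (checksum, processed file name)."""
    crc, _, processed = name.partition(".")
    if len(crc) != 8 or set(crc) - set("0123456789abcdef"):
        raise ValueError(f"not a quarantine file name: {name!r}")
    return crc, processed


class QuarantineEntry:
    """One row of the quarantine list; duplicates fold into the same row."""

    def __init__(self, name, first_seen, service, status, description, ttl):
        self.file_name = name
        self.date = first_seen          # time the FIRST copy was quarantined
        self.service = service
        self.status = status            # infected, heuristics or blocked
        self.description = description  # the Status Description column
        self.dc = 1                     # duplicate count
        self.ttl = ttl
        self.expires_at = first_seen + ttl

    def duplicate_seen(self, when):
        """A duplicate bumps DC and refreshes the TTL; Date stays at first quarantine."""
        self.dc += 1
        self.expires_at = when + self.ttl

    def date_column(self) -> str:
        return self.date.strftime("%d/%m/%Y %H:%M")      # dd/mm/yyyy hh:mm

    def ttl_column(self, now) -> str:
        """Remaining hh:mm, or EXP once the TTL has elapsed."""
        remaining = self.expires_at - now
        if remaining <= timedelta(0):
            return "EXP"
        hours, rest = divmod(int(remaining.total_seconds()), 3600)
        return f"{hours:02d}:{rest // 60:02d}"


def build_list(events, ttl):
    """Fold (time, name, content, service, status, description) events into rows."""
    rows = {}
    for when, name, content, service, status, description in events:
        key = stored_name(name, content)
        if key in rows:
            rows[key].duplicate_seen(when)
        else:
            rows[key] = QuarantineEntry(key, when, service, status, description, ttl)
    return list(rows.values())


SORT_KEYS = {   # the Sort by choices on the page
    "File Name": lambda e: e.file_name, "Date": lambda e: e.date,
    "Service": lambda e: e.service, "Status": lambda e: e.status,
    "DC": lambda e: e.dc, "TTL": lambda e: e.expires_at,
}


def filter_entries(entries, status=None, service=None):
    """The Filter control: by Status and/or Service."""
    return [e for e in entries if (status is None or e.status == status)
            and (service is None or e.service == service)]


def sort_entries(entries, key, descending=False):
    return sorted(entries, key=SORT_KEYS[key], reverse=descending)


def outbreak_candidates(entries, min_dc):
    """Rows whose DC has reached min_dc: the outbreak indicator the page mentions."""
    return [e for e in entries if e.dc >= min_dc]


# Constructed sample events (not real quarantine data). b"123456789" is the
# standard CRC-32 check string, whose checksum is cbf43926.
T0 = datetime(2012, 3, 14, 9, 30)
TTL = timedelta(hours=24)
NOW = T0 + timedelta(hours=3)            # viewing the list 3 h after the first event
AFTER_EXPIRY = T0 + timedelta(hours=27)  # every TTL below has elapsed by then
KLEZ = ("SMTP", "infected", "File is infected with W32/Klez.h")
EVENTS = [
    (T0, "Over Size.exe", b"123456789") + KLEZ,
    (T0 + timedelta(minutes=30), "report.pdf", b"%PDF-1.4 sample", "FTP", "blocked",
     "File was stopped by file block pattern."),
    (T0 + timedelta(hours=1), "Over Size.exe", b"123456789") + KLEZ,
    (T0 + timedelta(hours=2), "Over Size.exe", b"123456789") + KLEZ,
]

if __name__ == "__main__":
    for e in sort_entries(build_list(EVENTS, TTL), "DC", descending=True):
        print(f"{e.file_name:<24} {e.date_column()}  {e.service:<5} {e.status:<8} "
              f"DC={e.dc} TTL={e.ttl_column(NOW)}  {e.description}")
```

Run as a script, the sorted list shows the .exe row with DC=3 and a TTL of 23:00 at NOW (refreshed by the duplicate at T0+2h rather than counting from the Date column), and the blocked PDF at 21:30; at AFTER_EXPIRY both read EXP.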