Article Id 197915

What is heuristic scanning?

Heuristic scanning is a method of identifying unwanted email content, namely viruses and spam. Both FortiGate and FortiMail use heuristic scanning.

FortiGate

Heuristic scanning is a technique used to catch viruses. While traditional signature-based systems rely on predefined virus signatures to catch viruses, heuristics look at the construction of files for characteristics commonly found in viruses. As a file is examined, the virus-like attributes are totalled. If the number of virus-like attributes passes a threshold, the file is marked as 'suspicious'. Heuristic scanning only examines Microsoft Windows executable files (Windows Portable Executable files), typically ending with an 'exe' extension.

The default settings of FortiGate units have heuristic virus scanning enabled, but suspicious files are allowed to pass because of the possibility of false positives. Using CLI commands, you can disable heuristics entirely, or set suspicious files to be blocked or passed. Files marked as suspicious can be quarantined, and even automatically uploaded to the FortiGuard Center for analysis, depending on settings. For detailed information, see the config antivirus heuristic and config antivirus quarantine commands in the FortiGate CLI Reference.

FortiMail

Heuristic filtering in FortiMail uses a scoring technique based on predetermined terms and words. The rules are broken down into five categories: header, body, raw body, URI, and metadata. Each rule has an individual score that contributes to the total score for an email. To determine whether an email is spam, the heuristic filter examines the message and adds the score of each rule that applies to get a total score for that email. If the total is greater than or equal to the upper threshold, the mail is classified as spam and processed accordingly. See the FortiMail Administration Guide and FortiMail Install Guide for more information.
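The scoring model described above, shown as an added Python example that is not FortiMail's own code: one hypothetical rule per category (header, body, raw body, URI, metadata), each with a constructed score, summed over a constructed sample message and compared against an assumed upper threshold.

```python
import email
import re
from email import policy

# Constructed sample message used as input; not a real spam sample.
SAMPLE_EMAIL = """\
From: "Promo Desk" <promo@example.invalid>
To: user@example.invalid
Subject: RE: You have WON a prize!!!
X-Mailer: BulkBlaster
Content-Type: text/plain

Click here to claim: http://198.51.100.23/claim
This is a 100% risk-free offer, act NOW.
"""

def body_text(msg):
    """Plain-text body of the message, or '' if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""

# Hypothetical rules, one per FortiMail category; names and scores are
# constructed for illustration and are not FortiMail's real rule set.
RULES = [
    ("header",   "subject_shouts",     2.0, lambda m: "!!!" in (m["Subject"] or "")),
    ("header",   "fake_reply_prefix",  1.5, lambda m: (m["Subject"] or "").startswith("RE:") and "In-Reply-To" not in m),
    ("body",     "risk_free_phrase",   2.5, lambda m: "risk-free" in body_text(m).lower()),
    ("raw_body", "all_caps_urgency",   1.0, lambda m: re.search(r"\b(NOW|WON)\b", body_text(m)) is not None),
    ("uri",      "bare_ip_link",       3.0, lambda m: re.search(r"https?://\d{1,3}(\.\d{1,3}){3}", body_text(m)) is not None),
    ("metadata", "bulk_mailer_header", 1.5, lambda m: "bulk" in (m["X-Mailer"] or "").lower()),
]

def score_message(raw, rules=RULES):
    """Sum the scores of every rule that fires; return (total, matched rule names)."""
    msg = email.message_from_string(raw, policy=policy.default)
    total, hits = 0.0, []
    for category, name, score, test in rules:
        if test(msg):
            total += score
            hits.append(f"{category}:{name}")
    return total, hits

def classify(raw, upper_threshold=8.0, rules=RULES):
    """Spam when the total score is greater than or equal to the upper threshold."""
    total, hits = score_message(raw, rules)
    return ("spam" if total >= upper_threshold else "not spam"), total, hits
```

The upper threshold value of 8.0 is an assumption for the example; raising it shows how the same scores fall below the cut-off.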

See also

  • How do I enable heuristic scanning?
  • How do I configure heuristic scanning?
  • FortiMail heuristic scanning threshold setting
