What is heuristic scanning?
Heuristic scanning is a method of identifying unwanted email, whether it carries viruses or spam. Both FortiGate and FortiMail use heuristic scanning.
Heuristic scanning is a technique used to catch viruses. While traditional signature-based systems rely on predefined virus signatures to catch viruses, heuristic scanning looks at the construction of a file for characteristics commonly found in viruses. As a file is examined, the virus-like attributes are totalled. If the total number of virus-like attributes exceeds a threshold, the file is marked as 'suspicious.' Heuristic scanning only examines Microsoft Windows executable files (Windows Portable Executable files), typically ending with an 'exe' extension.
The default settings of FortiGate units have heuristic virus scanning enabled, but suspicious files are allowed to pass because of the possibility of false positives. Using CLI commands, you can disable heuristics entirely, or set suspicious files to be blocked or passed. Files marked as suspicious can be quarantined, and even automatically uploaded to the FortiGuard Center for analysis, depending on settings. For detailed information, see the
Heuristic filtering in FortiMail uses a scoring technique based on predetermined terms and words. The rules are broken down into five categories: header, body, raw body, URI, and metadata. Each rule has an individual score used to calculate the total score for an email. To determine if an email is spam, the heuristic filter looks at an email message and adds the score for each rule that applies to get a total score for that email. If the total is greater than or equal to the upper threshold, the mail is classified as spam and processed accordingly. See the FortiMail Administration Guide and FortiMail Install Guide for more information.
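The additive scoring model described above for FortiMail spam filtering (per-rule scores in the header, body, raw body, URI and metadata categories, summed and compared against an upper threshold) is the same shape as the attribute-counting model described earlier for heuristic virus scanning. The following Python is an added illustration of that model, not Fortinet's code: the rule names, scores, the 5.0 threshold and the two sample messages are all constructed for this example, and the header parser assumes simple unfolded headers separated from the body by one blank line.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed threshold: FortiMail's real rule scores and thresholds are not
# on the page, so every number in this example is illustrative only.
UPPER_THRESHOLD = 5.0


@dataclass(frozen=True)
class Rule:
    name: str
    category: str                 # header, body, raw_body, uri or metadata
    score: float
    match: Callable[[dict], bool]  # returns True when the rule applies


def parse_message(raw: str) -> dict:
    """Split a raw RFC 822-style message into the parts the rule categories inspect.
    Assumes unfolded headers and a single blank line before the body."""
    head, _, body = raw.partition("\n\n")
    headers: Dict[str, str] = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    uris = re.findall(r"https?://[^\s<>\"']+", body)
    return {
        "headers": headers,
        "body": body.strip(),
        "raw_body": body,  # untouched body, for rules that look at raw formatting
        "uris": uris,
        "metadata": {"size": len(raw), "uri_count": len(uris)},
    }


# A URI whose host is a bare IPv4 address rather than a hostname.
IP_HOST = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?:[/:]|$)")

# Constructed rule set: one or two rules per category, each with its own score.
RULES: List[Rule] = [
    Rule("missing_message_id", "header", 1.5,
         lambda m: "message-id" not in m["headers"]),
    Rule("subject_all_caps", "header", 1.0,
         lambda m: m["headers"].get("subject", "").isupper()),
    Rule("urgency_phrase", "body", 2.0,
         lambda m: re.search(r"\bact now\b", m["body"], re.I) is not None),
    Rule("excess_exclamation", "raw_body", 0.5,
         lambda m: m["raw_body"].count("!") >= 3),
    Rule("ip_address_uri", "uri", 2.5,
         lambda m: any(IP_HOST.match(u) for u in m["uris"])),
    Rule("short_body_with_link", "metadata", 0.5,
         lambda m: m["metadata"]["uri_count"] > 0 and len(m["body"]) < 120),
]


def score_message(raw: str, rules: List[Rule] = RULES,
                  threshold: float = UPPER_THRESHOLD) -> Tuple[float, List[str], bool]:
    """Add the score of every rule that applies; spam if the total reaches the threshold."""
    msg = parse_message(raw)
    matched = [r for r in rules if r.match(msg)]
    total = sum(r.score for r in matched)
    return total, [f"{r.category}:{r.name}" for r in matched], total >= threshold


# Constructed sample messages (example.test and 192.0.2.10 are reserved documentation values).
SPAM_MESSAGE = "\n".join([
    "From: promo@example.test",
    "Subject: YOU HAVE WON A PRIZE",
    "Date: Mon, 1 Jan 2024 00:00:00 +0000",
    "",
    "Act now!!! Claim your reward at http://192.0.2.10/claim before it expires!!!",
    "",
])

HAM_MESSAGE = "\n".join([
    "From: alice@example.test",
    "To: bob@example.test",
    "Message-ID: <abc123@example.test>",
    "Subject: Minutes from the Tuesday meeting",
    "",
    "Hi Bob,",
    "",
    "Attached are the minutes. The action items are on page two; let me know",
    "if I missed anything. Slides are at https://intranet.example.test/meetings/2024-01.",
    "",
    "Thanks,",
    "Alice",
    "",
])

if __name__ == "__main__":
    for label, raw in (("spam sample", SPAM_MESSAGE), ("ham sample", HAM_MESSAGE)):
        total, hits, is_spam = score_message(raw)
        print(f"{label}: score={total} spam={is_spam} rules={hits}")
```

Each matched rule is reported with its category, so an operator tuning the filter can see which category is driving a verdict; lowering the threshold catches more spam at the cost of more false positives, which is the same trade-off the FortiGate default of passing suspicious files reflects for the virus heuristics.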