What is heuristic scanning?


Heuristic scanning is a method of identifying unwanted email, both viruses and spam. FortiGate and FortiMail use heuristic scanning.


Heuristic scanning is a technique used to catch viruses. While traditional signature-based systems rely on predefined virus signatures, heuristics looks at the construction of files for characteristics commonly found in viruses. As a file is examined, the virus-like attributes are totalled. If the number of virus-like attributes passes a threshold, the file is marked as 'suspicious'. Heuristic scanning only examines Microsoft Windows executable files (Windows Portable Executable files), typically ending with an 'exe' extension.

The default settings of FortiGate units have heuristic virus scanning enabled, but suspicious files are allowed to pass because of the possibility of false positives. Using CLI commands, you can disable heuristics entirely, or set suspicious files to be blocked or passed. Files marked as suspicious can be quarantined, and even automatically uploaded to the FortiGuard Center for analysis, depending on settings. For detailed information, see the config antivirus heuristic and config antivirus quarantine commands in the FortiGate CLI Reference.


Heuristic filtering in FortiMail uses a scoring technique based on predetermined terms and words. The rules are broken down into five categories: header, body, raw body, URI, and metadata. Each rule has an individual score used to calculate the total score for an email. To determine if an email is spam, the heuristic filter looks at an email message and adds the score for each rule that applies to get a total score for that email. If the total is greater than or equal to the upper threshold, the mail is classified as spam and processed accordingly. See the FortiMail Administration Guide and FortiMail Install Guide for more information.
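
The scoring described above, as an added example (not Fortinet's code or rule set): it sums the scores of matching rules across the five categories and compares the total with the upper threshold. The rule names, scores, the threshold of 5.0 and both sample messages are constructed, and reading "metadata" as a whole-message property is an assumption.

```python
import re
from email import message_from_string

# Constructed rules for the five categories named on the page. Names, scores and
# predicates are hypothetical; FortiMail's real rule set is not shown here.
RULES = [
    ("header", "subject_all_caps", 1.5, lambda v: v["subject"].isupper()),
    ("header", "missing_message_id", 1.0, lambda v: not v["message_id"]),
    ("body", "urgency_phrase", 2.0,
     lambda v: re.search(r"\bact now\b", v["body"], re.I) is not None),
    ("raw body", "comment_padding", 1.0, lambda v: v["raw_body"].count("<!--") >= 3),
    ("URI", "ip_literal_link", 2.5,
     lambda v: any(re.match(r"https?://\d+(\.\d+){3}", u) for u in v["uris"])),
    # Assumption: "metadata" is read here as a property of the message as a whole.
    ("metadata", "html_only", 0.5, lambda v: v["content_type"] == "text/html"),
]

def build_view(raw):
    """Split one single-part message into the fields the rules inspect."""
    msg = message_from_string(raw)
    raw_body = msg.get_payload()
    # "body" is the text as rendered: HTML comments dropped, tags turned into spaces.
    body = re.sub(r"<[^>]+>", " ", re.sub(r"<!--.*?-->", "", raw_body, flags=re.S))
    return {"subject": msg.get("Subject", ""), "message_id": msg.get("Message-ID", ""),
            "raw_body": raw_body, "body": body,
            "uris": re.findall(r"https?://[^\s\"'<>]+", raw_body),
            "content_type": msg.get_content_type()}

def score_email(raw, upper_threshold):
    """Return (total, is_spam, hits); spam when total >= upper_threshold."""
    view = build_view(raw)
    hits = [(cat, name, score) for cat, name, score, test in RULES if test(view)]
    total = sum(score for _, _, score in hits)
    return total, total >= upper_threshold, hits

# Constructed sample messages (example.test and 192.0.2.10 are reserved test values).
SPAM = """\
From: promo@example.test
Subject: LAST CHANCE OFFER
Content-Type: text/html

<html><!--a--><!--b--><!--c--><p>Act <!--x-->now to claim</p>
<a href="http://192.0.2.10/claim">here</a></html>
"""
HAM = ("From: alice@example.test\nSubject: Meeting notes\n"
       "Message-ID: <1@example.test>\n\nNotes: https://example.test/notes\n")

if __name__ == "__main__":
    for raw in (SPAM, HAM):
        print(score_email(raw, upper_threshold=5.0))
```

The "body" rule fires on the first sample even though the phrase never appears contiguously in the raw body, which is why the two are scored as separate categories.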

See also

  • How do I enable heuristic scanning?
  • How do I configure heuristic scanning?
  • FortiMail heuristic scanning threshold setting
Last Modified Date: 10-07-2009 Document ID: 11008