Submitting a Suspect File to FortiGuard Team
If you would like to send a suspect file to Fortinet, but you're not sure how to isolate a sample or compress/encrypt it for safe transfer over email, this page may be of interest to you.
Sending a file you suspect of being a virus - 'as-is' - over email is not a good idea, not even if the file is innocently sent to an antivirus research lab. Indeed, sending viruses across email is not a good idea in general, but security professionals have developed procedures designed to safely and efficiently handle the task.
The following instructions allow an individual to create an archive of a sample, ensuring that it has been encrypted and compressed. When combined and properly used, encryption and compression ensure that a sample safely and efficiently travels from your clean computer to our antivirus researchers.
The instructions assume that you have already won the battle of isolating the suspect file(s). They also assume that you are working from a clean computer capable of sending email with attachments.
Please note that Fortinet accepts, and can readily decompress, the .RAR and .ZIP file compression formats. Sending samples compressed in a little-known file format may cause difficulties in gaining access to the suspect sample(s).
The programs RAR, WinRAR, PKZIP or WinZip can create compressed and encrypted archive files with great ease and efficiency. We hope that you find the following instructions on how to create a password-protected compressed .ZIP or .RAR file helpful.
WinRAR is a widely available commercial product. A trial version is generally available at http://www.rarlabs.com.
The following instructions assume that you have WinRAR installed. For our example, we use the trial version of WinRAR v2.90, but other Windows-based versions of WinRAR are similar in options, appearance, etc.
The following instructions assume that you are able to create a WinRAR archive by right clicking on a file when in Windows Explorer.
- Step 1: Open Windows Explorer.
- Step 2: Navigate to the folder in which your suspect file resides.
- Step 3: In the right hand panel of Windows Explorer, right-click once on the suspect file.
- Step 4: click 'Add to archive'.
NOTE: There may exist another WinRAR-related option to create an archive of the same filename. Do not select this option. It will create a non-password protected (unencrypted) file.
Clicking 'Add to archive' brings up the WinRAR GUI. Leaving everything at its default setting is recommended in this step; however, it is on this first page where you may choose a different file name for your archive, choose to compress in the .ZIP format (vs. .RAR), etc.
- Step 5: Change to Advanced option page by clicking on the 'Advanced' tab.
- Step 6: Assuming you are using a similar version of WinRAR, from the Advanced page you should see a button/option that says "Set password". Click this button.
- Step 7: Once you arrive at the password entry dialog box, type in the password. When sending samples to Fortinet, please use the password: "infected" (don't add the quotes). Verify the password by retyping it, and then click OK.
Finding yourself back at the Advanced tab, click the OK button.
This completes the exercise of compressing a suspect file into a password protected RAR archive. If you chose to name the archive (as suggested by WinRAR) the same name as the file you were compressing, Explorer should now show two files of the same name, one with the extension of ".RAR".
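Before attaching the archive, it is worth confirming that it really is password-protected, since the other WinRAR menu option mentioned above produces an unencrypted file. The following Python script is an added example (not part of the original page or a Fortinet tool) that inspects a .ZIP archive with the standard library, reports any member stored in the clear, and checks that the encrypted members open with the agreed password "infected". It assumes the submission is a .ZIP (the .RAR format has no standard-library parser); the only archive it builds itself is a constructed, harmless stand-in used to show the failing case.

```python
import io
import zipfile

SAMPLE_PASSWORD = b"infected"  # the password the submission page asks for


def check_sample_archive(zip_bytes: bytes, password: bytes = SAMPLE_PASSWORD) -> dict:
    """Inspect a ZIP archive before it is attached to a submission email.

    Returns a dict with:
      members     - every member name in the archive
      unencrypted - members whose general-purpose flag bit 0 is clear,
                    i.e. stored in the clear (what the non-password option makes)
      password_ok - True if every encrypted member decrypts with `password`
    """
    result = {"members": [], "unencrypted": [], "password_ok": True}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            result["members"].append(info.filename)
            if not info.flag_bits & 0x1:  # bit 0 of the flags = entry is encrypted
                result["unencrypted"].append(info.filename)
                continue
            try:
                with zf.open(info, pwd=password) as fh:
                    fh.read()  # reading to the end also forces the CRC check
            except (RuntimeError, zipfile.BadZipFile):
                # zipfile raises RuntimeError on a bad password; a CRC failure
                # after a lucky header match surfaces as BadZipFile
                result["password_ok"] = False
    return result


def ready_to_submit(zip_bytes: bytes, password: bytes = SAMPLE_PASSWORD) -> bool:
    """True only if the archive is non-empty, fully encrypted and opens with the password."""
    r = check_sample_archive(zip_bytes, password)
    return bool(r["members"]) and not r["unencrypted"] and r["password_ok"]


def build_unencrypted_archive(name: str = "suspect.exe") -> bytes:
    """Constructed test input: an archive created without a password (the wrong option)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, b"constructed harmless stand-in for a suspect file")
    return buf.getvalue()


if __name__ == "__main__":
    plain = build_unencrypted_archive()
    print(check_sample_archive(plain))
    print("ready to submit:", ready_to_submit(plain))  # False: member is stored in the clear
```

Point the script at a real archive with `ready_to_submit(open("sample.zip", "rb").read())`; a password-protected archive made with WinRAR's 'Set password' dialog or `zip -P infected` passes, while one made without a password is reported member by member.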
You are now ready to attach the newly created WinRAR (.RAR) archive to an email.
Please send the .RAR file attachment, along with your FortiGate unit serial number (included as part of the body of the message) to:
Note: Fortinet customers need to include their FortiGate unit serial number in the body of the email in order to get a status reply from the lab. If a serial number is not provided, Fortinet researchers will process the sample based on its urgency, but will be unable to update the customer directly.
The following instructions assume that you have received a suspicious email with an even more suspicious attachment. You don't want to actually open the email for fear the attachment may somehow launch, but you want to at least save it.
In the following example, we use Microsoft Outlook 2002. The following instructions also apply very closely to earlier versions of Microsoft Outlook and Microsoft Outlook Express.
- Step 1: Right click the email in the inbox. You will see a pop-out menu appear. Ignore it.
- Step 2: From the pop-down menu at the top of the Outlook application, click "File". Keep the mouse pointer on the pop-down menu after clicking; the complete File pop-down menu will appear momentarily.
- Step 3: From the File pop-down menu, hover over "Save Attachments...". A submenu of all attachments associated with the email message will appear momentarily.
- Step 4: Select one or more attachments to save.
- Step 5: If you suspect the file is a virus, please feel free to submit it to Fortinet, Inc.