Scans

This section includes:

About Scans

The Scans page lets you see information about the scans that were performed by FortiMail Workspace Security.

  • If you select a parent organization, then the Scans page will show all scans that were performed in all child organizations.

  • If you select a child organization, then the Scans page will show the scans that were performed in the selected child organization only.

In addition, you can set various filters to include only specific scans in the displayed list.

To show the Scans page:

  • In FortiMail Workspace Security, in the left navigation menu, select Security Operations > Scans.

Any admin user with the "Member" role [or higher] can access the Scans page.

Views of the Scans page

The Scans page can show three levels of detail for each scan:

Summary

By default, the Scans page shows a list of scans, and a summary of each scan. Use the available controls to filter the list of scans shown, as described in Setting the scan filter below.

Scans-summary page

Preview or Expanded

You can click any scan in the summary list to expand the results to show additional details about the scan. This view lets you perform a quick incident review.

Scans-preview page

Detailed

You can click the Open Scan button [ or ], on the right of any set of scan results, to see comprehensive details about the scan. The detailed view is useful when you are investigating an incident - it enables you to perform a detailed forensic review of the scan. For details on the structure of the Scans-details page, see Scan details structure.

Scans-details page

Setting the scan filter

There are various ways that you can search and filter the scans that appear in the Scans-summary page. For details, see Filtering and searching scans.

Understanding the scan controls [Summary page]

Select one or more scans to display the available controls.

Download scans

Downloads metadata about the selected scan or the selected scans to your computer - in CSV format. You must select one or more scans before you can download them.

Note 1:

To download the actual email [.eml file] - and not just metadata about the email - open the scan and click the Download button. For details, see Download below.

Note 2:

The Download scans functionality and the Export scans functionality [see below] is the same except that:

  • Download scans: Downloads the scan information in a file.

  • Export scans: Exports the scan information to a file - which is then sent by email.

Note 3:

In the downloaded CSV files, all dates and times are in UTC format. This can't be changed. Times may therefore differ from the times that appear in the UI of the Scans page in FortiMail Workspace Security.

Note 4:

You can download a maximum of 5,000 scans at a time. If you try to download more than 5,000 scans, you may see a message similar to the following:

Workaround: If you need to download more than 5,000 scans, try to use the Date Range filter option [and/or any other filter options] to reduce the number of scans in the list to less than 5,000. For example, if there were 12,000 scans from January 2024 until March 2024, use the Date Range [Custom] filter option to first show the scans for January, then February, and then March - making sure to download less than 5,000 scans for each month.

See also: Advanced filters

Export scans

Exports metadata about the selected scan or the selected scans - in CSV format. You must select one or more scans before you can export them. The exported data will be contained in a file that is sent as an attachment to an email that is sent to your email address.

Note 1

The Export scans functionality and the Download scans functionality [see above] is the same except that:

  • Download scans: Downloads the scan information in a file.

  • Export scans: Exports the scan information to a file - which is then sent by email.

Note 2

In the exported CSV files, all dates and times are in UTC format. This can't be changed. Times may therefore differ from the times that appear in the UI of the Scans page.

Note 3

You can export a maximum of 5,000 scans at a time. If you try to export more than 5,000 scans, you may see a message similar to the following:

Workaround: If you need to export more than 5,000 scans, try to use the Date Range filter option [and/or any other filter options] to reduce the number of scans in the list to less than 5,000. For example, if there were 12,000 scans from January 2024 until March 2024, use the Date Range [Custom] filter option to first show the scans for January, then February, and then March - making sure to export less than 5,000 scans for each month.

See also: Advanced filters

Change verdict

Lets you change the verdict of the selected scan or of the selected scans.

  • For details on what happens to an email after the verdict is changed, see Changing Verdicts.

Resend Email

Resends the selected email or the selected emails.

Resending emails is typically performed on emails with failed deliveries.

  • The Resend Email option is available only if the Action that is associated with the scan is not Quarantined.

  • The Resend Email option is not available if the Action that is associated with the scan is Delivered.

    The Resend Email option is therefore not functional with the Microsoft 365 API integration method, where emails are scanned only after they’ve been delivered to the user’s mailbox.

  • The Resend Email option is available for only 24 hours after a scan is performed. After 24 hours, and email can't be resent.

  • The Resend Email option is available for email scans only - not for scans of any other channels.

To list scans for emails with failed deliveries, you can use an Advanced filter:

  1. In the Scans page, make sure to set the correct Date Range.

  2. Open the Advanced filters feature - by clicking the "Advanced Filters" icon [].

  3. Scroll down the list of filter options, and then under Action select Delivery Failed.

  4. Click "Apply Filters" to display the list of scans.

Release email

Releases the selected email or emails from quarantine.

The verdict of the email is not changed - if the verdict is Malicious, then the verdict will remain as Malicious.

Note: If you want to release the email AND change the verdict, use the Change Verdict functionality described above.

The Release email button is enabled only if:

  • All selected scans are for emails that are quarantined.

  • You have the "Admin" role in FortiMail Workspace Security.

Hint: Use the Action > Quarantined advanced filter to ensure that only quarantined emails are displayed. For details, see Advanced filters.

Note:

  • The Release email bulk action is limited to 1,000 items at one time.

  • Released emails should appear immediately in the user's Inbox.

  • An admin role of "Email Flow Manager" or higher is required in order to have permission to release emails from quarantine.

    An "Email Flow Manager" will be able to see only those scans that are currently quarantined.

Delete Email

Deletes the selected email or the selected emails from the recipient's mailbox - without changing the scan verdict.

Details about the deleted scans are not deleted from FortiMail Workspace Security. You can't delete a scan from FortiMail Workspace Security.

Note:

  • The email will be deleted from the recipient's mailbox even if the recipient has moved the email from the Inbox to a different folder in the mailbox.

  • If the recipient has already deleted the email, then the email will remain in the Deleted Items folder or the Trash folder.

  • The Action in the scan will be changed to Quarantined.

  • The Delete Email functionality is available only for Microsoft 365 [Inline and API] and Google Workspace integrations - not for Exchange and "Other" integrations.

  • The Delete Email functionality is available only if the FortiMail Workspace Security remediation app is enabled.

Filter by

Lets you set the filter for the scans that appear in the Scans-summary page. For details, see Filtering and searching scans.

Open scan

or

Opens the Scans-details page to show comprehensive details of the scan.

Understanding the scan controls [Details page]

When you open a scan to display details of the scan, the following controls are available:

Change verdict

Lets you change the verdict of the scan.

  • For details on what happens to an email after the verdict is changed, see Changing Verdicts.

Preview

Shows a preview of the email.

  • Previews are available for emails with malicious, spam, and restricted verdicts - not for emails with clean verdicts.

  • Previews are available for 180 days.

  • By default, previews are not available for emails with clean verdicts. However, after an admin requests an investigation of a clean email, a preview of the email will be available - for 48 hours after the scan was performed. After 48 hours, FortiMail Workspace Security will attempt to retrieve the eml file from the user's Inbox. If the email has already been deleted from the user's mailbox, then the retrieval will fail - and no preview will be available. For details about requesting an investigation, see Requesting an investigation.

    Note: There is initially no email preview available for clean emails because, without any indication of malicious activity, protecting users' privacy is prioritized - requiring the removal of the ability to view the contents or details of an email.

While you preview an email, you can click Download [] to download an eml file of the email.

Note: The downloaded file will have no extension - for security reasons [as the email may be malicious]. To open the file, add an eml extension to the filename.

Screenshots

Shows screenshots of the malicious URLs that are included in the email.

Scan History

Opens the Scan History pane that shows the history of all the changes that have been made to the scan verdict.

Delete Email

Deletes the email from the recipient's mailbox - without changing the scan verdict.

Details about the deleted scan are not deleted from FortiMail Workspace Security. You can't delete a scan from FortiMail Workspace Security.

Note:

  • The email will be deleted from the recipient's mailbox even if the recipient has moved the email from the Inbox to a different folder in the mailbox.

  • If the recipient has already deleted the email, then the email will remain in the Deleted Items folder or the Trash folder.

  • The Action in the scan will be changed to Quarantined.

  • The Delete Email functionality is available only for Microsoft 365 [Inline and API] and Google Workspace integrations - not for Exchange and "Other" integrations.

  • The Delete Email functionality is available only if the FortiMail Workspace Security remediation app is enabled.

Similar scans

Lists similar scans.

Download

Downloads the email or file to your Downloads folder. This may be useful if you want to do further analysis of the email or file. The email or file will be downloaded with a .danger extension appended to it. You can remove the .danger extension - to be left with a .eml file [for emails] that you'll be able to open.

Note:

  • Make sure to open malicious emails in a safe environment, such as a virtual machine.

  • You can't download emails or files that have a clean verdict.

  • The downloaded file will include all attachments to the email.

You can download an attachment to an email. To do so:

  1. Open the required scan in the Scans page - using the Compact view. []

  2. Scroll down to the Links and Attachments section.

  3. Locate and select the required attachment, and then click the Download icon [].

Resend Email

Resends the email.

Resending emails is typically performed on emails with failed deliveries.

  • The Resend Email option is available only if the Action that is associated with the scan is not Quarantined.

  • The Resend Email option is not available if the Action that is associated with the scan is Delivered.

    The Resend Email option is therefore not functional with the Microsoft 365 API integration method, where emails are scanned only after they’ve been delivered to the user’s mailbox.

  • The Resend Email option is available for only 24 hours after a scan is performed. After 24 hours, and email can't be resent.

  • The Resend Email option is available for email scans only - not for scans of any other channels.

To list scans for emails with failed deliveries, you can use an Advanced filter:

  1. In the Scans page, make sure to set the correct Date Range.

  2. Open the Advanced filters feature - by clicking the "Advanced Filters" icon [].

  3. Scroll down the list of filter options, and then under Action select Delivery Failed.

  4. Click "Apply Filters" to display the list of scans.

Add to Allowlist

Allows you to add the sender's email address to an allowlist.

For details, see Allowlists.

Add to Block list

Allows you to add the sender's email address to a block list.

For details, see Blocklists.

Highlighted

The FortiMail Workspace Security IR Team can configure FortiMail Workspace Security to automatically add the Highlighted tag to the results of a scan. When the Highlighted tag is added, a detection-specific banner is typically added at the top of the scan results. This banner provides a brief description of a significant detection in the scan.

The Highlighted tag and associated banner are typically added because the FortiMail Workspace Security IR Team wants to emphasize specific malicious behavior that was detected in the scan - usually related to an important attack-type.

Note: The "highlighted" banner appears in the Detailed scan view only - not in the Compact view - of the Scans page.

In the Scans-summary view, the Highlighted icon [light-bulb] appears on the left of the scan entry - to indicate that the scan has been highlighted.

The Highlighted filter control [] appears at the top of the Scans page - under Importance. This filter control enables you to filter [show] only those scans that have been highlighted.

Note:

  • The Highlighted tag is typically added to scans with malicious verdicts - but can be applied to a scan with any verdict.

  • It is possible for admin users to add the Highlighted tag to any scan. This is typically done to mark the scan for easy location and retrieval later on, using the Highlighted filter control [] .

Request Investigation

Sends a request to the FortiMail Workspace Security IR Team to investigate the scan. For details, see Requesting an investigation.

Release email

Releases the email from quarantine.

The verdict of the email is not changed - if the verdict is Malicious, then the verdict will remain as Malicious.

Note: If you want to release the email AND change the verdict, use the Change Verdict functionality described above.

The Release email button is enabled only if:

  • All selected scans are for emails that are quarantined.

  • You have the "Admin" role in FortiMail Workspace Security.

Hint: Use the Action > Quarantined advanced filter to ensure that only quarantined emails are displayed. For details, see Advanced filters.

Note:

  • The Release email bulk action is limited to 1,000 items at one time.

  • Released emails should appear immediately in the user's Inbox.

  • An admin role of "Email Flow Manager" or higher is required in order to have permission to release emails from quarantine.

    An "Email Flow Manager" will be able to see only those scans that are currently quarantined.

GPThreat Hunter Summary

When you analyze a malicious scan in the Scans page, you can generate an "easy-to-read" AI-based summary of the significant factors that contributed to the scan verdict. Locate "GPThreat Hunter Summary" in the Scans page, and then click Generate Summary. GPThreat Hunter will almost-instantaneously generate an easy-to-read summary of the scan verdict.

Note: This functionality is available only for email scans that have a malicious verdict.

Performing bulk actions

In the Scans-summary page, it is possible to perform some of the available actions simultaneously on multiple scans. These actions are called bulk actions. The controls for the bulk functions are all grouped together - and appear when at least one scan is selected. The bulk actions that can be performed are shown below:

 

Control

Limitations...

1

Download scans

  • Limited to a maximum of 5,000 items at one time.

2

Export scans

  • Limited to a maximum of 5,000 items at one time.

3

Change verdicts

 

4

Resend emails

  • Limited to a maximum of 1,000 items at one time.

  • Available for only 24 hours after a scan is performed.

5

Release emails

  • Limited to a maximum of 1,000 items at one time.

  • Available only if all selected scans are for emails that are quarantined.

6

Rescan

This option may not be available.

7

Delete emails

 

Note:

Some bulk-action options may not be available if any of the selected scans are for emails that are:

  • Quarantined

  • Delivered

No bulk actions can be performed on any emails that were "Quarantined by Microsoft".

For details on the bulk actions, see Understanding the scan controls [Summary page] above.

To perform a bulk action:

  1. Open the Scans-summary page.

  2. Filter the scans that are shown. The Advanced Filter may be helpful. For details, see Advanced filters.

  3. Select the required scans.

  4. Click the appropriate bulk-action button to perform the required action.

Getting the URL of the scan

When you are performing troubleshooting actions with FortiMail Workspace Security Support, they may ask you to send the scan URL.

To get the scan URL:

  1. In FortiMail Workspace Security, open the Security Operations > Scans page.

  2. Locate scans for which the scan URL is required.

  3. Click the Open Scan button [ or ] on the right of the scan results - to show details of the scan.

    The URL that appears in the browser is the scan URL.

Exporting the scan list

You can export [or download] the list of scans that are displayed in the Scans page. The exported list will be in a .csv file, and will include metadata about the emails.

Note: In the downloaded CSV files, all dates and times are in UTC format. This can't be changed. Times may therefore differ from the times that appear in the UI of the Scans page in FortiMail Workspace Security.

To export the scans list:

  1. In FortiMail Workspace Security, open the Security Operations > Scans page.

  2. Use the available filter controls to display a list of the required scans. For filtering details, see Filtering and searching scans.

  3. Select the Select all scans check box in the top-left of the scans list.

  4. Click either the Export button or the Download "bulk action" button. For details, see Performing bulk actions above.

See also: