Verdicts

This section includes:

About verdicts

Each scan that is performed by FortiMail Workspace Security on any item, is assigned a verdict by FortiMail Workspace Security. For a list of possible verdicts, see Verdict types below. The verdict determines what happens with the scanned item. For example, an item may be quarantined based on the verdict. For details on how to specify if an item should be quarantined - based on the verdict - see Quarantine.

If you think that the verdict that has been assigned to a scan is not correct, you can:

Verdict types

The following verdicts can be assigned to a scan:

Verdict

Description

Can be quarantined?

Incident?

Malicious

[]

The scan indicates that the item is malicious. Malicious items are typically quarantined [if the integrated service supports this functionality].

  • For 180 days, metadata and full eml details of malicious emails are available in FortiMail Workspace Security - even if the email is not quarantined.

  • After 180 days, no information about the scan is available in FortiMail Workspace Security.

  • From 180 days until 365 days, metadata and full eml details of the scan are available internally to Perception Point only - not in FortiMail Workspace Security.

The 180-day and 365-day periods can't be changed.

Note: If the scan verdict is changed to clean, then the retention period is based on the new clean verdict.

Yes

For details, see Which verdicts cause quarantine

Yes

Spam

[]

The scan indicates that the email is spam. Depending on the settings that have been configured for your organization, the email will be:

  • quarantined [if the integrated service supports this functionality] [See Which verdicts cause quarantine]

    - or -

  • [Microsoft 365 API integrations] sent to the "Spam" or "Junk" folder, or the Inbox of the original recipient. [See Configuring spam remediation]

    [All non-Microsoft 365 API integrations] sent to the "Spam" or "Junk" folder of the original recipient.

For details about end-users releasing quarantined emails that have a spam verdict, see Configuring Digest reports.

[False positives - Microsoft 365] When spam emails are sent to the "Spam" or "Junk" folders, users can move any of these "spam" emails to their Inboxes, and mark the sender as safe, locally in their email systems. Future emails from this sender will then go to the Inbox and not to the "Spam" or "Junk" folders.

The primary classifications of spam are:

  • Webinar invitations

  • Unsolicited product offers

  • Advertisements

  • Newsletters

--------------------------------------------------------------------------------------

  • For 180 days, metadata and full eml details of spam emails are available in FortiMail Workspace Security - even if the email is not quarantined.

  • After 180 days, no information about the scan is available in FortiMail Workspace Security.

  • From 180 days until 365 days, metadata and full eml details of the scan are available internally to Perception Point only - not in FortiMail Workspace Security.

The 180-day and 365-day periods can't be changed.

Note: If the scan verdict is changed to clean, then the retention period is based on the new clean verdict.

Restricted

[]

The scan detected a file of a type that is included in the list of restricted file types - according to your organization policy. This could include files such as .exe or .docx files.

You can configure FortiMail Workspace Security to quarantine restricted files, or emails that include restricted files. For details see Quarantine.

For details on how to view or manage your set of restricted file types, see Restricted file types.

Note:

  • Password-protected files that FortiMail Workspace Security is unable to scan can also result in a restricted verdict. For details, see Scanning password-protected attachments.

  • Emails that are blocked by custom block list entries may also be assigned a restricted verdict. For more details, see Custom blocklists.

  • For 180 days, metadata and full eml details of restricted emails are available in FortiMail Workspace Security - even if the email is not quarantined.

  • After 180 days, no information about the scan is available in FortiMail Workspace Security.

  • From 180 days until 365 days, metadata and full eml details of the scan are available internally to Perception Point only - not in FortiMail Workspace Security.

The 180-day and 365-day periods can't be changed.

Note: If the scan verdict is changed to clean, then the retention period is based on the new clean verdict.

Suspicious

[]

The scan is suspicious. The scan detected characteristics that are potentially harmful or indicative of malicious intent, but not conclusively so. Therefore the scan is not necessarily malicious, but it warrants further investigation by the FortiMail Workspace Security IR Team.

Note: The suspicious verdict is primarily for internal use by Perception Point. The suspicious verdict is assigned very seldom.

The suspicious verdict can be assigned manually by the FortiMail Workspace Security IR Team, and it can also be automatically assigned by FortiMail Workspace Security.

  • Suspicious scans are treated the same as clean scans - they are delivered to the recipient's Inbox.

  • Suspicious emails can't be quarantined.

The data retention policy for Suspicious scans is the same as the data retention policy for Clean scans. See below

No

No

Clean

[]

If nothing suspicious is detected during a scan, the item is assigned a "clean" verdict.

Clean emails are sent to the Inbox of the recipient.

By default:

  • For 48 hours, metadata and full eml details of clean emails are available in FortiMail Workspace Security.

    Note that if the delivery of an email fails [that is, the Action is set to Delivery failed], then the metadata and full eml details will be retained for 180 days.

  • After 48 hours until 180 days, only metadata about the scan is available in FortiMail Workspace Security - full eml details of the scan are not available in FortiMail Workspace Security.

    Information about the scan still appears in the Scans page in FortiMail Workspace Security - but full details of the email are no longer available. The FortiMail Workspace Security IR Team will no longer be able to conduct an in-depth investigation of the email.

  • From 180 days until 365 days, metadata about the scan is available internally to Perception Point only - not in FortiMail Workspace Security.

The 180-day and 365-day periods can't be changed.

No

No

Note:

  • Not all the above verdict types are available for all channels - some channels may use just a few of the above verdict types.

  • All data is saved in the Perception Point AWS servers - the specific server that is used depends on the environment of your organization.

Email delivery options

Depending on the verdict that is assigned to the scan of an email, the email will be delivered to a specified destination. The destination for each verdict can be configured. The diagram below shows the available destinations and the default destinations for each verdict.

* For details on how to configure which verdicts will cause emails to be quarantined, see Which verdicts cause quarantine

** For details on how to set this destination, see Configuring spam remediation.

See also: