Search Malware Logs - dtype=Virus

Search for virus-type malware detections in AntiVirus logs.

✅ All code examples tested: Verified against FortiAnalyzer v7.4.8, v7.6.4, v8.0.0.

Overview

This example shows how to search virus/malware logs specifically for detections classified as “Virus” type - useful for:

• Monitoring traditional virus detections

• Investigating file-based virus infections

• Tracking virus spread patterns across network

• Security incident response for virus outbreaks

• Compliance reporting on virus threats

This operation uses the two-step asynchronous pattern. See the LogView Search Overview for complete workflow details.

Endpoint Details

Method: POST URL: /jsonrpc API Path (Step 1): /logview/adom/{adom}/logsearch API Path (Step 2): /logview/adom/{adom}/logsearch/{tid}

Step 1: Submit Search Request

Key Parameters

Parameter	Type	Required	Description
adom	string	Yes	ADOM name (e.g., “root”)
logtype	string	Yes	Must be "virus" for malware logs
filter	string	Yes	Must include dtype="Virus"
time-range	object	Yes	Time range for search

Filter Examples

Basic Virus Detection:

dtype="Virus"

By Virus Name:

dtype="Virus" and virus contains "trojan"

Blocked Viruses:

dtype="Virus" and action=blocked

By User:

dtype="Virus" and user=jdoe

REQUEST

{
    "method": "add",
    "params": [{
        "url": "/logview/adom/root/logsearch",
        "data": {
            "logtype": "virus",
            "filter": "dtype=\"Virus\"",
            "time-range": {
                "start": "2025-11-09 00:00:00",
                "end": "2025-11-09 23:59:59"
            }
        }
    }],
    "session": "{{session_id}}",
    "id": 1
}

RESPONSE

{
    "result": [{
        "data": {
            "tid": 12348
        },
        "status": {
            "code": 0,
            "message": "OK"
        }
    }]
}

Step 2: Fetch Results

REQUEST

{
    "method": "get",
    "params": [{
        "url": "/logview/adom/root/logsearch/12348",
        "data": {
            "limit": 100,
            "offset": 0
        }
    }],
    "session": "{{session_id}}",
    "id": 2
}

RESPONSE

{
    "result": [{
        "data": {
            "tid": 12348,
            "status": "done",
            "percentage": 100,
            "total_lines": 32,
            "logs": [
                {
                    "date": "2025-11-09",
                    "time": "13:27:45",
                    "devname": "FGT-01",
                    "dtype": "Virus",
                    "srcip": "10.0.1.75",
                    "virus": "W32/Generic.Trojan",
                    "action": "blocked",
                    "filename": "malicious.exe",
                    "profile": "default"
                }
            ]
        },
        "status": {
            "code": 0,
            "message": "OK"
        }
    }]
}

Complete Python Example

import requests
import urllib3
import time

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def search_virus_detections(session_id, adom, time_range, additional_filter=None):
    """
    Search for virus-type malware detections

    Args:
        session_id: Active session ID
        adom: ADOM name
        time_range: Time range dict
        additional_filter: Optional additional filter criteria

    Returns:
        list: Virus detection log entries
    """
    url = "https://faz.example.com/jsonrpc"

    filter_expr = 'dtype="Virus"'
    if additional_filter:
        filter_expr += f" and {additional_filter}"

    # Step 1: Submit search
    payload = {
        "method": "add",
        "params": [{
            "url": f"/logview/adom/{adom}/logsearch",
            "data": {
                "logtype": "virus",
                "filter": filter_expr,
                "time-range": time_range
            }
        }],
        "session": session_id,
        "id": 1
    }

    response = requests.post(url, json=payload, verify=False)
    result = response.json()

    if result['result'][0]['status']['code'] != 0:
        raise Exception(f"Search failed: {result['result'][0]['status']['message']}")

    tid = result['result'][0]['data']['tid']
    print(f"✓ Virus search submitted. TID: {tid}")

    # Step 2: Poll and fetch
    while True:
        payload = {
            "method": "get",
            "params": [{
                "url": f"/logview/adom/{adom}/logsearch/{tid}"
            }],
            "session": session_id,
            "id": 2
        }

        response = requests.post(url, json=payload, verify=False)
        data = response.json()['result'][0]['data']

        if data['status'] == 'done' and data['percentage'] == 100:
            print(f"✓ Found {data['total_lines']} virus detections")
            return data.get('logs', [])

        print(f"  Status: {data['percentage']}%")
        time.sleep(2)

# Example usage
logs = search_virus_detections(
    session_id="your_session_id",
    adom="root",
    time_range={"last-n-hours": 24}
)

for log in logs[:5]:
    print(f"{log['time']} | {log['srcip']} | Virus: {log['virus']} | Action: {log['action']}")

Use Cases

Monitor All Virus Detections

logs = search_virus_detections(
    session_id=session,
    adom="root",
    time_range={"last-n-hours": 24}
)

Investigate Specific Virus Family

logs = search_virus_detections(
    session_id=session,
    adom="root",
    time_range={"last-n-hours": 48},
    additional_filter='virus contains "trojan"'
)

Related Endpoints

• LogView Search Overview - Complete workflow guide

• Search Malware - Outbreak - Outbreak prevention logs

• Search Attack Logs - IPS attack logs

---

Last Updated: 2025-11-09 API Version: 7.6.4+