We have observed a malicious callback from one source IP (172.26.100.66), which was blocked by the Fortinet firewall under the category of Virus.
Please check and clarify with the Fortinet Firewall Team whether the detection is a false negative or a false positive, because we plan to create a use case.
As per the raw log, the subject source is trying to resolve the domain below via the Fortinet and DC Cyberoam firewalls (the destination IP is the firewall WAN IP).
The file has not yet been quarantined. The file also reached the uncompressed size limit. Please have a look at it.
Please deploy the AV scan urgently and share the risk-level report from the AV team, since this was observed in the CBS zone.
Kindly share the complete internet traffic route of the CBS zone. If any WAN traffic from CBS goes via the Cyberoam firewall, how can we detect whether any callbacks happened?
Please validate the same and do the needful.
File Name: avengine64.zip
URL: hxxp{:}//update.nai.com/Products/CommonUpdater/Current/LV2SNENG1000/Engine/0000/avengine64{.}zip
Hash: ABE7D75139C637946C1B4867968ADDDD80676026CB8226C48560783FBAC28309
Raw Log:
date=2020-07-29 time=01:13:23 devname="IOBCOREFW001" devid="FG1K5D3I17800031" logid="0262008960" type="utm" subtype="virus" eventtype="scanerror" level="warning" vd="root" eventtime=1595965403 msg="File reached uncompressed size limit." action="blocked" service="HTTP" sessionid=12313720 srcip=172.26.100.66 dstip=172.16.90.80 srcport=55709 dstport=80 srcintf="VLAN_1001" srcintfrole="undefined" dstintf="port1" dstintfrole="wan" policyid=473 proto=6 direction="incoming" filename="avengine64.zip" quarskip="File-was-not-quarantined." url="http://update.nai.com/Products/CommonUpdater/Current/LV2SNENG1000/Engine/0000/avengine64.zip?hash=AB..." profile="default" agent="McAfee" analyticscksum="abe7d75139c637946c1b4867968adddd80676026cb8226c48560783fbac
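Added triage helper for the raw log above (editor's example; not part of the escalation, and not Fortinet or McAfee tooling). It parses the FortiGate key=value syslog format and separates an actual engine verdict (eventtype "infected") from a scan error: in the log above eventtype is "scanerror" with msg "File reached uncompressed size limit.", meaning the engine never scanned the archive, so the log on its own supports neither a malware verdict nor a clean one, and a use case built on it should alert on "unscanned oversize download", not "virus". The eventtype mapping, the quarantine inference from the quarskip field, the AV update-host allowlist (seeded with update.nai.com, the host in the log) and the two sample log lines are assumptions constructed for this example.

```python
"""Triage FortiGate UTM antivirus logs: engine verdict vs. scan error."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# ASSUMPTION: FortiGate AV eventtype values. "infected" is a real engine hit;
# "scanerror" and "oversize" mean the file was never fully scanned.
_VERDICT_EVENTS = {"infected"}
_NO_VERDICT_EVENTS = {"scanerror", "oversize"}

# ASSUMPTION: allowlist of AV vendor update hosts maintained by the SOC.
AV_UPDATE_HOSTS = {"update.nai.com"}


def parse_fortigate(line: str) -> dict:
    """Return one FortiGate log line as a dict; surrounding quotes are stripped."""
    fields = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


@dataclass
class Triage:
    category: str         # "av_detection", "scan_error", "unclassified", "not_av"
    engine_verdict: bool  # True only if the AV engine scanned the file and flagged it
    blocked: bool
    quarantined: bool
    vendor_update: bool   # URL host is a known AV update server
    reason: str


def triage(fields: dict) -> Triage:
    """Classify a parsed log; only type=utm subtype=virus records are AV logs."""
    if fields.get("type") != "utm" or fields.get("subtype") != "virus":
        return Triage("not_av", False, False, False, False, "not a UTM virus log")

    blocked = fields.get("action") == "blocked"
    # ASSUMPTION: quarskip="..." is only present when quarantine was skipped.
    quarantined = "quarskip" not in fields
    host = urlparse(fields.get("url", "")).hostname or ""
    vendor_update = host.lower() in AV_UPDATE_HOSTS
    ev = fields.get("eventtype", "")

    if ev in _VERDICT_EVENTS:
        return Triage("av_detection", True, blocked, quarantined, vendor_update,
                      f"engine flagged {fields.get('virus', '<unnamed>')}")
    if ev in _NO_VERDICT_EVENTS:
        return Triage("scan_error", False, blocked, quarantined, vendor_update,
                      f"no verdict: {fields.get('msg', ev)}")
    return Triage("unclassified", False, blocked, quarantined, vendor_update,
                  f"unhandled eventtype {ev!r}")


def triage_line(line: str) -> Triage:
    return triage(parse_fortigate(line))


# Constructed sample logs (modelled on the escalation's raw log, shortened).
SAMPLE_SCANERROR = (
    'date=2020-07-29 time=01:13:23 devname="IOBCOREFW001" type="utm" '
    'subtype="virus" eventtype="scanerror" level="warning" '
    'msg="File reached uncompressed size limit." action="blocked" '
    'service="HTTP" srcip=172.26.100.66 dstip=172.16.90.80 dstport=80 '
    'filename="avengine64.zip" quarskip="File-was-not-quarantined." '
    'url="http://update.nai.com/Products/CommonUpdater/Current/avengine64.zip" '
    'agent="McAfee"'
)
SAMPLE_INFECTED = (
    'date=2020-07-29 time=02:00:00 devname="IOBCOREFW001" type="utm" '
    'subtype="virus" eventtype="infected" level="warning" '
    'msg="File is infected." action="blocked" service="HTTP" '
    'srcip=172.26.100.66 dstip=203.0.113.10 dstport=80 '
    'filename="loader.exe" virus="EICAR_TEST_FILE" '
    'url="http://203.0.113.10/loader.exe"'
)

if __name__ == "__main__":
    for line in (SAMPLE_SCANERROR, SAMPLE_INFECTED):
        t = triage_line(line)
        print(f"{t.category:13} verdict={t.engine_verdict} blocked={t.blocked} "
              f"quarantined={t.quarantined} vendor_update={t.vendor_update} "
              f"({t.reason})")
```

Run against the first sample the helper returns category "scan_error" with engine_verdict False, blocked True, quarantined False and vendor_update True; the second, a constructed real hit, returns "av_detection". For the callback question across two firewalls, the same parser can be pointed at both devices' logs, but only if the Cyberoam path is also logging HTTP/AV events for the CBS zone.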