Antivirus

Antivirus scanning techniques 

• Antivirus scanning 

  • Detects and removes malware in real-time 

  • Can stop malicious threats from spreading 

  • Preserves the client reputation of the public IP address 

• Grayware scanning 

  • Use grayware signatures to identify any unwanted programs that are installed on a system 

  • Detects and block unsolicited programs 

  • Antivirus actions are applied if a grayware is detection 

• Machine Learning (ML) scan 

  • This is enabled by default

  • Uses ML training models from FortiGuard 

  • Uses malware detection model to detect Windows Portable Executables (PEs) 

  • Used to mitigate zero-day attacks 

Sandboxing 

• FortiSandbox is used to identify zero-day attacks 

• The suspicious file is uploaded and executed within FortiSandbox for deeper analysis. 

• The FortiGate device uploads the suspicious files to the FortiSandbox Cloud or a local FortiSandbox appliance. 

• The FortiSandbox Cloud must be activated on a FortiCloud account. 

• The FortiGate can be configured to receive a signature database from the FortiSandBox Cloud or FortiSandbox appliance. 

• On the FortiGate, go to Security Fabric > Fabric Connectors. 

• To ensure the FortiSandbox cloud option on CLI, use the set gui-fortigate-cloud-sandbox enable command. 

• The Antivirus Security Profile must be configured to send files to the FortiSandbox for futher inspection. 

• Go to, Security Profile > Antivirus > enable 'Use FortiSandbox database' 

• You can also choose what files are uploaded to the FortiSandbox. 

• Performs inline scanning when proxy-based inspection is used. 

 Antivirus signature database 

• Requires an active FortiGuard Antivirus subscription 

• Go to, System > FortiGuard > under FortiGuard Updates 

• Extended database – common and recent non-active malware. Available on all FortiGate devices. 

• Extreme database – includes the extended database and additional dormant viruses. Available on selected FortiGate devices. 

 FortiGuard Protection Services 

• Go to, Security Profiles > Antivirus > view the options under 'Content Disarm and Reconstruction' and 'Virus Outbreak Prevention'. 

• The 'Content Disarm and Reconstruction' section removes exploitable content and replace it with that's known to be safe. 

• The 'Virus Outbreak Prevention' section enables you to use FortiGuard outbreak prevention database. 

 AntiVirus scanning modes 

• Flow-based inspection mode 

  • The suspicious file cache for inspection and forwards the file to the destination 

  • When the last packet is received by the FortiGate, it sends the packet to the AV engine reassemble and analysis. 

  • Packets are not delayed, except the last packet to the destination. 

  • If a threat is detected, the last packet is dropped and the connection is reset. 

  • This inspection mode provide low-latency 

• Proxy-based inspection mode 

  • This inspection mode uses the extended and extreme antivirus database 

  • The FortiGate will store the ensure file and the antivirus starts scanning after the end of the file is detected (all packets are received). 

  • The packets are only sent to the destination after the scan is completed. 

  • This mode provides high latency. 

  • Provides a block message if a threat detected. 

  • To enable the security profile, go to Security Profiles > Antivirus > Feature Set > select Proxy-based 

  • Ensure under the Firewall Policy, go to Policy & Objects > Firewall Policy > Inspection Mode > select Proxy-based 

Configuring AntiVirus 

• Go to, Security Profiles > AntiVirus 

• The default feature set is configured for Flow-based inspection. 

• After configuring an AntiVirus Policy, it needs to be applied to a Firewall Policy (Policy & Objects > Firewall Policy). 

• To scan encrypted protocols, ensure deep-inspection is selected for the SSL/SSH Inspection settings. 

• If the AntiVirus blocks a threat, an AV block page is shown with the following details: 

  • Name of the file 

  • Virus name 

  • Website or URL 

  • User name and group if authentication is enabled 

  • A reference link to FortiGuard 

Protocol Options 

• Protocol Options enables you specific custom port numbers for specific services. 

• For instance, assigning multiple port numbers for HTTP such as 80,8080. 

• Go to, Policy & Objects > Protocol Options 

AntiVirus Logs 

• Go to, Log & Report > Security Events 

• Go to, Log & Report > Forward Traffic (insert new column as 'Security Action' and 'Action') 

• Enable standalone dashboard, Dashboard > Top Destinations 

Best Practices 

• Enable AV scanning on all internet-based traffic 

• Use deep-inspection as compared to certificate-based inspection mode. 

• If possible, use the FortiSandbox Cloud or appliance and configure the AntiVirus profile to use the FortiSandbox database. 

• Do not increase the maximum file size to be scanned unless necessary. 

Troubleshooting 

• Check the FortiGuard license status, go to System > FortiGuard. 

• Use the execute update-av command to check for new antivirus updates. 

• Ensure FortiGate has an internet connection. 

• Check the FortiGuard antivirus database version on https://www.fortiguard.com/updates/antivirus and compare it to the FortiGate database version. 

• Useful commands: 

  • get system performance status – shows the virus statistics for the last one minute 

  • diagnose antivirus database-info – shows the current antivirus database information 

  • diagnose autoupdate versions – shows the current antivirus engine and signature versions 

  • diagnose antivirus test "get scantime" - displays scan times for infected files 

  • execute update-av – Checks for new antivirus updates