Setting AV quarantine policies

The “quarantined” daemon manages the infected or suspicious files. The quarantine destination can be either the local hard disk.

It is a multi-process daemon that receives quarantine requests from the AV daemon and processes them in child processes. It can work in tandem with remote devices to complement the AV service, such as sending suspicious files to FortiSandbox for deeper inspection or uploading the archive package onto FortiCloud.

It also manages the use of storage space: listing the quarantined files, deleting expired files, and overriding old files or dropping new files when there is not enough storage space available.

Note: For the 5.0.0 release, the AV module only supports quarantine on the hard disk and the integration with FortiSandbox, as illustrated in AV quarantine process flow.

AV quarantine process flow

You can configure AV quarantine policies from the GUI or the Console.

Configuring AV quarantine policies from the GUI

To configure AV quarantine policies from the GUI:

  1. Click Network Security > Anti Virus.
  2. Click the Quarantine tab.
  3. Make the entries or selections as described in AV quarantine policy configuration.
  4. Click Save when done.

AV quarantine policy configuration

Settings Description
Destination

The destination for quarantined files, which could be either of the following:

  • NULL—Disable quarantine.
  • Disk—Send quarantined files to the hard disk.

Age Limit

The number of hours that quarantined files are kept on the hard disk. The default is 1 hour. Valid values range from 0 to 336 hours.

Note: If the age limit is set to 0 (zero), it means that there is no age limit and quarantined files will remain on the hard disk forever.

Max File Size

The maximum size (in KB) of a single file that can be quarantined. The default is 1024 (KB). Valid values range from 1 to 2048 KB.

Note: Files larger than the set Max File Size will not be quarantined. In practice, this value is also subject to the quarantine quota (disk space reserved for quarantined files) that remains on the hard disk. For example, when less than 1024 KB of quarantine quota remains, a file of 1024 KB still will not be quarantined even though you have set Max File Size to 1024.

Quarantine Quota

The amount of disk space reserved for quarantining files. The default is 512 MB. Valid values range from 0 to 1024 MB. If the value is set to 0, no files are quarantined.

Drop Infected

Select one or more of the following:

  • HTTP
  • HTTPS
  • SMTP

Note: By default, no option is selected, which means that infected files from all of these protocols are quarantined. If selected, files involving the specified protocol or protocols will be dropped (not quarantined).

Lowspace

Specify the way in which new files are handled when the system disk space is running low, which could be either of the following:

  • Override Old—Override old quarantine files with new ones.
  • Drop New—Drop new quarantine files to retain old ones.

Configuring AV quarantine policies from the Console

To configure an AV quarantine policy from the Console, execute the following commands:

config security antivirus quarantine
  set destination {NULL | disk}
  set agelimit <integer>
  set maxfilesize <integer>
  set quarantine-quota <integer>
  set drop-infected {http | https | smtp}
  set lowspace {drop-new | ovrw-old}
end
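The following is an added example, not Fortinet code: a small offline check that reads a quarantine block in the console syntax above, validates each value against the ranges in the settings table, and flags the documented settings under which infected files are not retained or are retained forever. The function names `parse_block` and `audit`, the sample policy, and the acceptance of several space-separated `drop-infected` protocols are assumptions made for illustration.

```python
import re

# Ranges and defaults are the ones in the settings table on this page.
INT_SETTINGS = {  # key: (min, max, default)
    "agelimit": (0, 336, 1),             # hours
    "maxfilesize": (1, 2048, 1024),      # KB
    "quarantine-quota": (0, 1024, 512),  # MB
}
ENUM_SETTINGS = {"destination": {"NULL", "disk"}, "lowspace": {"drop-new", "ovrw-old"}}
PROTOCOLS = {"http", "https", "smtp"}

def parse_block(text):
    """Collect 'set <key> <value ...>' lines into {key: [values]}."""
    found = re.findall(r"^\s*set\s+(\S+)\s+(.+?)\s*$", text, re.MULTILINE)
    return {key: value.split() for key, value in found}

def audit(cfg):
    """Return (errors, warnings) for a parsed quarantine policy."""
    errors, warnings, nums = [], [], {}
    for key, (lo, hi, default) in INT_SETTINGS.items():
        raw = cfg.get(key, [str(default)])[0]
        if raw.isdigit() and lo <= int(raw) <= hi:
            nums[key] = int(raw)
        else:
            errors.append(f"{key}: {raw} is outside {lo}-{hi}")
    for key, allowed in ENUM_SETTINGS.items():
        if key in cfg and cfg[key][0] not in allowed:
            errors.append(f"{key}: unknown value {cfg[key][0]}")
    # Assumption: several protocols may follow drop-infected, space-separated.
    dropped = cfg.get("drop-infected", [])
    errors += [f"drop-infected: unknown protocol {p}" for p in dropped if p not in PROTOCOLS]
    if cfg.get("destination") == ["NULL"]:
        warnings.append("destination NULL: quarantine is disabled")
    if nums.get("quarantine-quota") == 0:
        warnings.append("quarantine-quota 0: no files are quarantined")
    elif nums.get("quarantine-quota", 0) * 1024 < nums.get("maxfilesize", 0):
        warnings.append("maxfilesize exceeds the quota: the largest allowed files never fit")
    if nums.get("agelimit") == 0:
        warnings.append("agelimit 0: quarantined files are kept forever")
    warnings += [f"drop-infected {p}: infected files are dropped, not quarantined"
                 for p in dropped if p in PROTOCOLS]
    return errors, warnings

# Constructed sample policy (not taken from a real device).
SAMPLE = """config security antivirus quarantine
  set agelimit 0
  set maxfilesize 4096
  set quarantine-quota 1
  set drop-infected smtp
end"""
print(audit(parse_block(SAMPLE)))
```

Settings missing from the block are checked at the defaults stated in the table; destination and lowspace are only checked when present because the page does not state their defaults.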