Handbook

6.0.0

Doc ID 4afb0436-a998-11e9-81a4-00505692583a:350664

Scanning order

The antivirus scanning function is made up of several modules and engines, each of which performs a separate task.

FortiOS has two modes of antivirus scanning: proxy-based and flow-based. The two modes exist because of the trade-off between performance and granularity. As in almost everything in security, there is a balance to strike: as the level of security and comprehensiveness increases, convenience or performance, or both, decrease. Scanning for more threats takes more processing, and processing is a finite resource on the hardware. Granularity can sometimes be used to mitigate the performance impact by scanning only a smaller subset of the traffic, but this is recommended only when that subset is the only traffic passing through the firewall; any traffic excluded from scanning for performance reasons is simply unscanned.

If traffic on the device is light, the impact on performance will hardly be noticeable. If the unit is working close to capacity and many files are passing through it, the decline in performance may be noticeable.

Both modes offer significant security. Proxy-based scanning is weighted towards thoroughness and ease of configuration, while flow-based scanning is designed to optimize performance.

Proxy-based antivirus scanning order

The following figure illustrates the antivirus scanning order when using proxy-based scanning. The first check, for oversized files and email, determines whether the file exceeds the configured size threshold. The uncompsizelimit check determines whether the file, once decompressed, can be buffered for file type and antivirus scanning. If the file is too large for the buffer, it is allowed to pass without being scanned; this is fail-open behaviour, so the limit should be set with the largest files you need to inspect in mind. For more information, see the config antivirus service command. The antivirus scan includes scanning for viruses, and for grayware and heuristics if those are enabled.

Note: File filtering includes file pattern and file type scans, which are applied at different stages in the antivirus process.

Antivirus scanning order when using the normal, extended, or extreme database

If a file fails any of the checks in the antivirus scan, no further checks are performed. For example, if the file fakefile.EXE matches a blocked file pattern, the FortiGate unit sends the end user a replacement message and deletes or quarantines the file. The unit does not go on to perform the virus, grayware, heuristics, and file type scans, because the earlier check has already determined that the file is a threat and dealt with it. Since the file pattern check matches on the file name, fakefile.EXE is blocked whatever its contents; a file whose name matches no blocked pattern must still pass the virus, grayware, heuristics, and file type checks that follow.

Flow-based antivirus scanning order

The following figure illustrates the antivirus scanning order when using flow-based scanning (that is, the flow-based database). The antivirus scan takes place before any other antivirus-related scan. If file filtering is not enabled, the file is not buffered at all. The antivirus scan includes scanning for viruses, and for grayware and heuristics if they are enabled.
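The two orderings described on this page (proxy-based in the previous section, flow-based here), as an added example that is not FortiOS code or Fortinet's own: a Python model of each pipeline that records which checks ran and which one produced the verdict, so the fail-open on uncompsizelimit and the short-circuit on the first blocking check can be seen side by side. It models only the checks the page names. The limits, patterns, sample files, the `ScannedFile`/`Profile`/`Verdict` types and the `oversize_block` knob are constructed assumptions (the page does not state what action the oversize check takes on a match), and any size limits that apply in flow mode are not described on this page and are not modelled.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class ScannedFile:
    """A file moving through the firewall. All fields are constructed sample data."""
    name: str
    size: int                 # bytes on the wire
    uncompressed_size: int    # bytes once archives are expanded
    content_type: str         # type detected from content, e.g. "pe", "pdf", "text"
    virus: bool = False       # would match a signature in the AV database
    grayware: bool = False    # would match a grayware signature
    suspicious: bool = False  # heuristics would flag it


@dataclass
class Profile:
    """Settings the page names, plus one assumed knob to make the model runnable."""
    oversize_limit: int           # oversized file/email threshold
    uncompsizelimit: int          # largest decompressed size that can be buffered for scanning
    blocked_patterns: tuple = ()  # file-pattern filter, matched against the file name
    blocked_types: tuple = ()     # file-type filter, matched against detected content
    scan_grayware: bool = True
    scan_heuristics: bool = True
    file_filter: bool = True
    oversize_block: bool = False  # ASSUMPTION: the page does not state the oversize action


@dataclass
class Verdict:
    action: str   # "pass", "block" or "pass-unscanned"
    reason: str
    steps: list = field(default_factory=list)  # checks that actually ran, in order


def _av_engine(f, p, v):
    """Virus, then grayware and heuristics if enabled. Returns True on a hit."""
    v.steps.append("virus")
    if f.virus:
        v.action, v.reason = "block", "virus signature"
        return True
    if p.scan_grayware:
        v.steps.append("grayware")
        if f.grayware:
            v.action, v.reason = "block", "grayware"
            return True
    if p.scan_heuristics:
        v.steps.append("heuristics")
        if f.suspicious:
            v.action, v.reason = "block", "heuristics"
            return True
    return False


def _pattern_hit(f, p):
    """File pattern filtering matches on the name only, case-insensitively."""
    return any(fnmatch(f.name.lower(), pat.lower()) for pat in p.blocked_patterns)


def proxy_scan(f, p):
    """Proxy-based order: oversize -> uncompsizelimit -> file pattern -> AV -> file type.
    The first check that reaches a verdict ends the pipeline."""
    v = Verdict("pass", "clean")
    v.steps.append("oversize")
    if f.size > p.oversize_limit and p.oversize_block:
        v.action, v.reason = "block", "oversize"
        return v
    v.steps.append("uncompsizelimit")
    if f.uncompressed_size > p.uncompsizelimit:
        # Cannot be buffered: the page says it is allowed through unscanned (fail-open).
        v.action, v.reason = "pass-unscanned", "exceeds uncompsizelimit"
        return v
    if p.file_filter:
        v.steps.append("file-pattern")
        if _pattern_hit(f, p):
            v.action, v.reason = "block", "file pattern"
            return v
    if _av_engine(f, p, v):
        return v
    if p.file_filter:
        v.steps.append("file-type")
        if f.content_type in p.blocked_types:
            v.action, v.reason = "block", "file type"
    return v


def flow_scan(f, p):
    """Flow-based order: AV first; file filtering (and the buffering it needs) only if enabled."""
    v = Verdict("pass", "clean")
    if _av_engine(f, p, v):
        return v
    if p.file_filter:
        v.steps.append("file-pattern")
        if _pattern_hit(f, p):
            v.action, v.reason = "block", "file pattern"
            return v
        v.steps.append("file-type")
        if f.content_type in p.blocked_types:
            v.action, v.reason = "block", "file type"
    return v


# Constructed sample profile and files.
PROFILE = Profile(oversize_limit=10 * 2**20, uncompsizelimit=50 * 2**20,
                  blocked_patterns=("*.exe",), blocked_types=("pe",))
FAKEFILE = ScannedFile("fakefile.EXE", 4096, 4096, "text")
BIG_ARCHIVE = ScannedFile("backup.zip", 8 * 2**20, 200 * 2**20, "zip", virus=True)
RENAMED_PE = ScannedFile("report.pdf", 70_000, 70_000, "pe")

if __name__ == "__main__":
    for sample in (FAKEFILE, BIG_ARCHIVE, RENAMED_PE):
        for mode, scan in (("proxy", proxy_scan), ("flow", flow_scan)):
            v = scan(sample, PROFILE)
            print(f"{mode:5} {sample.name:13} -> {v.action:14} ({v.reason}); ran: {' > '.join(v.steps)}")
```

Running the model shows the three behaviours the page describes: fakefile.EXE stops at the file pattern check in proxy mode and nothing after it runs; the archive whose decompressed size exceeds uncompsizelimit leaves the proxy pipeline unscanned even though its contents would match a signature; and report.pdf, which carries a PE body under a harmless name, passes every name-based check and is only caught by the content-based file type check at the end, which is skipped entirely when file filtering is disabled.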