Cookbook

External Block List (Threat Feed) - File Hashes

The Malware Hash type of Threat Feed connector supports a list of file hashes (MD5, SHA1 or SHA256) that can be used as part of virus outbreak prevention.

To configure Malware Hash:
  1. Navigate to Security Fabric > Fabric Connectors and click Create New.
  2. In the Threat Feeds section, click Malware Hash.

    The Malware Hash source objects are displayed.

  3. To configure Malware Hash, fill in the Connector Settings section.

  4. Beside the Last Update field, click View Entries to display the external Malware Hash list contents.

New Malware value for external-resource parameter in CLI

FGT_PROXY (external-resource) # edit sha1_list
new entry 'sha1_list' added

FGT_PROXY (sha1_list) # set type ?
category    FortiGuard category.
address     Firewall IP address.
domain      Domain Name.
malware     Malware hash.

To configure external Malware Hash list sources in CLI:
config global
    config system external-resource
        edit "md5_list"
            set type malware
            set comments "List of md5 hashes only"
            set resource "http://172.16.200.44/outbreak/md5_list"
            set refresh-rate 30
        next
        edit "sha1_list"
            set type malware
            set comments "List of sha1 hashes only"
            set resource "http://172.16.200.44/outbreak/sha1_list"
            set refresh-rate 30
        next
        edit "sha256_list"
            set type malware
            set comments "List of sha256 hashes only"
            set resource "http://172.16.200.44/outbreak/sha256_list"
            set refresh-rate 30
        next
    end
end
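Each of the three entries above points at a plain text file that the FortiGate fetches every refresh-rate minutes, and each file must hold hashes of one algorithm only. The script below is an added example, not code from the Fortinet cookbook page: it builds the three feed files from a set of known-bad samples and validates a feed before it is published. It assumes the feed format of one hash per line, optionally followed by a space and a description; the sample bytes, the output directory and the list names are constructed for the example (the names match the CLI entries above).

```python
"""Build and validate FortiGate Malware Hash threat-feed files.

Added example; it is not code from the Fortinet cookbook page. It assumes
the feed format a `set type malware` external resource reads: one hash per
line, optionally followed by a space and a description. The sample bytes,
list names and output directory below are constructed for the example.
"""
import hashlib
import re
from pathlib import Path

# hex-digest length -> external-resource entry name used in the CLI example
HASH_LISTS = {32: "md5_list", 40: "sha1_list", 64: "sha256_list"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def hash_sample(data: bytes) -> dict:
    """Return the MD5, SHA1 and SHA256 digests of one sample as lower-case hex."""
    return {
        "md5_list": hashlib.md5(data).hexdigest(),
        "sha1_list": hashlib.sha1(data).hexdigest(),
        "sha256_list": hashlib.sha256(data).hexdigest(),
    }


def classify_hash(token: str):
    """Return the list a hash string belongs to, or None if it is not a valid hash."""
    if not HEX_RE.match(token):
        return None
    return HASH_LISTS.get(len(token))


def build_lists(samples: dict) -> dict:
    """Map {filename: content} of known-bad samples to {list_name: [feed lines]}.

    Each list holds hashes of one algorithm only, matching the three separate
    external-resource entries configured on the FortiGate.
    """
    lists = {name: [] for name in HASH_LISTS.values()}
    for filename, data in samples.items():
        for list_name, digest in hash_sample(data).items():
            lists[list_name].append(f"{digest} {filename}")
    return lists


def validate_feed(text: str, expected_list: str):
    """Check a feed file before publishing it at the `set resource` URL.

    Returns (valid_hashes, problems). A line is rejected when its first token
    is not hex, is a hash of the wrong algorithm for this list, or repeats an
    earlier hash, so a malformed entry never silently weakens the list.
    """
    valid, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        token = line.split()[0].lower()
        list_name = classify_hash(token)
        if list_name is None:
            problems.append(f"line {lineno}: not a hex hash: {token!r}")
        elif list_name != expected_list:
            problems.append(f"line {lineno}: {list_name} hash found in {expected_list}")
        elif token in seen:
            problems.append(f"line {lineno}: duplicate hash {token}")
        else:
            seen.add(token)
            valid.append(token)
    return valid, problems


def write_feeds(lists: dict, out_dir: Path) -> list:
    """Write one file per list (e.g. out_dir/md5_list) and return the paths written."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for list_name, lines in lists.items():
        valid, problems = validate_feed("\n".join(lines), list_name)
        if problems:
            raise ValueError(f"{list_name}: {problems}")
        path = out_dir / list_name
        path.write_text("\n".join(lines) + "\n")
        written.append(path)
    return written


if __name__ == "__main__":
    # Constructed sample: stands in for a quarantined known-bad file.
    samples = {"mhash_block.com": b"constructed sample bytes, not real malware"}
    for p in write_feeds(build_lists(samples), Path("outbreak")):
        print(p, p.read_text().strip())
```

Publish the written files at the paths named in `set resource` (the page uses http://172.16.200.44/outbreak/<list name>); serving them over HTTPS from a host only the FortiGate can reach keeps an on-path party from altering the list between the web server and the firewall.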

Update to antivirus profile

In Security Profiles > AntiVirus, the Virus Outbreak Prevention section allows you to enable the following options:

  • Use Fortinet Outbreak Prevention Database.
  • Use External Malware Block List.

To configure virus outbreak prevention options in CLI:

You must first set outbreak-prevention in each protocol section (files or full-archive, as in the profile below) and then enable external-blocklist under the outbreak-prevention section of the profile.

config antivirus profile
    edit "av"
        set analytics-db enable
        config http
            set options scan
            set outbreak-prevention full-archive
        end
        config ftp
            set options scan
            set outbreak-prevention files
        end
        config imap
            set options scan
            set outbreak-prevention full-archive
        end
        config pop3
            set options scan
            set outbreak-prevention full-archive
        end
        config smtp
            set options scan
            set outbreak-prevention files
        end
        config mapi
            set options scan
            set outbreak-prevention full-archive
        end
        config nntp
            set options scan
            set outbreak-prevention full-archive
        end
        config smb
            set options scan
            set outbreak-prevention full-archive
        end
        config outbreak-prevention
            set ftgd-service enable
            set external-blocklist enable
        end
    next
end

Update to utm-virus category logs

This feature adds the fields filehash and filehashsrc to outbreak prevention detection events: filehash is the hash that matched, and filehashsrc identifies its source, either fortiguard for the FortiGuard service or the name of the external malware hash list that matched.

Example of the utm-virus log generated when a file is detected by FortiGuard-queried outbreak prevention:

2: date=2018-07-30 time=13:57:59 logid="0204008202" type="utm" subtype="virus" eventtype="outbreak-prevention" level="warning" vd="root" eventtime=1532984279 msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="HTTP" sessionid=174777 srcip=192.168.101.20 dstip=172.16.67.148 srcport=37044 dstport=80 srcintf="lan" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="zhvo_test.com" checksum="583369a5" quarskip="No-skip" virus="503e99fe40ee120c45bc9a30835e7256fff3e46a" dtype="File Hash" filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" url="http://172.16.67.148/zhvo_test.com" profile="mhash_test" agent="Firefox/43.0" analyticssubmit="false" crscore=30 crlevel="high"

Example of the utm-virus log generated when a file is detected by External Malware Hash List outbreak prevention:

1: date=2018-07-30 time=13:59:41 logid="0207008212" type="utm" subtype="virus" eventtype="malware-list" level="warning" vd="root" eventtime=1532984381 msg="Blocked by local malware list." action="blocked" service="HTTP" sessionid=174963 srcip=192.168.101.20 dstip=172.16.67.148 srcport=37045 dstport=80 srcintf="lan" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="mhash_block.com" checksum="90f0cb57" quarskip="No-skip" virus="mhash_block.com" dtype="File Hash" filehash="93bdd30bd381b018b9d1b89e8e6d8753" filehashsrc="test_list" url="http://172.16.67.148/mhash_block.com" profile="mhash_test" agent="Firefox/43.0" analyticssubmit="false"
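The two log lines differ in eventtype, logid and filehashsrc, which is what a SIEM rule or triage script keys on to tell a FortiGuard hit from an external-list hit. The parser below is an added example, not code from the Fortinet cookbook page: it splits the key=value format, classifies each File Hash block by its filehashsrc, and infers the hash algorithm from the digest length. The two sample lines are copied from the page (with whitespace normalised); the triage summary, record layout and function names are constructed for this example.

```python
"""Parse FortiGate utm-virus log lines and triage outbreak-prevention blocks.

Added example; it is not code from the Fortinet cookbook page. The two log
lines below are the ones the page shows (one FortiGuard hit, one external
list hit); the parser and the triage summary are constructed for this example.
"""
import re
from collections import Counter

# key=value pairs: the value is either "quoted text" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOGS = [
    '2: date=2018-07-30 time=13:57:59 logid="0204008202" type="utm" subtype="virus" '
    'eventtype="outbreak-prevention" level="warning" vd="root" eventtime=1532984279 '
    'msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="HTTP" '
    'sessionid=174777 srcip=192.168.101.20 dstip=172.16.67.148 srcport=37044 dstport=80 '
    'srcintf="lan" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 '
    'direction="incoming" filename="zhvo_test.com" checksum="583369a5" quarskip="No-skip" '
    'virus="503e99fe40ee120c45bc9a30835e7256fff3e46a" dtype="File Hash" '
    'filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" '
    'url="http://172.16.67.148/zhvo_test.com" profile="mhash_test" agent="Firefox/43.0" '
    'analyticssubmit="false" crscore=30 crlevel="high"',
    '1: date=2018-07-30 time=13:59:41 logid="0207008212" type="utm" subtype="virus" '
    'eventtype="malware-list" level="warning" vd="root" eventtime=1532984381 '
    'msg="Blocked by local malware list." action="blocked" service="HTTP" sessionid=174963 '
    'srcip=192.168.101.20 dstip=172.16.67.148 srcport=37045 dstport=80 srcintf="lan" '
    'srcintfrole="lan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 '
    'direction="incoming" filename="mhash_block.com" checksum="90f0cb57" quarskip="No-skip" '
    'virus="mhash_block.com" dtype="File Hash" filehash="93bdd30bd381b018b9d1b89e8e6d8753" '
    'filehashsrc="test_list" url="http://172.16.67.148/mhash_block.com" profile="mhash_test" '
    'agent="Firefox/43.0" analyticssubmit="false"',
]


def parse_log(line: str) -> dict:
    """Turn one log line into a dict of fields; drops a leading "N: " index."""
    line = re.sub(r"^\d+:\s*", "", line)
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def hash_algorithm(digest: str) -> str:
    """Infer the algorithm from the digest length (32/40/64 hex characters)."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest), "unknown")


def hash_source(event: dict) -> str:
    """Name where the blocking hash came from.

    filehashsrc is "fortiguard" for the FortiGuard outbreak prevention service;
    otherwise it carries the name of the external malware hash list that matched.
    """
    src = event.get("filehashsrc", "")
    if src == "fortiguard":
        return "fortiguard"
    return f"external-list:{src}" if src else "unknown"


def triage(lines) -> tuple:
    """Summarise File Hash blocks: a Counter per hash source plus one record per hit.

    Events that are not virus logs with dtype "File Hash" are skipped, so other
    utm subtypes in the same stream do not pollute the summary.
    """
    per_source, hits = Counter(), []
    for line in lines:
        ev = parse_log(line)
        if ev.get("subtype") != "virus" or ev.get("dtype") != "File Hash":
            continue
        source = hash_source(ev)
        per_source[source] += 1
        hits.append({
            "time": f"{ev.get('date')} {ev.get('time')}",
            "srcip": ev.get("srcip"),
            "url": ev.get("url"),
            "algorithm": hash_algorithm(ev.get("filehash", "")),
            "filehash": ev.get("filehash"),
            "source": source,
            "action": ev.get("action"),
        })
    return per_source, hits


if __name__ == "__main__":
    per_source, hits = triage(SAMPLE_LOGS)
    for source, n in per_source.items():
        print(f"{source}: {n} blocked")
    for hit in hits:
        print(hit)
```

A hit whose source is an external list is worth a different response path from a FortiGuard hit: the list entry is something your own team published, so the record tells you which feed fired and lets you confirm the hash is still intended to be there.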
