FortiGuard outbreak prevention allows the FortiGate antivirus database to be supplemented with third-party malware hash signatures curated by FortiGuard. The hash signatures are obtained from external sources such as VirusTotal, Symantec, Kaspersky, and other third-party websites and services.
This feature provides the mechanism for antivirus to query FortiGuard with the hash of a scanned file. If FortiGuard returns a match from its many curated signature sources, the scanned file is deemed to be malicious.
The concept of FortiGuard outbreak prevention is to detect zero-day malware through a collaborative approach: a file the local signature database does not recognize can still be blocked when its hash is already known to one of the curated sources.
- FortiGuard outbreak prevention can be used in both proxy-based and flow-based policy inspections across all supported protocols.
- FortiGuard outbreak prevention does not support AV in quick scan mode.
- FortiGate must be registered with a valid FortiGuard outbreak prevention license before this feature can be used.
In order for antivirus to work with an external block list, you must register the FortiGate with a FortiGuard outbreak prevention license and enable FortiGuard outbreak prevention in the antivirus profile.
- See the following link for instructions on how to purchase or renew a FortiGuard outbreak prevention license:
- Once the license has been activated, you can verify its status by going to Global > System > FortiGuard.
- Go to Security Profiles > AntiVirus.
- Edit an antivirus profile, or create a new one.
- Select the toggle to enable Use FortiGuard Outbreak Prevention Database.
- Click Apply.
- Check whether the FortiGate has an outbreak prevention license:
# diagnose debug rating
Locale       : english

Service      : Web-filter
Status       : Enable
License      : Contract

Service      : Antispam
Status       : Disable

Service      : Virus Outbreak Prevention
Status       : Enable
License      : Contract

-=- Server List (Tue Feb 19 16:36:15 2019) -=-

IP               Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost  Updated Time
192.168.100.185  -218    2    DI     -8  113      0          0           Tue Feb 19 16:35:55 2019
- The scanunit daemon debug output shows the outbreak prevention verdict (here the local scan returns clean, `scan result 0`, but the FortiGuard hash query, `ftgd avquery`, reports the file as infected):
# diagnose debug application scanunit -1
Debug messages will be on for 30 minutes.
# diagnose debug enable
#
su 4739 job 1 open
su 4739 req vfid 1 id 1 ep 0 new request, size 313, policy id 1, policy type 0
su 4739 req vfid 1 id 1 ep 0 received; ack 1, data type: 0
su 4739 job 1 request info:
su 4739 job 1 client 10.1.100.11:39412 server 172.16.200.44:80
su 4739 job 1 object_name 'zhvo_test.com'
su 4739 file-typing NOT WANTED options 0x0 file_filter no
su 4739 enable databases 0b (core mmdb extended)
su 4739 job 1 begin http scan
su 4739 scan file 'zhvo_test.com' bytes 68
su 4739 job 1 outbreak-prevention scan, level 0, filename 'zhvo_test.com'
su 4739 scan result 0
su 4739 job 1 end http scan
su 4739 job 1 inc pending tasks (1)
su 4739 not wanted for analytics: analytics submission is disabled (m 0 r 0)
su 4739 job 1 suspend
su 4739 outbreak-prevention recv error
su 4739 ftgd avquery id 0 status 1
su 4739 job 1 outbreak-prevention infected entryid=0
su 4739 report AVQUERY infection priority 1
su 4739 insert infection AVQUERY SUCCEEDED loc (nil) off 0 sz 0 at index 0 total infections 1 error 0
su 4739 job 1 dec pending tasks 0
su 4739 job 1 send result
su 4739 job 1 close
su 4739 outbreak-prevention recv error
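The two diagnostic outputs above are what an operator reads by eye; when verifying many units or correlating verdicts, it helps to parse them. The following Python script is an added example, not Fortinet code and not part of this guide: it checks the `diagnose debug rating` output for an enabled, licensed Virus Outbreak Prevention service, and extracts from the scanunit debug lines one record per job with the local antivirus result and the outbreak-prevention verdict. It assumes the field labels and message formats shown on this page (`Service`/`Status`/`License` lines; `su <pid> [job <n>] ...` lines); the sample text embedded below is constructed from, and trimmed relative to, the output above.

```python
"""Added example (not Fortinet code): parse the two FortiGate diagnostic
outputs from this page to (1) confirm the Virus Outbreak Prevention service is
licensed and (2) pull the outbreak-prevention verdict for each scanunit job.
Assumes the exact field labels and line formats shown on the page."""
import re
from typing import Dict, List

# Constructed sample of `diagnose debug rating` output (reflowed from the page).
RATING_OUTPUT = """\
Locale       : english

Service      : Web-filter
Status       : Enable
License      : Contract

Service      : Antispam
Status       : Disable

Service      : Virus Outbreak Prevention
Status       : Enable
License      : Contract
"""


def parse_rating_services(text: str) -> Dict[str, Dict[str, str]]:
    """Group 'Key : Value' lines into one dict per 'Service' block."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue  # blank lines, the server-list banner and table are skipped
        key, value = m.group(1), m.group(2)
        if key == "Service":
            current = services.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return services


def outbreak_prevention_licensed(text: str) -> bool:
    """True only when the service is both enabled and under a Contract license."""
    svc = parse_rating_services(text).get("Virus Outbreak Prevention", {})
    return svc.get("Status") == "Enable" and svc.get("License") == "Contract"


# Constructed sample of scanunit debug lines (a subset of the page's output).
SCANUNIT_LOG = """\
su 4739 job 1 open
su 4739 job 1 client 10.1.100.11:39412 server 172.16.200.44:80
su 4739 job 1 object_name 'zhvo_test.com'
su 4739 job 1 outbreak-prevention scan, level 0, filename 'zhvo_test.com'
su 4739 scan result 0
su 4739 ftgd avquery id 0 status 1
su 4739 job 1 outbreak-prevention infected entryid=0
su 4739 report AVQUERY infection priority 1
su 4739 job 1 close
"""


def scanunit_verdicts(text: str) -> List[Dict[str, str]]:
    """One record per scanunit job: client, server, filename, the local AV
    'scan result' code, and whether the FortiGuard outbreak-prevention (AVQUERY)
    lookup flagged the file. Lines without 'job N' are attributed to the job
    most recently opened, which is how the daemon interleaves them."""
    jobs: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"su \d+ (?:job (\d+) )?(.*)$", line)
        if not m:
            continue
        job_id, rest = m.group(1), m.group(2)
        if job_id and rest == "open":
            current = {"job": job_id, "local_av_result": "",
                       "outbreak_prevention": "clean"}
            jobs.append(current)
            continue
        if not current:
            continue
        m2 = re.match(r"client (\S+) server (\S+)", rest)
        if m2:
            current["client"], current["server"] = m2.group(1), m2.group(2)
            continue
        m2 = re.match(r"object_name '([^']*)'", rest)
        if m2:
            current["filename"] = m2.group(1)
            continue
        m2 = re.match(r"scan result (\d+)", rest)
        if m2:
            current["local_av_result"] = m2.group(1)
            continue
        if rest.startswith("outbreak-prevention infected"):
            current["outbreak_prevention"] = "infected"
    return jobs


if __name__ == "__main__":
    print("licensed:", outbreak_prevention_licensed(RATING_OUTPUT))
    for job in scanunit_verdicts(SCANUNIT_LOG):
        print(job)
```

Running the script against the constructed samples reports the license as valid and one job for `zhvo_test.com` whose local scan result is `0` while the outbreak-prevention verdict is `infected`, which is exactly the case this feature exists for: the hash lookup catches what the on-box signature database missed.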