Malware hash threat feed
A malware hash threat feed is a dynamic list that contains malware hashes and periodically updates from an external server. The list is stored in text file format on an external server. After the FortiGate imports this list, it is automatically used for virus outbreak prevention on antivirus profiles when Use external malware block list is enabled. Similar to FortiGuard outbreak prevention, the malware hash threat feed is not supported in AV quick scan mode.
Text file example:
292b2e6bb027cd4ff4d24e338f5c48de
dda37961870ce079defbf185eeeef905 Trojan-Ransom.Win32.Locky.abfl
3fa86717650a17d075d856a41b3874265f8e9eab Trojan-Ransom.Win32.Locky.abfl
c35f705df9e475305c0984b05991d444450809c35dd1d96106bb8e7128b9082f Trojan-Ransom.Win32.Locky.abfl
The file contains one malware hash per line. See External resources file format for more information about the malware hash list formatting style.
For optimal performance, do not mix different hash types in the list. Use only one of MD5, SHA1, or SHA256.
Example configuration
In this example, a list of malware hashes is imported using the malware threat feed. The newly created threat feed is applied to an antivirus profile, and the antivirus profile is applied to a firewall policy. Any traffic that passes through the FortiGate and matches the malware hashes in the threat feed list will be dropped.
To configure a malware hash threat feed in the GUI:
- Go to Security Fabric > External Connectors and click Create New.
- In the Threat Feeds section, click Malware Hash.
- Set the Name to AWS_Malware_Hash.
- Set the URI of external resource to https://s3.us-west-2.amazonaws.com/malware.txt.
- Configure the remaining settings as required, then click OK.
- Edit the connector, then click View Entries to view the hash list.
To configure a malware hash threat feed in the CLI:
config system external-resource
    edit "AWS_Malware_Hash"
        set type malware
        set resource "https://s3.us-west-2.amazonaws.com/malware.txt"
    next
end
To apply a malware hash threat feed in an antivirus profile:
- Go to Security Profiles > AntiVirus and create a new antivirus profile, or edit an existing one.
- Enable Use external malware block list.
- Click the + and select AWS_Malware_Hash from the list.
- Configure the remaining settings as needed, then click OK.
To apply the antivirus profile in a firewall policy:
- Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.
- Configure the policy fields as required.
- Under Security Profiles, enable AntiVirus and select the profile used in the previous procedure.
- Set SSL Inspection to deep-inspection to inspect HTTPS traffic.
- Enable Log Allowed Traffic.
- Click OK.
To view the antivirus logs:
- Go to Log & Report > AntiVirus.
- View the log details in the GUI, or download the log file:
1: date=2023-02-03 time=15:42:41 eventtime=1675467761491047388 tz="-0800" logid="0207008212" type="utm" subtype="virus" eventtype="malware-list" level="warning" vd="root" policyid=1 poluuid="e8b310ba-914f-51ed-9014-7b2a116f29ad" policytype="policy" msg="Blocked by local malware list." action="blocked" service="HTTP" sessionid=293915 srcip=172.20.120.13 dstip=192.168.10.13 srcport=53515 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="wan" srcuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" dstuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" proto=6 direction="incoming" filename="test.jpg" quarskip="Quarantine-disabled" virus="a1a74a39788854b75d454dc9c83c612b" viruscat="File Hash" dtype="external-blocklist" filehash="a1a74a39788854b75d454dc9c83c612b" filehashsrc="AWS_Malware_Hash" url="http://192.168.10.13/test.jpg" profile="default" agent="curl/7.55.1" httpmethod="GET" analyticssubmit="false" crscore=10 craction=2 crlevel="medium"
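As an added example that is not part of Fortinet's documentation, the following Python script validates a feed file in the format described above (one hash per line, optional description, a single hash type per list) and parses a malware-list log record to confirm that a block was attributed to the feed. The sample feed and the log excerpt are constructed for the example.

```python
import re
# Constructed sample feed in the one-hash-per-line format described above
# ('#' comments and blank lines ignored; optional description after the hash).
SAMPLE_FEED = """\
# constructed example feed
292b2e6bb027cd4ff4d24e338f5c48de
dda37961870ce079defbf185eeeef905 Trojan-Ransom.Win32.Locky.abfl
3fa86717650a17d075d856a41b3874265f8e9eab Trojan-Ransom.Win32.Locky.abfl
c35f705df9e475305c0984b05991d444450809c35dd1d96106bb8e7128b9082f Trojan-Ransom.Win32.Locky.abfl
not-a-hash Something
"""
# Constructed excerpt of the malware-list log record shown above.
SAMPLE_LOG = ('1: date=2023-02-03 time=15:42:41 type="utm" subtype="virus" '
              'eventtype="malware-list" msg="Blocked by local malware list." '
              'action="blocked" srcip=172.20.120.13 dtype="external-blocklist" '
              'filehash="a1a74a39788854b75d454dc9c83c612b" filehashsrc="AWS_Malware_Hash"')

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # digest length in hex characters
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
LOG_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_feed(text):
    """Validate a feed file. Returns (entries, problems): entries are
    (hash, type, description) tuples, problems are human-readable strings."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, desc = line.partition(" ")
        htype = HASH_TYPES.get(len(digest))
        if htype is None or not HEX_RE.match(digest):
            problems.append(f"line {lineno}: not an MD5/SHA1/SHA256 hex digest: {digest!r}")
            continue
        entries.append((digest.lower(), htype, desc.strip()))
    types = sorted({t for _, t, _ in entries})
    if len(types) > 1:  # the page advises a single hash type per list
        problems.append(f"mixed hash types in one list: {types}")
    return entries, problems

def parse_fortigate_log(record):
    """Split a FortiGate key=value log record into a dict (quotes stripped)."""
    record = re.sub(r"^\d+:\s*", "", record)  # drop the leading "1: " record counter
    return {k: v.strip('"') for k, v in LOG_KV_RE.findall(record)}

def blocked_by_feed(fields, feed_name):
    """True when a parsed record is an external-blocklist block attributed to feed_name."""
    return (fields.get("dtype") == "external-blocklist" and fields.get("action") == "blocked"
            and fields.get("filehashsrc") == feed_name)
```

Running parse_feed over a real list before publishing it catches malformed lines and mixed hash types, the two conditions the format notes above warn about.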
To verify the scanunit daemon:
# diagnose sys scanunit file-hash list
malware 'a1a74a39788854b75d454dc9c83c612b' vf_id 0 uuid 15752 profile 'AWS_Malware_Hash' description ''
The list of external hashes has been updated.