Antivirus
FortiOS offers the unique ability to implement both flow-based and proxy-based antivirus concurrently, depending on the traffic type, users, and locations. Flow-based antivirus offers higher throughput performance.
FortiOS includes two preloaded antivirus profiles:
- default
- wifi-default
You can customize these profiles, or you can create your own to inspect certain protocols, remove viruses, analyze suspicious files with FortiSandbox, and apply botnet protection to network traffic. Once configured, you can add the antivirus profile to a firewall policy.
This functionality requires a subscription to FortiGuard Antivirus. |
Protocol comparison between antivirus inspection modes
The following table indicates which protocols can be inspected by the designated antivirus scan modes.
|
HTTP |
FTP |
IMAP |
POP3 |
SMTP |
NNTP |
MAPI |
CIFS |
SSH |
---|---|---|---|---|---|---|---|---|---|
Proxy |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes* |
Yes |
Flow |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
No |
Yes |
No |
* Proxy mode antivirus inspection on CIFS protocol has the following limitations:
- Cannot detect infections within some archive files.
- Cannot detect oversized files.
Other antivirus differences between inspection modes
Starting from 6.4.0, the scan mode option is no longer available for flow-based AV.
This means that AV no longer exclusively uses the default or legacy scan modes when handling traffic on flow-based firewall policies. Instead, AV in flow-based policies uses a hybrid of the two scan modes. Flow AV may use a pre-filtering database for malware detection in some circumstances as opposed to the full AV signature database in others. The scan method is determined by the IPS engine algorithm that is based on the type of file being scanned.
In contrast, proxy mode maintains the scan mode option, which can be toggled between default or legacy mode. In default mode, the WAD daemon uses a stream-based approach, while legacy mode disables this stream-based approach. Proxy default scan-mode uses pre-scanning and stream-based scanning for HTTP traffic.
Stream-based scanning provides the following AV improvements:
-
Archive files (ZIP, GZIP, BZIP2, TAR, ISO) that exceed the oversize limit are uncompressed and scanned for infections.
- The contents of large archive files are scanned without having to buffer the entire file.
- Small files are scanned locally by the WAD daemon if only AV scanning is needed in the policy.
- File filtering on HTTP/HTTPS is handled locally by the WAD daemon.
This means that the overall memory usage is optimized when an archive file is scanned, and better security is achieved by scanning archives that would otherwise be bypassed.
However, stream-based scanning has limitations on the more complex features that it can scan. For the following features, traffic will be automatically handed off to the scanunit daemon for scanning (as in the case of legacy mode):
- Heuristic AV scan
- DLP
- Quarantine
- FortiGuard outbreak prevention and external block list
- Content disarm
To configure the scan mode:
config antivirus profile edit <name> set feature-set proxy ... set scan-mode {default | legacy} next end
The following topics provide information about antivirus profiles:
- Databases
- Content disarm and reconstruction
- FortiGuard outbreak prevention
- External malware block list
- Checking flow antivirus statistics
- CIFS support
The following topics provide information about sandbox inspection with antivirus: