Administration Guide

Create or edit an antivirus profile

Click Create New to open the Create AntiVirus Profile window.

Select an antivirus profile and then click Edit to open the Edit AntiVirus Profile window.

Configure the following settings in the Create AntiVirus Profile window and then click OK:

Name

Enter the name of the antivirus profile.

Comments

Optionally, enter a description of the profile.

Options

For each protocol, enable or disable antivirus scanning, blocking, and monitoring.

Outbreak Prevention

FortiGuard Virus Outbreak Protection Service (VOS) supplements the FortiProxy antivirus database with third-party malware hash signatures curated by FortiGuard and taken from FortiGuard's Global Threat Intelligence database. FortiProxy queries FortiGuard with the hash of a scanned file; if FortiGuard returns a match, the file is deemed malicious. Because the lookup is by file hash, the AV engine scan does not need to be enabled to use this feature.

Scanning Files by FortiNDR Server

For each protocol, select whether FortiNDR scanning is disabled, blocks matching files, or only monitors them.

Refer to Using FortiNDR inline scanning with antivirus for more details.

Note

This option is available only when a FortiNDR server is connected.

Content Disarm

Content disarm and reconstruction (CDR) lets the FortiProxy unit sanitize Microsoft Office documents and PDF files (including those inside ZIP archives) by removing active content such as hyperlinks, embedded media, JavaScript, and macros from the files (disarm) without affecting their textual content (reconstruction). It lets network administrators protect their users from malicious document files.

The original files processed by CDR can be quarantined on FortiAnalyzer, FortiSandbox, or locally on FortiProxy models with a hard disk, so that the original copy can be retrieved in the event of a false positive.

CDR is supported on HTTP, SMTP, POP3, and IMAP. NOTE: SMTP splice and client-comfort mode are not supported.

Archive Block

For each protocol, select the file types to block.

Archive Log

For each protocol, select the file types to log.

Send Files to FortiSandbox Cloud for Inspection

If you want files to be inspected by FortiSandbox Cloud, select whether to send only suspicious files (Suspicious) or all files.

Refer to Using FortiSandbox post-transfer scanning with antivirus for more details.

Use FortiSandbox Database

Enable this option to use the FortiSandbox database.

Include Mobile Malware Protection

Enable this option to protect mobile devices from malware.

API Preview

The API Preview allows you to view all REST API requests used by the page. Changes you make on the page are reflected in the API request preview. This feature is not available when you are logged in as an administrator who has read-only GUI permissions.

To use the API Preview:
  1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.

  2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.

  3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.

  4. Click Close to leave the preview.

Stream-based antivirus scan for FTP, SFTP, and SCP

Stream-based antivirus scanning is supported for FTP, SFTP, and SCP protocols.

  • Stream-based antivirus scanning optimizes memory usage for large archive files by decompressing the files on the fly and scanning the files as they are extracted.

  • File types can be determined after scanning a few KB, without buffering the entire file.

  • Viruses can be detected even if they are hiding in the middle or end of a large archive.

  • When scanning smaller files, traffic throughput is improved by scanning the files directly in the proxy-based WAD daemon, without invoking scanunit.

Stream-based scanning is the default scan mode. To disable stream-based scanning, set the scan mode to legacy; in legacy mode an archive is scanned only after the entire file has been received.

To configure stream-based scan:
config antivirus profile
    edit <string>
        ...
        set scan-mode {default* | legacy}
        ...
    next
end
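To make the streaming behaviour concrete, here is an added example in Python. It is not FortiProxy code and does not show how WAD or scanunit are implemented; it walks a ZIP archive's local file headers as chunks arrive, inflates each member incrementally, and matches a constructed marker string, so a hit in a middle member is reported before the large trailing member has been read. The archive contents, the marker, and the chunk sizes are all constructed for the example, and it handles only archives whose local headers carry the member sizes (no data descriptors).

```python
import io
import struct
import zipfile
import zlib

# Constructed marker standing in for a signature; not a real malware pattern.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"

# ZIP local file header: sig, version, flags, method, mtime, mdate, crc32,
# compressed size, uncompressed size, name length, extra length (30 bytes).
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")


def build_archive():
    """Three-member archive (constructed): the marker sits in the middle member and is
    followed by a large stored member, so a streaming scanner hits before reading it all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"benign text\n" * 100)
        zf.writestr("docs/report.bin", b"junk " * 50 + SIGNATURE + b" more junk")
        zf.writestr("big/filler.bin", b"\x00" * 200_000, compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


class ChunkReader:
    """Pulls bytes from an iterator of chunks on demand and counts what was pulled."""

    def __init__(self, chunks):
        self._chunks = iter(chunks)
        self._buf = b""
        self.pulled = 0

    def read(self, n):
        while len(self._buf) < n:
            try:
                chunk = next(self._chunks)
            except StopIteration:
                break
            self._buf += chunk
            self.pulled += len(chunk)
        out, self._buf = self._buf[:n], self._buf[n:]
        return out


def stream_members(reader, piece=4096):
    """Walk the local file headers in order and yield (name, decompressed piece)
    as each member's data arrives, never holding the whole archive in memory."""
    while True:
        hdr = reader.read(LOCAL_HDR.size)
        if len(hdr) < LOCAL_HDR.size or hdr[:4] != b"PK\x03\x04":
            return  # central directory or end of stream: no more members
        _, _, flags, method, _, _, _, csize, _, nlen, xlen = LOCAL_HDR.unpack(hdr)
        if flags & 0x08:
            raise ValueError("sizes live in a trailing data descriptor; not handled here")
        name = reader.read(nlen).decode("utf-8", "replace")
        reader.read(xlen)  # extra field, ignored
        inflater = zlib.decompressobj(-15) if method == 8 else None  # 8 = deflate, 0 = stored
        remaining = csize
        while remaining > 0:
            raw = reader.read(min(piece, remaining))
            if not raw:
                raise ValueError(f"truncated member {name}")
            remaining -= len(raw)
            yield name, (inflater.decompress(raw) if inflater else raw)
        if inflater:
            yield name, inflater.flush()


def chunks_of(data, size):
    for i in range(0, len(data), size):
        yield data[i:i + size]


def scan_archive_stream(archive_bytes, signature=SIGNATURE, chunk=1024):
    """Return (member name, bytes pulled so far) at the first hit, or (None, total).
    A carry-over window catches a signature split across two pieces."""
    reader = ChunkReader(chunks_of(archive_bytes, chunk))
    current, carry = None, b""
    for name, data in stream_members(reader):
        if name != current:
            current, carry = name, b""
        window = carry + data
        if signature in window:
            return name, reader.pulled
        carry = window[-(len(signature) - 1):]
    return None, reader.pulled


if __name__ == "__main__":
    archive = build_archive()
    hit, pulled = scan_archive_stream(archive)
    print(f"hit in {hit!r} after {pulled} of {len(archive)} bytes")
```

The legacy behaviour the text describes corresponds to buffering the whole archive before the first header is parsed; the streaming version above reports the hit after the first 1 KB chunk even though the archive is over 200 KB.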

Configuring threat feed and outbreak prevention without AV engine scan

In the CLI, users can enable malware threat feeds and outbreak prevention without performing an antivirus scan. In the GUI and CLI, users can choose to use all malware threat feeds, or specify the ones that they want to use. Replacement messages have been updated for external block lists.

config antivirus profile
    edit <name>
        config http
            set av-scan {disable | block | monitor}
            set outbreak-prevention {disable | block | monitor}
            set external-blocklist {disable | block | monitor}
            set quarantine {enable | disable}
        end
        ...
        set outbreak-prevention-archive-scan {enable | disable}
        set external-blocklist-enable-all {enable | disable}
        set external-blocklist <source>
    next
end
To configure malware threat feeds and outbreak prevention without performing an AV scan in the CLI:
config antivirus profile
    edit "Demo"
        set mobile-malware-db enable
        config http
            set av-scan disable
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set content-disarm disable
        end
        config ftp
            set av-scan disable
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
        end
        config imap
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
            set content-disarm disable
        end
        config pop3
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
            set content-disarm disable
        end
        config smtp
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
            set content-disarm disable
        end
        config mapi
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
        end
        config nntp
            set av-scan disable
            set outbreak-prevention disable
            set external-blocklist disable
            set quarantine disable
            set emulator enable
        end
        config cifs
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
        end
        config ssh
            set av-scan disable
            set outbreak-prevention disable
            set external-blocklist disable
            set quarantine disable
            set emulator enable
        end
        set outbreak-prevention-archive-scan enable
        set external-blocklist-enable-all disable
        set external-blocklist "malhash1"
        set av-virus-log enable
        set av-block-log enable
        set extended-log disable
        set scan-mode default
    next
end

In this example, quarantine is configured per protocol (set quarantine enable). Rather than using every configured threat feed (set external-blocklist-enable-all disable), the profile is restricted to the threat feed connector malhash1 (set external-blocklist "malhash1"). Note that for HTTP and FTP, where av-scan is disabled, detection relies entirely on exact hash matches against the outbreak prevention database and the threat feed, so a file whose hash is not listed passes without being scanned.
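The following is an added Python illustration, not FortiProxy code, of what hash-only detection means in practice when av-scan is disabled: a feed is parsed, files and (mirroring outbreak-prevention-archive-scan) ZIP members are hashed and looked up, and the per-protocol block or monitor action is applied. The feed format (one hex digest per line with an optional comment; MD5, SHA-1 or SHA-256 inferred from digest length), the feed entries, and the sample files are assumptions constructed for the example.

```python
import hashlib
import io
import zipfile

# Constructed sample contents; nothing here is real malware.
DROPPER = b"constructed-dropper-sample:MZ\x90\x00" + b"\x00" * 32
SECOND = b"constructed-second-sample"
CLEAN_DOC = b"%PDF-1.4 constructed benign document"

ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def build_feed():
    """Feed text in the assumed format: one hex digest per line, optional comment,
    '#' lines ignored. Digests are computed from the constructed samples above."""
    return "\n".join([
        "# malhash1 - constructed feed for the example",
        hashlib.sha256(DROPPER).hexdigest() + " dropper.exe",
        hashlib.md5(SECOND).hexdigest() + " loader.dll",
        "not-a-hash this malformed line must be skipped, not abort the load",
    ]) + "\n"


def parse_feed(text):
    """Return {algo: {hexdigest: comment}}; the algorithm is inferred from digest length."""
    feed = {"md5": {}, "sha1": {}, "sha256": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, comment = line.partition(" ")
        digest = digest.lower()
        algo = ALGO_BY_LEN.get(len(digest))
        if algo and all(c in "0123456789abcdef" for c in digest):
            feed[algo][digest] = comment.strip()
    return feed


def lookup(feed, data):
    """Exact-match lookup: hash the blob with each algorithm the feed actually uses."""
    for algo, table in feed.items():
        if not table:
            continue
        digest = hashlib.new(algo, data).hexdigest()
        if digest in table:
            return algo, table[digest]
    return None


def verdict(feed, data, action="block", archive_scan=True):
    """Apply the per-protocol action ('block' or 'monitor'). With archive_scan, ZIP
    members are hashed as well, like outbreak-prevention-archive-scan enable.
    Returns (action_taken, match) where match is (algo, comment) or None."""
    match = lookup(feed, data)
    if match is None and archive_scan and data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                match = lookup(feed, zf.read(name))
                if match:
                    match = (match[0], f"{name}: {match[1]}")
                    break
    if match is None:
        return "pass", None
    return ("block" if action == "block" else "log"), match


def demo():
    feed = parse_feed(build_feed())
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:  # constructed archive carrying the dropper
        zf.writestr("invoice.pdf", CLEAN_DOC)
        zf.writestr("setup.exe", DROPPER)
    return {
        "dropper": verdict(feed, DROPPER),
        "second": verdict(feed, SECOND),
        "variant": verdict(feed, DROPPER + b"\x00"),  # one appended byte defeats hash matching
        "archive": verdict(feed, archive.getvalue()),
        "archive_no_member_scan": verdict(feed, archive.getvalue(), archive_scan=False),
        "monitor_only": verdict(feed, DROPPER, action="monitor"),
        "clean": verdict(feed, CLEAN_DOC),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

The "variant" case is the point of the caveat above: the same dropper with a single byte appended has a different hash, is in no feed, and passes when av-scan is disabled, while the "archive" case shows why outbreak-prevention-archive-scan matters for hash-based detection.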

Content disarm and reconstruction for antivirus

Content disarm and reconstruction (CDR) lets the FortiProxy sanitize Microsoft Office documents and PDF files (including those inside ZIP archives) by removing active content such as hyperlinks, embedded media, JavaScript, and macros from the files (disarm) without affecting their textual content (reconstruction). It lets network administrators protect their users from malicious document files.

The original files processed by CDR can be quarantined on FortiAnalyzer, FortiSandbox, or locally on FortiProxy models with a hard disk, so that the original copy can be retrieved in the event of a false positive.

CDR is supported on HTTP, SMTP, POP3, and IMAP. NOTE: SMTP splice and client-comfort mode are not supported.

Support and limitations

  • CDR can only be performed on Microsoft Office documents and PDF files.
  • Local disk CDR quarantine is only possible on FortiProxy models that contain a hard disk.
  • CDR is only supported on HTTP, SMTP, POP3, and IMAP.
    • SMTP splice and client-comfort mode are not supported.
  • For archived files, CDR only processes documents inside ZIP archives; other archive formats are not supported.

Configuring the feature

To configure antivirus to work with CDR, you must enable CDR on your antivirus profile, set the quarantine location, and then fine tune the CDR detection parameters.

To configure CDR:
  1. Go to Security Profiles > AntiVirus.

  2. Edit an antivirus profile or create a new one.

  3. Under Content Disarm, enable the options that you want.

  4. Select a quarantine location from the available options:

    • FortiSandbox—Saves the original document file to a connected FortiSandbox.

    • File Quarantine—Saves the original document file to disk (if possible) or a connected FortiAnalyzer based on the FortiProxy log settings (config log fortianalyzer setting).

    • Discard—The default setting, which discards the original document file.

  5. Select the action that is taken when an error occurs:
    • Block—Block file when there is a CDR error.
    • Log Only—Log the CDR error but allow the file to pass.
    • Ignore—When there is a CDR error, let the file pass but do not log the error.
  6. Click OK.
To edit the CDR detection parameters:

By default, stripping of all active Microsoft Office and PDF content types is enabled. In this example, stripping of macros in Microsoft Office documents is disabled (set office-macro disable).

config antivirus profile
    edit <antivirus_profile_name>
        config content-disarm
            set office-macro disable
            set detect-only {enable | disable}
            set cover-page {enable | disable}
            set error-action {block | log-only | ignore}
        end
    next
end

Where:

detect-only

Only detect disarmable files, do not alter content. Disabled by default.

cover-page

Attach a cover page to the file's content when the file has been processed by CDR. Enabled by default.
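As an added example that is not FortiProxy's CDR engine, the Python below shows the two halves of the feature on constructed inputs: a detect-only pass that reports active content in an OOXML package (VBA macro part, hyperlink and OLE relationships) and in a PDF (JavaScript, OpenAction, Launch, embedded files), including Office documents nested in a plain ZIP, and a disarm-and-reconstruct pass that removes the VBA part and the active relationships while keeping the document text. The finding names, the regexes, and the minimal macro-enabled Word package and PDF are this example's own assumptions, and the disarm step is deliberately narrower than what a real CDR engine does.

```python
import io
import re
import zipfile

# Finding labels are this example's own names, not FortiProxy CLI option names.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
REL_MARKERS = {
    "office-macro": "/relationships/vbaProject",
    "office-hyperlink": "/relationships/hyperlink",
    "office-embedded-object": "/relationships/oleObject",
}
PDF_PATTERNS = {
    "pdf-javascript": rb"/(?:JavaScript|JS)\b",
    "pdf-open-action": rb"/OpenAction\b",
    "pdf-launch": rb"/Launch\b",
    "pdf-embedded-file": rb"/EmbeddedFile\b",
}
REL_STRIP = re.compile(r'<Relationship\b[^>]*/relationships/(?:hyperlink|vbaProject|oleObject)"[^>]*/>')
CT_STRIP = re.compile(r'<Override\b[^>]*vbaProject[^>]*/>')
HYPERLINK_UNWRAP = re.compile(r"<w:hyperlink\b[^>]*>(.*?)</w:hyperlink>", re.S)

# Constructed minimal macro-enabled Word package and PDF (made up for this example).
CONTENT_TYPES = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    b'<Default Extension="xml" ContentType="application/xml"/>'
    b'<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
    b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    b"</Types>"
)
DOCUMENT_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    b' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    b"<w:body><w:p><w:r><w:t>Quarterly results</w:t></w:r>"
    b'<w:hyperlink r:id="rId2"><w:r><w:t>click here</w:t></w:r></w:hyperlink>'
    b"</w:p></w:body></w:document>"
)
RELS_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    b'<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
    b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="http://example.invalid/p" TargetMode="External"/>'
    b"</Relationships>"
)
PDF_SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert('constructed')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_sample_docx():
    return build_zip({
        "[Content_Types].xml": CONTENT_TYPES,
        "word/document.xml": DOCUMENT_XML,
        "word/_rels/document.xml.rels": RELS_XML,
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 64,  # stand-in for a VBA project
    })


def inspect(data):
    """Detect-only pass: report active content without altering the file.
    A plain ZIP container is opened and each member inspected in turn."""
    found = set()
    if data.startswith(b"%PDF-"):
        for label, pattern in PDF_PATTERNS.items():
            if re.search(pattern, data):
                found.add(label)
    elif data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if not any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
                for n in names:
                    found |= inspect(zf.read(n))
                return found
            if any(n in MACRO_PARTS for n in names):
                found.add("office-macro")
            for n in names:
                if n.endswith(".rels"):
                    rels = zf.read(n).decode("utf-8", "replace")
                    found.update(label for label, m in REL_MARKERS.items() if m in rels)
    return found


def disarm_office(data):
    """Disarm + reconstruct: drop the VBA part, cut active relationships, unwrap
    hyperlink runs so their visible text survives, copy every other part as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in MACRO_PARTS:
                continue
            body = src.read(name)
            if name.endswith(".rels"):
                body = REL_STRIP.sub("", body.decode("utf-8")).encode("utf-8")
            elif name == "[Content_Types].xml":
                body = CT_STRIP.sub("", body.decode("utf-8")).encode("utf-8")
            elif name.endswith("document.xml"):
                body = HYPERLINK_UNWRAP.sub(r"\1", body.decode("utf-8")).encode("utf-8")
            dst.writestr(name, body)
    return out.getvalue()


def document_text(data):
    """Visible text of the main Word part with tags stripped, to check reconstruction."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return re.sub(rb"<[^>]+>", b"", zf.read("word/document.xml"))
```

Running inspect() on the constructed package corresponds to detect-only enable (findings are reported, nothing is rewritten); disarm_office() is the disarm step, and document_text() on its output is the check that the reconstruction kept the user-visible text, hyperlink label included.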
