Setting AV quarantine policies
The “quarantined” daemon manages the infected or suspicious files. The quarantine destination can be either the local hard disk.
It’s a multi-process daemon, which receives quarantine requests from the AV daemon and then processes the requests in child processes. It can work in tandem with remote devices to complement the AV service, such as sending suspicious files to FortiSandbox for deeper inspection or uploading the archive package onto FortiCloud.
In addition, it manages the use of storage space: listing the quarantined files, deleting expired files, and overwriting old files or dropping new files when there is not enough storage space available.
Note: For the 5.0.0 release, the AV module only supports quarantine on the hard disk and the integration with FortiSandbox, as illustrated in AV quarantine process flow.
You can configure AV quarantine policies from the GUI or the Console.
Configuring AV quarantine policies from the GUI
To configure AV quarantine policies from the GUI:
- Click Network Security > AntiVirus.
- Click the Quarantine tab.
- Make the entries or selections as described in AV quarantine policy configuration.
- Click Save when done.
AV quarantine policy configuration
Settings | Description |
Destination | The destination for quarantined files, which could be either of the following: |
Age Limit | The number of hours that quarantined files are kept on the hard disk. The default is 1 hour. Valid values range from 0 to 336 hours. Note: If the age limit is set to 0 (zero), there is no age limit and quarantined files remain on the hard disk forever. |
Max File Size | The maximum size (in KB) of a single file that can be quarantined. The default is 1024 (KB). Valid values range from 1 to 2048 KB. Note: Files larger than the set Max File Size will not be quarantined. In practice, this value is subject to the available quarantine quota that remains on the hard disk. For example, when there is less than 1024 KB of quarantine quota (disk space reserved for quarantined files) remaining, a file of 1024 KB in size still will not be quarantined even though you've set Max File Size to 1024. |
Quarantine Quota | The amount of disk space reserved for quarantining files. The default is 512 MB. Valid values range from 0 to 1024 MB. If the value is set to 0, no files are quarantined. |
Drop Infected | Select either or both of the following: Note: By default neither option is selected, which means that both types of files are quarantined. If selected, files involving the specified protocol or protocols will be dropped (not quarantined). |
Lowspace | Specify the way in which new files are handled when the system disk space is running low, which could be either of the following: |
Configuring AV quarantine policies from the Console
To configure an AV quarantine policy from the Console, execute the following commands:
config security antivirus quarantine
  set destination {NULL | disk}
  set agelimit <integer>
  set maxfilesize <integer>
  set quarantine-quota <integer>
  set drop-infected {http | https | smtp}
  set lowspace {drop-new | ovrw-old}
end
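The script below is an added example, not Fortinet code. It checks a saved copy of this configuration block against the ranges and allowed values documented above, and flags the documented edge cases that affect evidence retention (age limit 0, quota 0, drop-infected set). The function names and the sample block are constructed for illustration.

```python
import re

# Ranges and allowed values exactly as documented in the table and syntax above.
RANGES = {"agelimit": (0, 336), "maxfilesize": (1, 2048), "quarantine-quota": (0, 1024)}
CHOICES = {"destination": {"NULL", "disk"}, "lowspace": {"drop-new", "ovrw-old"}}
PROTOCOLS = {"http", "https", "smtp"}
# Constructed sample, not taken from a real device.
SAMPLE = """\
config security antivirus quarantine
  set destination disk
  set agelimit 0
  set maxfilesize 4096
  set quarantine-quota 0
  set drop-infected smtp
  set lowspace ovrw-old
end
"""

def parse_block(text):
    """Return {setting: [values]} for the 'set' lines of the quarantine block."""
    settings, inside = {}, False
    for line in map(str.strip, text.splitlines()):
        if line == "config security antivirus quarantine":
            inside = True
        elif inside and line == "end":
            break
        elif inside and (m := re.match(r"set\s+(\S+)\s+(.+)", line)):
            settings[m.group(1)] = m.group(2).split()
    return settings

def audit(settings):
    """Return (severity, message) findings: range errors plus documented edge cases."""
    out = []
    for key, vals in settings.items():
        if key in RANGES:
            lo, hi = RANGES[key]
            if not (vals[0].isdigit() and lo <= int(vals[0]) <= hi):
                out.append(("error", f"{key} {vals[0]}: outside {lo}-{hi}"))
        elif key in CHOICES and vals[0] not in CHOICES[key]:
            out.append(("error", f"{key} {vals[0]}: not an allowed value"))
        elif key == "drop-infected":
            ok = set(vals) <= PROTOCOLS
            out.append(("warn", f"{key} {' '.join(vals)}: dropped, not quarantined") if ok
                       else ("error", f"{key} {' '.join(vals)}: unknown protocol"))
    if settings.get("agelimit") == ["0"]:
        out.append(("warn", "agelimit 0: quarantined files are kept forever"))
    if settings.get("quarantine-quota") == ["0"]:
        out.append(("warn", "quarantine-quota 0: no files are quarantined"))
    return out
```

Calling audit(parse_block(SAMPLE)) returns one error (maxfilesize out of range) and three warnings for the constructed sample.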