Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.0
Download PDF
Copy Link

antivirus profile

Create and configure antivirus profiles that can be applied to firewall policies. Antivirus profiles configure how virus scanning is applied to sessions accepted by a firewall policy that includes the antivirus profile.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

config <protocol>

set content-disarm {enable | disable}

end

config content-disarm

set original-file-destination {fortisandbox | quarantine | discard}

set office-macro {enable | disable}

set office-hylink {enable | disable}

set office-linked {enable | disable}

set office-embed {enable | disable}

set pdf-javacode {enable | disable}

set pdf-embedfile {enable | disable}

set pdf-act-gotor {enable | disable}

set pdf-act-launch {enable | disable}

set pdf-act-uri {enable | disable}

set pdf-act-sound {enable | disable}

set pdf-act-movie {enable | disable}

set pdf-act-java {enable | disable}

set pdf-act-form {enable | disable}

set cover-page {enable | disable}

set detect-only {enable | disable}

next

...

Content Disarm and Reconstruction (CDR) is used to remove exploitable content and replace it with content that is known to be safe. The use of CDR is enabled or disabled separately for each protocol in the profile.

Note that all CDR commands are only available when you set the profile's inspection-mode to proxy; CDR is not supported in Flow mode.

set extended-log {enable | disable}

When extended UTM log is enabled, more HTTP header information will be logged when a UTM event happens.

Note that the following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for.

config <protocol>

set outbreak-prevention {disabled | files | full-archive}

next

...

Outbreak prevention uses checksums to filter files in order to preempt and prevent quick virus outbreaks before AV signatures are created.

Setting full-archive analyzes files including the contents of archives, as opposed to files which does not include the contents of archives.

Note that outbreak-prevention is only available when options is set to scan.

config <protocol>

set archive-block {partiallycorrupted | fileslimit | timeout | ...}

set archive-log {partiallycorrupted | fileslimit | timeout | ...}

next

...

Additional options for file blocking and event logging of certain AntiVirus errors. Determine whether to block partially corrupted archives, exceeded archive files limit, and/or log scan timeout.
config antivirus profile
    edit {name}
    # Configure AntiVirus profiles.
        set name {string}   Profile name. size[35]
        set comment {string}   Comment. size[255]
        set replacemsg-group {string}   Replacement message group customized for this profile. size[35] - datasource(s): system.replacemsg-group.name
        set inspection-mode {proxy | flow-based}   Inspection mode.
                proxy       Proxy-based inspection.
                flow-based  Flow-based inspection.
        set ftgd-analytics {disable | suspicious | everything}   Settings to control which files are uploaded to FortiSandbox.
                disable     Do not upload files to FortiSandbox.
                suspicious  Submit files supported by FortiSandbox if heuristics or other methods determine they are suspicious.
                everything  Submit all files scanned by AntiVirus to FortiSandbox. AntiVirus may not scan all files.
        set analytics-max-upload {integer}   Maximum size of files that can be uploaded to FortiSandbox (1 - 395 MBytes, default = 10). range[1-1606]
        set analytics-wl-filetype {integer}   Do not submit files matching this DLP file-pattern to FortiSandbox. range[0-4294967295] - datasource(s): dlp.filepattern.id
        set analytics-bl-filetype {integer}   Only submit files matching this DLP file-pattern to FortiSandbox. range[0-4294967295] - datasource(s): dlp.filepattern.id
        set analytics-db {disable | enable}   Enable/disable using the FortiSandbox signature database to supplement the AV signature databases.
        set mobile-malware-db {disable | enable}   Enable/disable using the mobile malware signature database.
        config http
            set options {scan | avmonitor | quarantine}   Enable/disable HTTP AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable HTTP antivirus scanning.
                    avmonitor   Enable HTTP antivirus logging.
                    quarantine  Enable HTTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
            set content-disarm {disable | enable}   Enable Content Disarm and Reconstruction for this protocol.
        config ftp
            set options {scan | avmonitor | quarantine}   Enable/disable FTP AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable FTP antivirus scanning.
                    avmonitor   Enable FTP antivirus logging.
                    quarantine  Enable FTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
        config imap
            set options {scan | avmonitor | quarantine}   Enable/disable IMAP AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable IMAP antivirus scanning.
                    avmonitor   Enable IMAP antivirus logging.
                    quarantine  Enable IMAP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                    default  Perform standard AntiVirus scanning of Windows executable files.
                    virus    Treat Windows executables as viruses.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
            set content-disarm {disable | enable}   Enable Content Disarm and Reconstruction for this protocol.
        config pop3
            set options {scan | avmonitor | quarantine}   Enable/disable POP3 AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable POP3 antivirus scanning.
                    avmonitor   Enable POP3 antivirus logging.
                    quarantine  Enable POP3 antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                    default  Perform standard AntiVirus scanning of Windows executable files.
                    virus    Treat Windows executables as viruses.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
            set content-disarm {disable | enable}   Enable Content Disarm and Reconstruction for this protocol.
        config smtp
            set options {scan | avmonitor | quarantine}   Enable/disable SMTP AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable SMTP antivirus scanning.
                    avmonitor   Enable SMTP antivirus logging.
                    quarantine  Enable SMTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                    default  Perform standard AntiVirus scanning of Windows executable files.
                    virus    Treat Windows executables as viruses.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
            set content-disarm {disable | enable}   Enable Content Disarm and Reconstruction for this protocol.
        config mapi
            set options {scan | avmonitor | quarantine}   Enable/disable MAPI AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable MAPI antivirus scanning.
                    avmonitor   Enable MAPI antivirus logging.
                    quarantine  Enable MAPI antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                    default  Perform standard AntiVirus scanning of Windows executable files.
                    virus    Treat Windows executables as viruses.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
        config nntp
            set options {scan | avmonitor | quarantine}   Enable/disable NNTP AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable NNTP antivirus scanning.
                    avmonitor   Enable NNTP antivirus logging.
                    quarantine  Enable NNTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
        config smb
            set options {scan | avmonitor | quarantine}   Enable/disable SMB AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable SMB antivirus scanning.
                    avmonitor   Enable SMB antivirus logging.
                    quarantine  Enable SMB antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
        config nac-quar
            set infected {none | quar-src-ip}   Enable/Disable quarantining infected hosts to the banned user list.
                    none         Do not quarantine infected hosts.
                    quar-src-ip  Quarantine all traffic from the infected hosts source IP.
            set expiry {string}   Duration of quarantine.
            set log {enable | disable}   Enable/disable AntiVirus quarantine logging.
        config content-disarm
            set original-file-destination {fortisandbox | quarantine | discard}   Destination to send original file if active content is removed.
                    fortisandbox  Send original file to configured FortiSandbox.
                    quarantine    Send original file to quarantine.
                    discard       Original file will be discarded after content disarm.
            set office-macro {disable | enable}   Enable/disable stripping of macros in Microsoft Office documents.
            set office-hylink {disable | enable}   Enable/disable stripping of hyperlinks in Microsoft Office documents.
            set office-linked {disable | enable}   Enable/disable stripping of linked objects in Microsoft Office documents.
            set office-embed {disable | enable}   Enable/disable stripping of embedded objects in Microsoft Office documents.
            set pdf-javacode {disable | enable}   Enable/disable stripping of JavaScript code in PDF documents.
            set pdf-embedfile {disable | enable}   Enable/disable stripping of embedded files in PDF documents.
            set pdf-hyperlink {disable | enable}   Enable/disable stripping of hyperlinks from PDF documents.
            set pdf-act-gotor {disable | enable}   Enable/disable stripping of links to other PDFs in PDF documents.
            set pdf-act-launch {disable | enable}   Enable/disable stripping of links to external applications in PDF documents.
            set pdf-act-sound {disable | enable}   Enable/disable stripping of embedded sound files in PDF documents.
            set pdf-act-movie {disable | enable}   Enable/disable stripping of embedded movies in PDF documents.
            set pdf-act-java {disable | enable}   Enable/disable stripping of actions that execute JavaScript code in PDF documents.
            set pdf-act-form {disable | enable}   Enable/disable stripping of actions that submit data to other targets in PDF documents.
            set cover-page {disable | enable}   Enable/disable inserting a cover page into the disarmed document.
            set detect-only {disable | enable}   Enable/disable only detect disarmable files, do not alter content.
        set av-virus-log {enable | disable}   Enable/disable AntiVirus logging.
        set av-block-log {enable | disable}   Enable/disable logging for AntiVirus file blocking.
        set extended-log {enable | disable}   Enable/disable extended logging for antivirus.
        set scan-mode {quick | full}   Choose between full scan mode and quick scan mode.
                quick  Use quick mode scanning. Quick mode uses a smaller database and may be less accurate. Full mode is recommended.
                full   Full mode virus scanning. Recommended scanning mode. More accurate than quick mode with similar performance.
    next
end

Additional information

The following section is for those options that require additional explanation.

analytics-bl-filetype {1 | 2 | <filepattern_id>}

Note: This entry is only available when ftgd-analytics is set to either suspicious or everything.

File type pattern to blacklist and submit to FortiGuard Analytics:

  • 1: Builtin patterns
  • 2: All executables
  • <filepattern_id>: Identifier of a defined filepattern. See DLP filepattern for more information.

analytics-db {enable | disable}

Enable or disable (by default) using antivirus signatures from the FortiSandbox's database as well as signatures from the FortiGate.

analytics-max-upload <mb>

Note: This entry is only available when ftgd-analytics is set to either suspicious or everything.

Maximum file size that can be scanned in megabytes. Set the value between 1-200. The default value is set to 10.

analytics-wl-filetype {1 | 2 | <filepattern_id>}

Note: This entry is only available when ftgd-analytics is set to either suspicious or everything.

File type pattern to whitelist and submit to FortiGuard Analytics:

  • 1: Builtin patterns
  • 2: All executables
  • <filepattern_id>: Identifier of a defined filepattern. See DLP filepattern for more information.

av-block-log {enable | disable}

Enable (by default) or disable logging files that are blocked by antivirus.

av-virus-log {enable | disable}

Enable (by default) or disable logging for antivirus scanning.

ftgd-analytics {disable | suspicious | everything}

Choose which files are sent to FortiSandbox for further inspection. Select between the following options:

  • disable: No files are sent for inspection (set by default).
  • suspicious: Files that the antivirus engine deems suspicious as sent for inspection.
  • everything: All files are sent for inspection.

inspection-mode {proxy | flow-based}

Set the inspection mode. Select between the following options:

  • proxy: Scanning reconstructs content passing through the FortiGate unit and inspects the content for security threats.
  • flow-based: Scanning takes a snapshot of content packets and uses pattern matching to identify security threats in the content (set by default).

mobile-malware-db {enable | disable}

Enable (by default) or disable using antivirus signatures from the mobile malware signature database as well as signatures from the FortiGate.

replacemsg-group <group-name>

Set a replacement message group to use with antivirus scanning.

scan-mode {quick | full}

Note: This entry is only available when inspection-mode is set to flow-based.

Choose which scan mode to use for antivirus inspection. Select from the following options:

  • quick: This mode uses a compact antivirus database and advanced techniques to improve performance.
  • full: In this mode, content packets are buffered while simultaneously being sent to their destination (set by default).

config {http | ftp | imap | pop3 | smtp | mapi | nntp | smb}

Note: MAPI and NNTP are not configurable for all FortiGate models.

Configure how this profile handles specific protocols.

archive-block {encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled}

Set which types of archived files to block.

archive-log {encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled}

Set which types of archived files to log.

content-disarm {enable | disable}

Note: This entry is only available when inspection-mode of the profile is set to proxy.

Enable or disable (by default) Content Disarm and Reconstruction (CDR) for this protocol. CDR is used to remove exploitable content and replace it with content that is known to be safe. As the files are processed through an enabled Proxy-based AntiVirus profile, content that is deemed malicious or unsafe is replaced with content that will allow the traffic to continue, but not put the recipient at risk. Archived ZIP folders can also be processed.

The use of CDR is enabled or disabled separately for each protocol in the profile. This feature is not supported for FTP or MAPI.

Once enabled, a warning will appear showing that all original files subjected to CDR will be discarded. Use the config content disarm configuration method to set various CDR options, including the original-file-destination in order to retrieve the original files.

emulator {enable | disable}

Enable (by default) or disable the virus emulator.

executables {default | virus}

Note: This entry is only available when configuring IMAP, POP3, SMTP, and MAPI.

Set how this profile treats executable files sent with this protocol. Select from the following options:

  • default: Perform standard antivirus scanning (set by default).
  • virus: Treat executable files as viruses.

options {scan | avmonitor | quarantine}

Set an action to apply to traffic using this protocol. Select from the following options:

  • scan: Scan files transferred using this protocol for viruses.
  • avmonitor: Log detected viruses, but allow them through the firewall without modification.
  • quarantine: Quarantine files that contain viruses. This feature is available for FortiGates with a hard disk or those connected to a FortiAnalyzer.

config nac-quar

Configure the quarantine settings for this profile.

expiry <duration>

Note: This entry is only available when infected is set to quar-src-ip.

Set the duration of the quarantine in the days, hours, minutes format <###d##h##m>. The default is 5 minutes.

infected {none | quar-src-ip}

Set which infected hosts are added to the banned user list. Select from the following options:

  • none: No hosts are banned (set by default).
  • quar-src-ip: All traffic from the source IP is banned.

log {enable | disable}

Enable or disable (by default) logging for antivirus quarantines.

config content disarm

Use this configuration method to set AntiVirus CDR settings, including an original file destination for files to be sent to (if not discarded), and enable or disable stripping of various content such as hyperlinks and embedded objects in various document types.

antivirus profile

Create and configure antivirus profiles that can be applied to firewall policies. Antivirus profiles configure how virus scanning is applied to sessions accepted by a firewall policy that includes the antivirus profile.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

config <protocol>

set content-disarm {enable | disable}

end

config content-disarm

set original-file-destination {fortisandbox | quarantine | discard}

set office-macro {enable | disable}

set office-hylink {enable | disable}

set office-linked {enable | disable}

set office-embed {enable | disable}

set pdf-javacode {enable | disable}

set pdf-embedfile {enable | disable}

set pdf-act-gotor {enable | disable}

set pdf-act-launch {enable | disable}

set pdf-act-uri {enable | disable}

set pdf-act-sound {enable | disable}

set pdf-act-movie {enable | disable}

set pdf-act-java {enable | disable}

set pdf-act-form {enable | disable}

set cover-page {enable | disable}

set detect-only {enable | disable}

next

...

Content Disarm and Reconstruction (CDR) is used to remove exploitable content and replace it with content that is known to be safe. The use of CDR is enabled or disabled separately for each protocol in the profile.

Note that all CDR commands are only available when you set the profile's inspection-mode to proxy; CDR is not supported in Flow mode.

set extended-log {enable | disable}

When extended UTM log is enabled, more HTTP header information will be logged when a UTM event happens.

Note that the following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for.

config <protocol>

set outbreak-prevention {disabled | files | full-archive}

next

...

Outbreak prevention uses checksums to filter files in order to preempt and prevent quick virus outbreaks before AV signatures are created.

Setting full-archive analyzes files including the contents of archives, as opposed to files which does not include the contents of archives.

Note that outbreak-prevention is only available when options is set to scan.

config <protocol>

set archive-block {partiallycorrupted | fileslimit | timeout | ...}

set archive-log {partiallycorrupted | fileslimit | timeout | ...}

next

...

Additional options for file blocking and event logging of certain AntiVirus errors. Determine whether to block partially corrupted archives, exceeded archive files limit, and/or log scan timeout.
config antivirus profile
    edit {name}
    # Configure AntiVirus profiles.
        set name {string}   Profile name. size[35]
        set comment {string}   Comment. size[255]
        set replacemsg-group {string}   Replacement message group customized for this profile. size[35] - datasource(s): system.replacemsg-group.name
        set inspection-mode {proxy | flow-based}   Inspection mode.
                proxy       Proxy-based inspection.
                flow-based  Flow-based inspection.
        set ftgd-analytics {disable | suspicious | everything}   Settings to control which files are uploaded to FortiSandbox.
                disable     Do not upload files to FortiSandbox.
                suspicious  Submit files supported by FortiSandbox if heuristics or other methods determine they are suspicious.
                everything  Submit all files scanned by AntiVirus to FortiSandbox. AntiVirus may not scan all files.
        set analytics-max-upload {integer}   Maximum size of files that can be uploaded to FortiSandbox (1 - 395 MBytes, default = 10). range[1-1606]
        set analytics-wl-filetype {integer}   Do not submit files matching this DLP file-pattern to FortiSandbox. range[0-4294967295] - datasource(s): dlp.filepattern.id
        set analytics-bl-filetype {integer}   Only submit files matching this DLP file-pattern to FortiSandbox. range[0-4294967295] - datasource(s): dlp.filepattern.id
        set analytics-db {disable | enable}   Enable/disable using the FortiSandbox signature database to supplement the AV signature databases.
        set mobile-malware-db {disable | enable}   Enable/disable using the mobile malware signature database.
        config http
            set options {scan | avmonitor | quarantine}   Enable/disable HTTP AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable HTTP antivirus scanning.
                    avmonitor   Enable HTTP antivirus logging.
                    quarantine  Enable HTTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
            set content-disarm {disable | enable}   Enable Content Disarm and Reconstruction for this protocol.
        config ftp
            set options {scan | avmonitor | quarantine}   Enable/disable FTP AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable FTP antivirus scanning.
                    avmonitor   Enable FTP antivirus logging.
                    quarantine  Enable FTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
        config imap
            set options {scan | avmonitor | quarantine}   Enable/disable IMAP AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable IMAP antivirus scanning.
                    avmonitor   Enable IMAP antivirus logging.
                    quarantine  Enable IMAP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                    default  Perform standard AntiVirus scanning of Windows executable files.
                    virus    Treat Windows executables as viruses.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
            set content-disarm {disable | enable}   Enable Content Disarm and Reconstruction for this protocol.
        config pop3
            set options {scan | avmonitor | quarantine}   Enable/disable POP3 AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable POP3 antivirus scanning.
                    avmonitor   Enable POP3 antivirus logging.
                    quarantine  Enable POP3 antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                    default  Perform standard AntiVirus scanning of Windows executable files.
                    virus    Treat Windows executables as viruses.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
            set content-disarm {disable | enable}   Enable Content Disarm and Reconstruction for this protocol.
        config smtp
            set options {scan | avmonitor | quarantine}   Enable/disable SMTP AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable SMTP antivirus scanning.
                    avmonitor   Enable SMTP antivirus logging.
                    quarantine  Enable SMTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                    default  Perform standard AntiVirus scanning of Windows executable files.
                    virus    Treat Windows executables as viruses.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
            set content-disarm {disable | enable}   Enable Content Disarm and Reconstruction for this protocol.
        config mapi
            set options {scan | avmonitor | quarantine}   Enable/disable MAPI AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable MAPI antivirus scanning.
                    avmonitor   Enable MAPI antivirus logging.
                    quarantine  Enable MAPI antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                    default  Perform standard AntiVirus scanning of Windows executable files.
                    virus    Treat Windows executables as viruses.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
        config nntp
            set options {scan | avmonitor | quarantine}   Enable/disable NNTP AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable NNTP antivirus scanning.
                    avmonitor   Enable NNTP antivirus logging.
                    quarantine  Enable NNTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
        config smb
            set options {scan | avmonitor | quarantine}   Enable/disable SMB AntiVirus scanning, monitoring, and quarantine.
                    scan        Enable SMB antivirus scanning.
                    avmonitor   Enable SMB antivirus logging.
                    quarantine  Enable SMB antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted           Block encrypted archives.
                    corrupted           Block corrupted archives.
                    partiallycorrupted  Block partially corrupted archives.
                    multipart           Block multipart archives.
                    nested              Block nested archives.
                    mailbomb            Block mail bomb archives.
                    fileslimit          Block exceeded archive files limit.
                    timeout             Block scan timeout.
                    unhandled           Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted           Log encrypted archives.
                    corrupted           Log corrupted archives.
                    partiallycorrupted  Log partially corrupted archives.
                    multipart           Log multipart archives.
                    nested              Log nested archives.
                    mailbomb            Log mail bomb archives.
                    fileslimit          Log exceeded archive files limit.
                    timeout             Log scan timeout.
                    unhandled           Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled      Disabled.
                    files         Analyze files as sent, not the content of archives.
                    full-archive  Analyze files including the content of archives.
        config nac-quar
            set infected {none | quar-src-ip}   Enable/Disable quarantining infected hosts to the banned user list.
                    none         Do not quarantine infected hosts.
                    quar-src-ip  Quarantine all traffic from the infected hosts source IP.
            set expiry {string}   Duration of quarantine.
            set log {enable | disable}   Enable/disable AntiVirus quarantine logging.
        config content-disarm
            set original-file-destination {fortisandbox | quarantine | discard}   Destination to send original file if active content is removed.
                    fortisandbox  Send original file to configured FortiSandbox.
                    quarantine    Send original file to quarantine.
                    discard       Original file will be discarded after content disarm.
            set office-macro {disable | enable}   Enable/disable stripping of macros in Microsoft Office documents.
            set office-hylink {disable | enable}   Enable/disable stripping of hyperlinks in Microsoft Office documents.
            set office-linked {disable | enable}   Enable/disable stripping of linked objects in Microsoft Office documents.
            set office-embed {disable | enable}   Enable/disable stripping of embedded objects in Microsoft Office documents.
            set pdf-javacode {disable | enable}   Enable/disable stripping of JavaScript code in PDF documents.
            set pdf-embedfile {disable | enable}   Enable/disable stripping of embedded files in PDF documents.
            set pdf-hyperlink {disable | enable}   Enable/disable stripping of hyperlinks from PDF documents.
            set pdf-act-gotor {disable | enable}   Enable/disable stripping of links to other PDFs in PDF documents.
            set pdf-act-launch {disable | enable}   Enable/disable stripping of links to external applications in PDF documents.
            set pdf-act-sound {disable | enable}   Enable/disable stripping of embedded sound files in PDF documents.
            set pdf-act-movie {disable | enable}   Enable/disable stripping of embedded movies in PDF documents.
            set pdf-act-java {disable | enable}   Enable/disable stripping of actions that execute JavaScript code in PDF documents.
            set pdf-act-form {disable | enable}   Enable/disable stripping of actions that submit data to other targets in PDF documents.
            set cover-page {disable | enable}   Enable/disable inserting a cover page into the disarmed document.
            set detect-only {disable | enable}   Enable/disable only detect disarmable files, do not alter content.
        set av-virus-log {enable | disable}   Enable/disable AntiVirus logging.
        set av-block-log {enable | disable}   Enable/disable logging for AntiVirus file blocking.
        set extended-log {enable | disable}   Enable/disable extended logging for antivirus.
        set scan-mode {quick | full}   Choose between full scan mode and quick scan mode.
                quick  Use quick mode scanning. Quick mode uses a smaller database and may be less accurate. Full mode is recommended.
                full   Full mode virus scanning. Recommended scanning mode. More accurate than quick mode with similar performance.
    next
end

Additional information

The following section is for those options that require additional explanation.

analytics-bl-filetype {1 | 2 | <filepattern_id>}

Note: This entry is only available when ftgd-analytics is set to either suspicious or everything.

File type pattern to blacklist and submit to FortiGuard Analytics:

  • 1: Builtin patterns
  • 2: All executables
  • <filepattern_id>: Identifier of a defined filepattern. See DLP filepattern for more information.

analytics-db {enable | disable}

Enable or disable (by default) using antivirus signatures from the FortiSandbox's database as well as signatures from the FortiGate.

analytics-max-upload <mb>

Note: This entry is only available when ftgd-analytics is set to either suspicious or everything.

Maximum file size that can be scanned in megabytes. Set the value between 1-200. The default value is set to 10.

analytics-wl-filetype {1 | 2 | <filepattern_id>}

Note: This entry is only available when ftgd-analytics is set to either suspicious or everything.

File type pattern to whitelist and submit to FortiGuard Analytics:

  • 1: Builtin patterns
  • 2: All executables
  • <filepattern_id>: Identifier of a defined filepattern. See DLP filepattern for more information.

av-block-log {enable | disable}

Enable (by default) or disable logging files that are blocked by antivirus.

av-virus-log {enable | disable}

Enable (by default) or disable logging for antivirus scanning.

ftgd-analytics {disable | suspicious | everything}

Choose which files are sent to FortiSandbox for further inspection. Select between the following options:

  • disable: No files are sent for inspection (set by default).
  • suspicious: Files that the antivirus engine deems suspicious as sent for inspection.
  • everything: All files are sent for inspection.

inspection-mode {proxy | flow-based}

Set the inspection mode. Select between the following options:

  • proxy: Scanning reconstructs content passing through the FortiGate unit and inspects the content for security threats.
  • flow-based: Scanning takes a snapshot of content packets and uses pattern matching to identify security threats in the content (set by default).

mobile-malware-db {enable | disable}

Enable (by default) or disable using antivirus signatures from the mobile malware signature database as well as signatures from the FortiGate.

replacemsg-group <group-name>

Set a replacement message group to use with antivirus scanning.

scan-mode {quick | full}

Note: This entry is only available when inspection-mode is set to flow-based.

Choose which scan mode to use for antivirus inspection. Select from the following options:

  • quick: This mode uses a compact antivirus database and advanced techniques to improve performance.
  • full: In this mode, content packets are buffered while simultaneously being sent to their destination (set by default).

config {http | ftp | imap | pop3 | smtp | mapi | nntp | smb}

Note: MAPI and NNTP are not configurable for all FortiGate models.

Configure how this profile handles specific protocols.

archive-block {encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled}

Set which types of archived files to block.

archive-log {encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled}

Set which types of archived files to log.

content-disarm {enable | disable}

Note: This entry is only available when inspection-mode of the profile is set to proxy.

Enable or disable (by default) Content Disarm and Reconstruction (CDR) for this protocol. CDR is used to remove exploitable content and replace it with content that is known to be safe. As the files are processed through an enabled Proxy-based AntiVirus profile, content that is deemed malicious or unsafe is replaced with content that will allow the traffic to continue, but not put the recipient at risk. Archived ZIP folders can also be processed.

The use of CDR is enabled or disabled separately for each protocol in the profile. This feature is not supported for FTP or MAPI.

Once enabled, a warning will appear showing that all original files subjected to CDR will be discarded. Use the config content disarm configuration method to set various CDR options, including the original-file-destination in order to retrieve the original files.

emulator {enable | disable}

Enable (by default) or disable the virus emulator.

executables {default | virus}

Note: This entry is only available when configuring IMAP, POP3, SMTP, and MAPI.

Set how this profile treats executable files sent with this protocol. Select from the following options:

  • default: Perform standard antivirus scanning (set by default).
  • virus: Treat executable files as viruses.

options {scan | avmonitor | quarantine}

Set an action to apply to traffic using this protocol. Select from the following options:

  • scan: Scan files transferred using this protocol for viruses.
  • avmonitor: Log detected viruses, but allow them through the firewall without modification.
  • quarantine: Quarantine files that contain viruses. This feature is available for FortiGates with a hard disk or those connected to a FortiAnalyzer.

config nac-quar

Configure the quarantine settings for this profile.

expiry <duration>

Note: This entry is only available when infected is set to quar-src-ip.

Set the duration of the quarantine in the days, hours, minutes format <###d##h##m>. The default is 5 minutes.

infected {none | quar-src-ip}

Set which infected hosts are added to the banned user list. Select from the following options:

  • none: No hosts are banned (set by default).
  • quar-src-ip: All traffic from the source IP is banned.

log {enable | disable}

Enable or disable (by default) logging for antivirus quarantines.

config content disarm

Use this configuration method to set AntiVirus CDR settings, including an original file destination for files to be sent to (if not discarded), and enable or disable stripping of various content such as hyperlinks and embedded objects in various document types.