Handbook

6.0.0

Techniques

The FortiGate applies the following antivirus techniques to scan traffic for threats.

Virus scan

If the file passes the file pattern scan, the FortiGate unit applies a virus scan to it. The virus definitions are kept up-to-date through the FortiGuard Distribution Network (FDN).

Grayware protection

If the file passes the virus scan, it can be checked for grayware. Grayware scanning is optional and must be enabled in the CLI if grayware is to be detected alongside other malware. Grayware cannot be scanned for on its own: although it runs as a separate step, antivirus scanning must also be enabled.

To enable grayware detection enter the following in the CLI:

config antivirus settings
    set grayware enable
end

To disable grayware detection enter the following in the CLI:

config antivirus settings
    set grayware disable
end

Grayware signatures are kept up to date in the same manner as the antivirus definitions.

Heuristics

After an incoming file has passed the grayware scan, it is subjected to the heuristics scan. The FortiGate heuristic antivirus engine, if enabled, performs tests on the file to detect virus-like behavior or known virus indicators. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results. You configure heuristics from the CLI.

To set heuristics, enter the following in the CLI:

config antivirus heuristic
    set mode {pass | block | disable}
end

  • “block” enables heuristics; any file determined to be malware is blocked from entering the network.
  • “pass” enables heuristics, but any file determined to be malware is still allowed to pass through to the recipient.
  • “disable” turns off heuristics.

FortiGuard AntiVirus

The FortiGuard Antivirus services are included in the regular FortiGuard subscription and include automatic updates of antivirus engines and definitions as well as a DNS blocklist (DNSBL) through the FortiGuard Distribution Network (FDN).

To ensure that your system receives the most protection available, all virus definitions and signatures are updated regularly through the FortiGuard AntiVirus services. To configure this feature, go to System > FortiGuard. Under AntiVirus & IPS Updates, enable Scheduled Updates. From here you can schedule updates to occur on a consistent weekly, daily, or even hourly basis.

Note: Updating antivirus definitions can cause a short disruption of traffic being scanned while the FortiGate unit applies the new signature database. Schedule updates for time periods when traffic is light to minimize disruption.

Botnet protection

A botnet is a network of Internet-connected computers that have been covertly usurped to forward transmissions to other computers on the Internet on behalf of a “master”. These transmissions can be minimally damaging, such as spam, or they can critically impact a target, as when used to launch a Distributed Denial of Service attack.

Any such computer is referred to as a zombie: in effect, a computer “robot” or “bot” that serves the wishes of some master spam or virus originator. Most computers compromised in this way are home-based.

The latest botnet database is available from FortiGuard. To see the version of the database and display its contents, go to System > FortiGuard > AntiVirus, where the Botnet IPs and Botnet Domains entries are shown. You can also block, monitor, or allow outgoing connections to botnet sites for each FortiGate interface.

Quarantine / Source IP ban

As of FortiOS 5.2, quarantine was a place where traffic content was held in storage where it couldn’t interact with the network or system. This was removed, but the term quarantine was kept to describe keeping selected source IPs from interacting with the network and protected systems. This source IP ban is kept in the kernel rather than in any specific application engine and can be queried through APIs. The features that can use these APIs to access and act on the banned source IP addresses are antivirus, DLP, DoS, and IPS. Both IPv4 and IPv6 addresses are covered by this feature.

You quarantine a source address through the GUI. Go to FortiView > Sources. Right-click on the source address you wish to quarantine and select Quarantine Source Address. You can set the duration of the quarantine in days, hours, minutes, or seconds. A User Quarantine ban can be removed in Monitor > User Quarantine Monitor.

To configure the AntiVirus security profile so that the source IP address of an infected file is added to the quarantine, that is, to the list of banned source IP addresses, enter the following in the CLI:

config antivirus profile
    edit <name of profile>
        config nac-quar
            set infected quar-src-ip
            set expiry 5m
        end
    next
end

If the quar-src-ip action is used, the additional expiry variable becomes available. It determines how long the source IP address will be blocked. In the CLI the option is called expiry and the duration is given in the format <###d##h##m>. The maximum days value is 364, the maximum hours value is 23, and the maximum minutes value is 59. The default is 5 minutes.
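The expiry format and the kernel-held banned-source-IP table described above, modelled as an added Python example. This is not FortiOS code and not a Fortinet API: the limits (364 days, 23 hours, 59 minutes) and the 5 minute default come from the handbook text, while `parse_expiry`, `expiry_error`, the `SourceIPBanList` class and the decision to reject a zero-length ban are assumptions made for the example. The sample addresses are constructed documentation-range values.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Union

# Limits the handbook gives for the nac-quar expiry option (<###d##h##m>).
MAX_DAYS, MAX_HOURS, MAX_MINUTES = 364, 23, 59
DEFAULT_EXPIRY = "5m"  # the documented default

# Optional day, hour and minute fields, in that order, each at most once.
_EXPIRY_RE = re.compile(r"^(?:(\d{1,3})d)?(?:(\d{1,2})h)?(?:(\d{1,2})m)?$")


def parse_expiry(text: Optional[str]) -> int:
    """Return the ban duration in seconds for a ###d##h##m string.

    An empty or missing value falls back to the documented 5 minute default.
    Raises ValueError for a malformed string or a field over its maximum.
    """
    if text is None or not text.strip():
        text = DEFAULT_EXPIRY
    m = _EXPIRY_RE.match(text.strip())
    if m is None or not any(m.groups()):
        raise ValueError(f"malformed expiry {text!r}, expected ###d##h##m")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    for name, value, limit in (("days", days, MAX_DAYS),
                               ("hours", hours, MAX_HOURS),
                               ("minutes", minutes, MAX_MINUTES)):
        if value > limit:
            raise ValueError(f"{name}={value} exceeds maximum {limit}")
    seconds = days * 86400 + hours * 3600 + minutes * 60
    if seconds == 0:
        # Assumption for this example: a zero-length ban is a mistake, not a no-op.
        raise ValueError("expiry must be longer than zero")
    return seconds


def expiry_error(text: Optional[str]) -> Optional[str]:
    """Validation helper: None when the value is acceptable, else the reason."""
    try:
        parse_expiry(text)
    except ValueError as exc:
        return str(exc)
    return None


IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class SourceIPBanList:
    """Hypothetical model of the kernel-held banned source IP table.

    Entries are keyed by parsed address so IPv4 and IPv6 are both accepted,
    and each entry carries the absolute time at which the ban lapses.
    """
    _bans: Dict[IPAddress, float] = field(default_factory=dict)

    def ban(self, ip: str, expiry: Optional[str], now: float) -> float:
        """Ban ip for the given expiry (default 5m); returns the lapse time."""
        addr = ipaddress.ip_address(ip)
        until = now + parse_expiry(expiry)
        self._bans[addr] = until
        return until

    def is_banned(self, ip: str, now: float) -> bool:
        """The query a scanning engine (AV, DLP, DoS, IPS) would make."""
        addr = ipaddress.ip_address(ip)
        until = self._bans.get(addr)
        if until is None:
            return False
        if now >= until:
            del self._bans[addr]  # lapsed: drop it so the table stays small
            return False
        return True

    def unban(self, ip: str) -> bool:
        """Manual removal, as done in Monitor > User Quarantine Monitor."""
        return self._bans.pop(ipaddress.ip_address(ip), None) is not None


if __name__ == "__main__":
    bans = SourceIPBanList()
    lapse = bans.ban("192.0.2.10", "1d2h3m", now=0.0)  # constructed sample
    print("banned until", lapse, "still banned at t=10:", bans.is_banned("192.0.2.10", 10.0))
    print("rejected:", expiry_error("365d"))
```

Passing `now` explicitly keeps the table deterministic to test; a real implementation would read a monotonic clock inside `ban` and `is_banned`.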
