Fortinet Document Library

New Features

6.2.0

CIFS Support

This version supports file-type filtering and antivirus scanning for proxy-based inspection on CIFS traffic.

The CIFS file filter inspects the first 4 kB of a file to identify the file's magic number; the file name is not used. If a match occurs, CIFS file filtering prevents the CIFS command that carries that file from running.

This feature also introduces a new security profile called cifs-profile which handles the configuration for file-type filtering on CIFS.

The antivirus profile still handles the antivirus configuration for CIFS scanning.

Requirements

The firewall policy must be set to Proxy inspection mode for a CIFS profile to be available for assignment to the policy.

The following are not supported by CIFS scanning in proxy inspection mode:

  • File types and infections within archive files cannot be detected.
  • Oversized files cannot be detected.
  • Special-condition archive files (encrypted, corrupted, mailbomb, and so on) flagged by the AV engine are blocked automatically.
  • IPv6 CIFS traffic is not supported.

Sample configuration

You must use CLI to configure this feature.

CIFS domain controller configuration

The domain controller configuration is necessary when CIFS traffic is encrypted, as it is with SMB 3.0.

This configuration tells the FortiGate where the domain controller is in the network and gives it the superuser credentials.

Both are needed to decrypt SMB 3.0 traffic.

FGT_PROXY (vdom1) # config cifs
domain-controller    Define known domain controller servers.
profile              Configure CIFS profile.

FGT_PROXY (vdom1) # config cifs domain-controller

FGT_PROXY (domain-controller) # edit DOMAIN
new entry 'DOMAIN' added

FGT_PROXY (DOMAIN) # set ?
*domain-name    Fully qualified domain name (FQDN). E.g. 'EXAMPLE.COM'.
*username       User name to sign in with. Must have proper permissions for service.
*password       Password for specified username.
port           Port number of service. Port number 0 indicates automatic discovery.
ip             IPv4 server address.
ip6            IPv6 server address.

FGT_PROXY (DOMAIN) # show
config cifs domain-controller
    edit "DOMAIN"
        set domain-name "EXAMPLE.COM"
        set username "admin-super"
        set password ENC 1mKKNo0z95t/+9B9IisyLsSfevTNRePp6mFk+dtDdZ7r2V8CYUrXp7kcxVauWpdHYlQsrY8g2Ypo+UYDsBUxELDpfLYC7C31rCm6WD0jYiRcQ/kZhWpwB5Dl3W7Z9865r/ntVu1YCsWex/+MnnMYyzFXaNJriXuPLYKEv2fe79NpmSuvouEMvc6zgPPBbXE+28SHzA==
        set ip 172.16.201.40
    next
end

Sample profile configuration for deep CIFS inspection (for SMB 3.0)

FGT_PROXY (vdom1) # config cifs profile

FGT_PROXY (profile) # edit cifs

FGT_PROXY (cifs) # set ?
*server-credential-type    CIFS server credential type.

FGT_PROXY (cifs) # set server-credential-type ?
none                      Credential derivation not set.
credential-replication    Credential derived using Replication account on Domain Controller.
credential-keytab         Credential derived using server keytab.
No-Encryption

none is the default for the CIFS profile's server-credential-type parameter. When none is set, the profile assumes the CIFS traffic is unencrypted (as with SMB 2.0).

Account-Replication

With this method, FortiOS obtains the session key from the domain controller by logging in with the superuser account.

When credential-replication is set, the domain-controller parameter becomes available and a domain controller must be specified.

For an example of the domain controller entry, see the CIFS domain controller configuration section above.

FGT_PROXY (vdom1) # config cifs profile

FGT_PROXY (profile) # edit cifs

FGT_PROXY (cifs) # set server-credential-type credential-replication

FGT_PROXY (cifs) # set ?
*server-credential-type    CIFS server credential type.
*domain-controller         Domain for which to decrypt CIFS traffic.

FGT_PROXY (cifs) # set domain-controller ?
<string>    please input string value
DOMAIN  domain-controller

FGT_PROXY (cifs) # set domain-controller DOMAIN

FGT_PROXY (cifs) # show
config cifs profile
    edit "cifs"
        set server-credential-type credential-replication
        config file-filter
            config entries
            end
        end
        set domain-controller "DOMAIN"
    next
end

Keytab

With this method, FortiOS uses one or more keytab values to decrypt the CIFS traffic.

Use this method when the SMB connection is authenticated by Kerberos.

When credential-keytab is set, the keytab table server-keytab becomes available and keytab entries can be configured.

Unlike the domain controller password, which the configuration shows as an ENC value, keytab values are stored in the FortiOS configuration in plain text.

FGT_PROXY (vdom1) # config cifs profile

FGT_PROXY (profile) # edit cifs

FGT_PROXY (cifs) # set server-credential-type credential-keytab

FGT_PROXY (cifs) # config
file-filter      File filter.
server-keytab    Server keytab.

FGT_PROXY (cifs) # config server-keytab

FGT_PROXY (server-keytab) # edit keytab1

FGT_PROXY (keytab1) # set ?
*keytab    Base64 encoded keytab file containing credential of the server.

FGT_PROXY (keytab1) # set keytab BQIAAABFAAEAC0VYQU1QTEUuQ09NAAdleGFtcGxlAAAAAVUmAlwBABIAILdV5P6NXT8RrTvapcMJQxDYCjRQiD0BzxhwS9h0VgyM

FGT_PROXY (keytab1) # end

FGT_PROXY (cifs) # show
config cifs profile
    edit "cifs"
        set server-credential-type credential-keytab
        config file-filter
        end
        config server-keytab
            edit "keytab1"
                set keytab "BQIAAABFAAEAC0VYQU1QTEUuQ09NAAdleGFtcGxlAAAAAVUmAlwBABIAILdV5P6NXT8RrTvapcMJQxDYCjRQiD0BzxhwS9h0VgyM"
            next
        end
    next
end

CIFS profile file filtering

This filter has two configurable parameters:

  • status - Enables or disables the file filter. Default is enable.
  • log - Enables or disables CIFS event logs when a file is detected. Default is enable.

FGT_PROXY (vdom1) # config cifs profile

FGT_PROXY (profile) # edit cifs

FGT_PROXY (cifs) # config file-filter

FGT_PROXY (file-filter) # set ?
status    Enable/disable file filter.
log       Enable/disable file filter logging.

FGT_PROXY (file-filter) # set status ?
enable     Enable file filter.
disable    Disable file filter.

FGT_PROXY (file-filter) # set log ?
enable     Enable file filter logging.
disable    Disable file filter logging.

CIFS profile file filter entries

The configurable parameters for each entry are:

  • action - Blocks or monitors the detected file type. Default is log.
  • direction - Sets the direction of traffic which the filter should be applied to. Default value is any.
  • file-type - The file type to be detected. Default is blank (unset).

FGT_PROXY (file-filter) # config entries

FGT_PROXY (entries) # edit 1

FGT_PROXY (1) # set ?
comment      Comment.
action       Action taken for matched file.
direction    Match files transmitted in the session's originating or reply direction.
file-type    Select file type.

FGT_PROXY (1) # set action ?
log      Allow the content and write a log message.
block    Block the content and write a log message.

FGT_PROXY (1) # set direction ?
incoming    Match files transmitted in the session's originating direction.
outgoing    Match files transmitted in the session's reply direction.
any         Match files transmitted in the session's originating and reply direction.

FGT_PROXY (1) # set file-type ?
name            File type name.
7z              Match 7-zip files.
arj             Match arj compressed files.
cab             Match Windows cab files.
lzh             Match lzh compressed files.
rar             Match rar archives.
tar             Match tar files.
zip             Match zip files.
bzip            Match bzip files.
gzip            Match gzip files.
bzip2           Match bzip2 files.
xz              Match xz files.
bat             Match Windows batch files.
msc             Match msc files.
uue             Match uue files.
mime            Match mime files.
base64          Match base64 files.
binhex          Match binhex files.
bin             Match bin files.
elf             Match elf files.
exe             Match Windows executable files.
hta             Match hta files.
html            Match html files.
jad             Match jad files.
class           Match class files.
cod             Match cod files.
javascript      Match javascript files.
msoffice        Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex       Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
fsg             Match fsg files.
upx             Match upx files.
petite          Match petite files.
aspack          Match aspack files.
prc             Match prc files.
sis             Match sis files.
hlp             Match Windows help files.
activemime      Match activemime files.
jpeg            Match jpeg files.
gif             Match gif files.
tiff            Match tiff files.
png             Match png files.
bmp             Match bmp files.
ignored         Match ignored files.
unknown         Match unknown files.
mpeg            Match mpeg files.
mov             Match mov files.
mp3             Match mp3 files.
wma             Match wma files.
wav             Match wav files.
pdf             Match Acrobat pdf files.
avi             Match avi files.
rm              Match rm files.
torrent         Match torrent files.
msi             Match Windows Installer msi files.
mach-o          Match Mach object files.
dmg             Match Apple disk image files.
.net            Match .NET files.
xar             Match xar archive files.
chm             Match Windows compiled HTML help files.
iso             Match ISO archive files.
crx             Match Chrome extension files.
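How the magic-number lookup and the file-filter entry matching described above fit together, as an added Python example (not FortiOS code): the signature table is an illustrative subset keyed by this page's file-type names, the entries and file heads are constructed to mirror the sample logs in the Logs & Report section, and the real FortiOS signature set is assumed rather than known.

```python
"""Content-based file typing and filter-entry matching for a CIFS file filter.

Added example, not FortiOS code: it models the behaviour described on this
page (type identified from the magic number within the first 4 kB; entries
matched on file-type and direction) so the sample logs can be reproduced.
The signature table is an illustrative subset; the real set is assumed.
"""

INSPECT_LIMIT = 4096  # the filter only looks at the first 4 kB of a file

# (offset, magic bytes, file-type name as used in 'set file-type')
SIGNATURES = [
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"GIF89a", "gif"),
    (0, b"%PDF-", "pdf"),
    (0, b"\x7fELF", "elf"),
    (0, b"MZ", "exe"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"\x1f\x8b", "gzip"),
    (0, b"\xfd7zXZ\x00", "xz"),
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
]


def identify(data: bytes) -> str:
    """Return the file-type name for the content, or 'unknown'.

    Only the first INSPECT_LIMIT bytes are examined, and only the outer
    container is typed: an exe inside a zip is reported as 'zip', which is
    the archive limitation listed under Requirements.
    """
    head = data[:INSPECT_LIMIT]
    for offset, magic, name in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def evaluate(entries, data: bytes, direction: str):
    """Return (entry id, action, filetype) for the first matching entry, else None.

    direction is 'incoming' or 'outgoing', as in the CIFS log 'direction'
    field; an entry whose direction is 'any' matches both.
    """
    filetype = identify(data)
    for entry in entries:
        if entry["file-type"] == filetype and entry["direction"] in ("any", direction):
            return entry["id"], entry["action"], filetype
    return None


# Constructed entries mirroring filtername="2" (png, log) and "3" (exe, block)
# from the sample logs on this page; entry 1 is a constructed extra.
ENTRIES = [
    {"id": 1, "file-type": "zip", "direction": "outgoing", "action": "block"},
    {"id": 2, "file-type": "png", "direction": "any", "action": "log"},
    {"id": 3, "file-type": "exe", "direction": "incoming", "action": "block"},
]

# Constructed file heads (not real files). Names follow the sample logs: a PNG
# saved as .jpg is still typed 'png', because the name is never consulted.
SAMPLES = {
    "virus\\test.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
    "filetypes\\mpnotify.exe": b"MZ\x90\x00" + b"\x00" * 64,
    "share\\tools.zip": b"PK\x03\x04" + b"\x00" * 30 + b"MZ\x90\x00" + b"\x00" * 30,
    "notes\\readme.txt": b"plain text with no known magic number\n",
}


def main():
    for name, data in SAMPLES.items():
        verdict = evaluate(ENTRIES, data, "incoming")
        print(f"{name:28} type={identify(data):8} -> {verdict}")


if __name__ == "__main__":
    main()
```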

Change to antivirus profile

This version makes a minor change to the antivirus profile.

The former config smb sub-table is now config cifs.

FGT_PROXY (av) # show full-configuration

config antivirus profile
    edit "av"
        set comment ''
        set replacemsg-group ''
        set mobile-malware-db enable
...
        config cifs
            set options scan quarantine
            unset archive-block
            unset archive-log
            set emulator enable
            set outbreak-prevention full-archive
        end
    next
end

Logs & Report

This feature adds a new UTM log category, utm-cifs, which records the file-type detection events generated by the CIFS profile.

Antivirus detections over the CIFS protocol still generate logs under the utm-virus category.

FGT_PROXY (vdom1) # execute log filter category
Available categories:
 0: traffic
 1: event
 2: utm-virus
 3: utm-webfilter
 4: utm-ips
 5: utm-emailfilter
 7: utm-anomaly
 8: utm-voip
 9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
18: utm-cifs

Logs generated by CIFS profile file filter:
date=2019-03-28 time=10:39:19 logid="1800063001" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="notice" vd="vdom1" eventtime=1553794757 msg="File was detected by file filter." direction="incoming" action="passthrough" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33372 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="1154" filename="virus\\test.jpg" filtername="2" filetype="png"

date=2019-03-28 time=10:39:12 logid="1800063001" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="notice" vd="vdom1" eventtime=1553794751 msg="File was detected by file filter." direction="incoming" action="passthrough" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33370 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="81975" filename="virus\\screen.jpg" filtername="2" filetype="png"

date=2019-03-28 time=10:33:55 logid="1800063000" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="warning" vd="vdom1" eventtime=1553794434 msg="File was blocked by file filter." direction="incoming" action="blocked" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33352 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="28432" filename="filetypes\\mpnotify.exe" filtername="3" filetype="exe"

date=2019-03-28 time=10:33:45 logid="1800063000" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="warning" vd="vdom1" eventtime=1553794424 msg="File was blocked by file filter." direction="incoming" action="blocked" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33348 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="96528" filename="filetypes\\winmine.exe" filtername="3" filetype="exe"

Logs generated by AV profile for infections detected over CIFS:
date=2019-04-09 time=15:19:02 logid="0204008202" type="utm" subtype="virus" eventtype="outbreak-prevention" level="warning" vd="vdom1" eventtime=1554848342519005401 msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="SMB" sessionid=177 srcip=10.1.100.11 dstip=172.16.200.44 srcport=37444 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="outbreak\\zhvo_test.com" quarskip="File-was-not-quarantined." virus="503e99fe40ee120c45bc9a30835e7256fff3e46a" dtype="File Hash" filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" profile="av" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

date=2019-04-09 time=15:18:59 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1554848339909808987 msg="File is infected." action="blocked" service="SMB" sessionid=174 srcip=10.1.100.11 dstip=172.16.200.44 srcport=37442 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="sample\\eicar.com" quarskip="File-was-not-quarantined." virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="av" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
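A small triage pass over the sample log lines above, added here as Python (not a FortiOS tool): it parses the key=value format, separates blocked from passthrough events, and flags the extension mismatch that the first two file-filter records show. The field names come from the logs themselves; the extension alias table is an assumption.

```python
"""Triage of the utm-cifs and utm-virus log lines shown on this page.

Added example, not FortiOS code. It parses the FortiOS key=value log format,
separates blocked from passthrough events, and flags files whose content type
(detected from the magic number) contradicts their extension, the case behind
the 'test.jpg' typed as 'png' in the sample logs.
"""
import os
import re
from collections import Counter

# Sample log lines copied from this page: two CIFS file-filter events and two AV events.
SAMPLE_LOGS = r"""
date=2019-03-28 time=10:39:19 logid="1800063001" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="notice" vd="vdom1" eventtime=1553794757 msg="File was detected by file filter." direction="incoming" action="passthrough" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33372 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="1154" filename="virus\\test.jpg" filtername="2" filetype="png"
date=2019-03-28 time=10:33:55 logid="1800063000" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="warning" vd="vdom1" eventtime=1553794434 msg="File was blocked by file filter." direction="incoming" action="blocked" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33352 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="28432" filename="filetypes\\mpnotify.exe" filtername="3" filetype="exe"
date=2019-04-09 time=15:19:02 logid="0204008202" type="utm" subtype="virus" eventtype="outbreak-prevention" level="warning" vd="vdom1" eventtime=1554848342519005401 msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="SMB" sessionid=177 srcip=10.1.100.11 dstip=172.16.200.44 srcport=37444 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="outbreak\\zhvo_test.com" quarskip="File-was-not-quarantined." virus="503e99fe40ee120c45bc9a30835e7256fff3e46a" dtype="File Hash" filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" profile="av" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
date=2019-04-09 time=15:18:59 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1554848339909808987 msg="File is infected." action="blocked" service="SMB" sessionid=174 srcip=10.1.100.11 dstip=172.16.200.44 srcport=37442 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="sample\\eicar.com" quarskip="File-was-not-quarantined." virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="av" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
""".strip().splitlines()

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Extensions that legitimately carry a given file-type name (assumed, illustrative subset).
EXT_ALIASES = {
    "jpeg": {".jpg", ".jpeg"},
    "msofficex": {".docx", ".xlsx", ".pptx"},
    "exe": {".exe", ".dll"},
}


def parse_fortilog(line: str) -> dict:
    """Split one log line into a field dict, unquoting values and collapsing
    the doubled backslashes the logger writes in Windows paths."""
    rec = {}
    for key, raw in _FIELD.findall(line):
        value = raw[1:-1] if raw.startswith('"') else raw
        rec[key] = value.replace("\\\\", "\\")
    return rec


def classify(rec: dict) -> str:
    """Bucket a record: cifs-blocked, cifs-passthrough, av-blocked, av-passthrough or other."""
    if rec.get("subtype") == "cifs" and rec.get("eventtype") == "cifs-filefilter":
        return "cifs-blocked" if rec.get("action") == "blocked" else "cifs-passthrough"
    if rec.get("subtype") == "virus":
        return "av-blocked" if rec.get("action") == "blocked" else "av-passthrough"
    return "other"


def extension_mismatch(rec: dict) -> bool:
    """True when the content-detected filetype disagrees with the file's extension."""
    filetype = rec.get("filetype")
    if not filetype:
        return False  # AV records carry no filetype field
    ext = os.path.splitext(rec.get("filename", ""))[1].lower()
    return ext not in EXT_ALIASES.get(filetype, {"." + filetype})


def summarize(lines) -> dict:
    """Aggregate a batch: events per class, blocked events per source IP, and
    filenames whose extension lies about their content."""
    recs = [parse_fortilog(line) for line in lines]
    return {
        "by_class": Counter(classify(r) for r in recs),
        "blocked_by_src": Counter(r["srcip"] for r in recs if classify(r).endswith("blocked")),
        "mismatches": [r["filename"] for r in recs if extension_mismatch(r)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOGS).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```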
