FortiGuard outbreak prevention for antivirus

FortiGuard outbreak prevention allows the FortiGate antivirus database to be supplemented with third-party malware hash signatures curated by FortiGuard. The hash signatures are obtained from external sources such as VirusTotal, Symantec, Kaspersky, and other third-party websites and services.

This feature provides the mechanism for antivirus to query FortiGuard with the hash of a scanned file. If FortiGuard returns a match from its many curated signature sources, the scanned file is deemed to be malicious.

The concept of FortiGuard outbreak prevention is to detect zero-day malware through a collaborative approach.
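The lookup described above, hash the scanned object and ask a curated hash set whether it is known, is modelled in the following added example. This is illustration code written for this page, not FortiGate or FortiGuard code: the block list is constructed from two made-up byte strings, and SHA-256 is an assumption, since the page does not state which digest FortiGuard matches on.

```python
import hashlib
from typing import Dict

# Constructed stand-in for the FortiGuard-curated hash set: SHA-256 digests of two
# made-up byte strings. These are NOT real malware hashes, and SHA-256 is an
# assumption; the page does not say which digest FortiGuard matches on.
_KNOWN_BAD_SAMPLES = (b"constructed-sample-A\n", b"constructed-sample-B\n")
BLOCK_LIST = frozenset(hashlib.sha256(s).hexdigest() for s in _KNOWN_BAD_SAMPLES)


def file_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Digest the complete scanned object; the whole file has to be buffered first."""
    return hashlib.new(algorithm, data).hexdigest()


def outbreak_prevention_verdict(data: bytes, block_list: frozenset = BLOCK_LIST) -> str:
    """Model the query: hash the object, look the digest up, report the verdict."""
    return "infected" if file_hash(data) in block_list else "clean"


def scan_batch(objects: Dict[str, bytes], block_list: frozenset = BLOCK_LIST) -> Dict[str, str]:
    """Verdict per object name, the way a scan job reports on each file it sees."""
    return {name: outbreak_prevention_verdict(data, block_list) for name, data in objects.items()}


if __name__ == "__main__":
    # Constructed objects: one exact match, one that differs by a single trailing byte,
    # and one unrelated file.
    sample = {
        "match.bin": b"constructed-sample-A\n",
        "near-miss.bin": b"constructed-sample-A",
        "benign.txt": b"hello world\n",
    }
    for name, verdict in scan_batch(sample).items():
        print(f"{name}: {verdict}")
```

The near-miss object is the point of the example: a hash block list matches only byte-identical objects, which is why this feature is positioned as a supplement to the regular antivirus signature database rather than a replacement for it.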

Support and limitations

  • FortiGuard outbreak prevention can be used in both proxy-based and flow-based policy inspections across all supported protocols.
  • FortiGuard outbreak prevention does not support AV in quick scan mode.
  • FortiGate must be registered with a valid FortiGuard outbreak prevention license before this feature can be used.

Network topology example

Configuring the feature

In order for antivirus to work with an external block list, you must register the FortiGate with a FortiGuard outbreak prevention license and enable FortiGuard outbreak prevention in the antivirus profile.

To obtain/renew a FortiGuard antivirus license:
  1. See the following link for instructions on how to purchase or renew a FortiGuard outbreak prevention license:

    https://video.fortinet.com/products/fortigate/6.0/how-to-purchase-or-renew-fortiguard-services-6-0

  2. Once the license has been activated, you can verify its status by going to Global > System > FortiGuard.


To enable FortiGuard outbreak prevention in the antivirus profile:
  1. Go to Security Profiles > AntiVirus.
  2. Edit an antivirus profile, or create a new one.
  3. Select the toggle to enable Use FortiGuard Outbreak Prevention Database.
  4. Click Apply.

Diagnostics and debugging

  • Check whether the FortiGate has an outbreak prevention license:
    # diagnose debug rating
    Locale       : english
    
    Service      : Web-filter
    Status       : Enable
    License      : Contract
    
    Service      : Antispam
    Status       : Disable
    
    Service      : Virus Outbreak Prevention
    Status       : Enable
    License      : Contract
    
    -=- Server List (Tue Feb 19 16:36:15 2019) -=-
    
    IP                     Weight    RTT Flags  TZ    Packets  Curr Lost Total Lost             Updated Time
    192.168.100.185          -218      2 DI     -8        113          0          0 Tue Feb 19 16:35:55 2019
  • Scanunit daemon showing outbreak prevention verdict:
    # diagnose debug application scanunit -1
    Debug messages will be on for 30 minutes.
    
    # diagnose debug enable
    
    # su 4739 job 1 open
    su 4739 req vfid 1 id 1 ep 0 new request, size 313, policy id 1, policy type 0
    su 4739 req vfid 1 id 1 ep 0 received; ack 1, data type: 0
    su 4739 job 1 request info:
    su 4739 job 1   client 10.1.100.11:39412 server 172.16.200.44:80
    su 4739 job 1   object_name 'zhvo_test.com'
    su 4739 file-typing NOT WANTED options 0x0 file_filter no
    su 4739 enable databases 0b (core mmdb extended)
    su 4739 job 1 begin http scan
    su 4739 scan file 'zhvo_test.com' bytes 68
    su 4739 job 1 outbreak-prevention scan, level 0, filename 'zhvo_test.com'
    su 4739 scan result 0
    su 4739 job 1 end http scan
    su 4739 job 1 inc pending tasks (1)
    su 4739 not wanted for analytics: analytics submission is disabled (m 0 r 0)
    su 4739 job 1 suspend
    su 4739 outbreak-prevention recv error
    su 4739 ftgd avquery id 0 status 1
    su 4739 job 1 outbreak-prevention infected entryid=0
    su 4739 report AVQUERY infection priority 1
    su 4739 insert infection AVQUERY SUCCEEDED loc (nil) off 0 sz 0 at index 0 total infections 1 error 0
    su 4739 job 1 dec pending tasks 0
    su 4739 job 1 send result
    su 4739 job 1 close
    su 4739 outbreak-prevention recv error
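When the two diagnostic outputs above are collected from many units or over time, it helps to check them mechanically rather than by eye. The following added example (written for this page, not a Fortinet tool) parses the `diagnose debug rating` output to confirm the Virus Outbreak Prevention service is enabled under contract, and groups the `scanunit` debug lines by job to pull out which objects the outbreak-prevention lookup flagged. The embedded sample text is copied from the outputs on this page, with the `# ` prompt stripped; lines without a job id (the `ftgd avquery` and `recv error` lines) are deliberately not attributed to a job, since their relation to a job is not stated on the page.

```python
import re

# Copied from the `diagnose debug rating` output shown on this page.
RATING_OUTPUT = """\
Locale       : english

Service      : Web-filter
Status       : Enable
License      : Contract

Service      : Antispam
Status       : Disable

Service      : Virus Outbreak Prevention
Status       : Enable
License      : Contract

-=- Server List (Tue Feb 19 16:36:15 2019) -=-
"""

# Copied from the scanunit debug output shown on this page (prompt "# " stripped).
SCANUNIT_OUTPUT = """\
su 4739 job 1 open
su 4739 req vfid 1 id 1 ep 0 new request, size 313, policy id 1, policy type 0
su 4739 req vfid 1 id 1 ep 0 received; ack 1, data type: 0
su 4739 job 1 request info:
su 4739 job 1   client 10.1.100.11:39412 server 172.16.200.44:80
su 4739 job 1   object_name 'zhvo_test.com'
su 4739 file-typing NOT WANTED options 0x0 file_filter no
su 4739 enable databases 0b (core mmdb extended)
su 4739 job 1 begin http scan
su 4739 scan file 'zhvo_test.com' bytes 68
su 4739 job 1 outbreak-prevention scan, level 0, filename 'zhvo_test.com'
su 4739 scan result 0
su 4739 job 1 end http scan
su 4739 job 1 inc pending tasks (1)
su 4739 not wanted for analytics: analytics submission is disabled (m 0 r 0)
su 4739 job 1 suspend
su 4739 outbreak-prevention recv error
su 4739 ftgd avquery id 0 status 1
su 4739 job 1 outbreak-prevention infected entryid=0
su 4739 report AVQUERY infection priority 1
su 4739 insert infection AVQUERY SUCCEEDED loc (nil) off 0 sz 0 at index 0 total infections 1 error 0
su 4739 job 1 dec pending tasks 0
su 4739 job 1 send result
su 4739 job 1 close
su 4739 outbreak-prevention recv error
"""

RATING_FIELD_RE = re.compile(r"^(Service|Status|License)\s*:\s*(.+?)\s*$")


def parse_rating_services(text: str) -> dict:
    """Map each Service block to its Status/License fields."""
    services, current = {}, None
    for line in text.splitlines():
        m = RATING_FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Service":
            current = value
            services[current] = {}
        elif current is not None:
            services[current][key] = value
    return services


def outbreak_prevention_licensed(text: str) -> bool:
    """True when the Virus Outbreak Prevention service is enabled and under contract."""
    svc = parse_rating_services(text).get("Virus Outbreak Prevention", {})
    return svc.get("Status") == "Enable" and svc.get("License") == "Contract"


JOB_RE = re.compile(r"^su (?P<pid>\d+) job (?P<job>\d+)\s+(?P<rest>.*)$")
CLIENT_RE = re.compile(r"^client (\S+) server (\S+)$")
OBJECT_RE = re.compile(r"^object_name '([^']*)'$")
OP_SCAN_RE = re.compile(r"^outbreak-prevention scan, level (\d+), filename '([^']*)'$")
OP_INFECTED_RE = re.compile(r"^outbreak-prevention infected entryid=(\d+)$")


def parse_scanunit_jobs(text: str) -> dict:
    """Group job-tagged scanunit lines by job id and record the outbreak-prevention outcome."""
    jobs = {}
    for raw in text.splitlines():
        m = JOB_RE.match(raw.strip().lstrip("# "))
        if not m:
            continue  # daemon-level lines carry no job id and are not attributed here
        job = jobs.setdefault(int(m["job"]), {"pid": int(m["pid"]), "op_queried": False, "op_infected": False})
        rest = m["rest"]
        if (c := CLIENT_RE.match(rest)):
            job["client"], job["server"] = c.groups()
        elif (o := OBJECT_RE.match(rest)):
            job["object_name"] = o.group(1)
        elif (s := OP_SCAN_RE.match(rest)):
            job["op_queried"], job["op_level"] = True, int(s.group(1))
        elif (i := OP_INFECTED_RE.match(rest)):
            job["op_infected"], job["op_entryid"] = True, int(i.group(1))
        elif rest == "close":
            job["closed"] = True
    return jobs


def outbreak_prevention_hits(text: str) -> list:
    """(job id, object name) for every job the outbreak-prevention lookup flagged."""
    return [(j, info.get("object_name")) for j, info in sorted(parse_scanunit_jobs(text).items()) if info["op_infected"]]


if __name__ == "__main__":
    print("licensed:", outbreak_prevention_licensed(RATING_OUTPUT))
    print("hits:", outbreak_prevention_hits(SCANUNIT_OUTPUT))
```

Run against a unit whose rating output lacks the `Virus Outbreak Prevention` block, `outbreak_prevention_licensed` returns False, which is the first thing to check when the toggle in the antivirus profile appears to have no effect; `outbreak_prevention_hits` is the line to watch when confirming that a test object was actually judged by the FortiGuard lookup rather than by the local engine.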
