CIFS support
FortiOS supports file filtering and antivirus scanning of Common Internet File System (CIFS, that is SMB) traffic under proxy-based inspection.
File filtering for CIFS is performed by inspecting the first 4 KB of the file to identify the file's magic number; the file name and extension play no part in the decision. If a match occurs, CIFS file filtering blocks the CIFS command that carries that file. Because identification is content-based, renaming a blocked type (for example, saving an executable with a .pdf extension) does not evade the filter.
The CIFS security profile handles the configuration of file filtering on CIFS. The antivirus profile handles the antivirus configuration for CIFS scanning.
For a CIFS profile to be available for assignment in a policy, the policy must use proxy inspection mode. See Proxy mode inspection for details.
CIFS scanning in proxy inspection mode has the following limitations:
- File types and infections inside archive files cannot be detected; only the archive container itself is identified.
- Oversized files cannot be detected.
- Special-condition archive files (encrypted, corrupted, mailbomb, and so on) that the antivirus engine marks are blocked automatically.
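The following Python is an added illustration of how content-based identification over a 4 KB header behaves; it is not FortiOS code and does not reproduce the FortiGate's signature database. The signature list is a small set of well-known magic numbers, the filter entries and the sample files (including the "executable" and the zip that wraps it) are constructed for the example, and the result shows the two properties that matter operationally: a renamed executable is still classified as exe, while an executable stored inside a zip is seen only as zip, and a magic number that sits past the 4 KB window is not seen at all.

```python
import io
import zipfile

HEADER_BYTES = 4096  # only the first 4 KB of a file is examined

# Illustrative subset of well-known magic numbers, keyed by the file-type
# names used in the table on this page: (file type, byte offset, magic bytes).
# This is not the FortiGate's signature set. Order matters: first match wins.
SIGNATURES = [
    ("png",  0,   b"\x89PNG\r\n\x1a\n"),
    ("gif",  0,   b"GIF87a"),
    ("gif",  0,   b"GIF89a"),
    ("jpeg", 0,   b"\xff\xd8\xff"),
    ("pdf",  0,   b"%PDF-"),
    ("elf",  0,   b"\x7fELF"),
    ("exe",  0,   b"MZ"),
    ("zip",  0,   b"PK\x03\x04"),
    ("gzip", 0,   b"\x1f\x8b"),
    ("7z",   0,   b"7z\xbc\xaf\x27\x1c"),
    ("rar",  0,   b"Rar!\x1a\x07"),
    ("tar",  257, b"ustar"),
]


def identify(data: bytes) -> str:
    """Return the file-type name for the magic number found in the first
    4 KB of `data`, or "unknown" if nothing matches."""
    head = data[:HEADER_BYTES]
    for name, offset, magic in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def apply_filter(entries, data: bytes):
    """Evaluate file-filter entries, given as (file type, action) pairs in
    evaluation order, against one file. Returns (identified type, action);
    a file that matches no entry passes through."""
    ftype = identify(data)
    for wanted, action in entries:
        if wanted == ftype:
            return ftype, action
    return ftype, "passthrough"


def build_samples() -> dict:
    """Constructed sample files (not real programs, not real images)."""
    # A minimal DOS/PE-style header: 'MZ' stub followed by a 'PE\0\0' marker.
    mz = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    # A genuine zip container holding the executable; only the container's
    # own magic number is visible in the first 4 KB.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mpnotify.exe", mz)
    # A file whose magic number sits beyond the 4 KB window.
    late_png = b"\x00" * HEADER_BYTES + png
    return {
        "invoice.pdf": mz,          # executable renamed to look like a PDF
        "screen.png": png,
        "tools.zip": buf.getvalue(),
        "padded.png": late_png,
    }


if __name__ == "__main__":
    entries = [("exe", "block"), ("png", "log")]
    for name, data in build_samples().items():
        print(f"{name:12s} -> {apply_filter(entries, data)}")
```

The padded file is the reason the "unknown" file type exists in the table: an entry with file-type unknown and action block catches anything whose header the filter could not classify, at the cost of also blocking legitimately unrecognised formats.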
Supported file types
File filter supports the following file types:

File type name | Description
---|---
7z | Match 7-zip files
arj | Match arj compressed files
cab | Match Windows cab files
lzh | Match lzh compressed files
rar | Match rar archives
tar | Match tar files
zip | Match zip files
bzip | Match bzip files
gzip | Match gzip files
bzip2 | Match bzip2 files
xz | Match xz files
bat | Match Windows batch files
msc | Match msc files
uue | Match uue files
mime | Match mime files
base64 | Match base64 files
binhex | Match binhex files
bin | Match bin files
elf | Match elf files
exe | Match Windows executable files
hta | Match hta files
html | Match html files
jad | Match jad files
class | Match class files
cod | Match cod files
javascript | Match javascript files
msoffice | Match MS-Office files. For example, doc, xls, ppt, and so on.
msofficex | Match MS-Office XML files. For example, docx, xlsx, pptx, and so on.
fsg | Match fsg packed files
upx | Match upx packed files
petite | Match petite packed files
aspack | Match aspack packed files
prc | Match prc files
sis | Match sis files
hlp | Match Windows help files
activemime | Match activemime files
jpeg | Match jpeg files
gif | Match gif files
tiff | Match tiff files
png | Match png files
bmp | Match bmp files
unknown | Match files whose type could not be identified from their magic number
mpeg | Match mpeg files
mov | Match mov files
mp3 | Match mp3 files
wma | Match wma files
wav | Match wav files
pdf | Match pdf files
avi | Match avi files
rm | Match rm files
torrent | Match torrent files
msi | Match Windows Installer (msi) files
mach-o | Match Mach object files
dmg | Match Apple disk image files
.net | Match .NET files
xar | Match xar archive files
chm | Match Windows compiled HTML help files
iso | Match ISO archive files
crx | Match Chrome extension files
Configure file-type filtering and antivirus scanning on CIFS traffic
To configure file-type filtering and antivirus scanning on CIFS traffic:
- Configure a CIFS domain controller (required only when the CIFS traffic is encrypted).
- Configure a CIFS profile: set the server credential type and add file filter entries.
- Configure an antivirus profile with CIFS scanning options.
- Apply the CIFS profile and the antivirus profile in a firewall policy that uses proxy inspection mode.
Configure a CIFS domain controller
A domain controller must be configured when the CIFS traffic is encrypted, as with SMB 3.0 encryption. The configuration tells the FortiGate the network location of the domain controller and the superuser credentials it logs in with to obtain session keys. Because these are superuser credentials for the domain, protect the FortiGate configuration, including backups, that stores them.
To configure the CIFS domain controller:

```
config cifs domain-controller
    edit "DOMAIN"
        set domain-name "EXAMPLE.COM"
        set username "admin-super"
        set password **********
        set ip 172.16.201.40
    next
end
```
Configure a CIFS profile
To create a CIFS profile, configure the server credential type and add file filter entries.
Set the CIFS server credential type
The CIFS server credential type can be none, credential-replication, or credential-keytab.
none
The CIFS profile assumes the CIFS traffic is unencrypted (used with SMB 2.0). This is the default value.
```
config cifs profile
    edit "cifs"
        set server-credential-type none
    next
end
```
credential-replication
To decrypt CIFS traffic, FortiOS obtains the session key from the domain controller by logging in to the superuser account. The domain controller must be configured.
```
config cifs profile
    edit "cifs"
        set server-credential-type credential-replication
        set domain-controller "DOMAIN"
    next
end
```

Variable | Description
---|---
domain-controller <string> | The previously configured domain controller to obtain session keys from for decrypting CIFS traffic.
credential-keytab
To decrypt CIFS traffic, FortiOS uses one or more keytab values. This method is used when the SMB connection is authenticated with Kerberos. Keytab entries must be configured; they carry the server's long-term Kerberos keys and are stored in the FortiOS configuration in plaintext, so the configuration and its backups must be protected accordingly.

```
config cifs profile
    edit "cifs"
        set server-credential-type credential-keytab
        config server-keytab
            edit "keytab1"
                set keytab "BQIAAABFAAEAC0VYQU1QTEUuQ09NAAdleGFtcGxlAAAAAVUmAlwBABIAILdV5P6NXT8RrTvapcMJQxDYCjRQiD0BzxhwS9h0VgyM"
            next
        end
    next
end
```

Variable | Description
---|---
keytab <keytab> | Base64 encoded keytab file containing the credentials of the server.
Configure CIFS profile file filtering
Multiple file filter entries can be added to a profile.
To configure a file filter entry in a CIFS profile:
```
config cifs profile
    edit "cifs"
        config file-filter
            set status {enable | disable}
            set log {enable | disable}
            config entries
                edit <filter>
                    set comment <string>
                    set action {log | block}
                    set direction {incoming | outgoing | any}
                    set file-type <file_type>
                next
            end
        end
    next
end
```

Variable | Description
---|---
status {enable \| disable} | Enable or disable the file filter (default = enable).
log {enable \| disable} | Enable or disable file filter logging (default = enable).
comment <string> | A brief comment describing the entry.
action {log \| block} | The action to take for matched files: log allows the file through and records a utm-cifs log entry (action=passthrough); block stops the CIFS command carrying the file (action=blocked).
direction {incoming \| outgoing \| any} | Match files transmitted in the session's originating direction (incoming), in the reply direction (outgoing), or in either direction (any).
file-type <file_type> | The file types to be matched (default = none). See Supported file types for details.
Configure an antivirus profile
The antivirus profile handles the antivirus configuration for CIFS scanning.
To configure an antivirus profile:
```
config antivirus profile
    edit "av"
        ...
        config cifs
            set options {scan avmonitor quarantine}
            set archive-block {encrypted corrupted partiallycorrupted multipart nested mailbomb fileslimit timeout unhandled}
            set archive-log {encrypted corrupted partiallycorrupted multipart nested mailbomb fileslimit timeout unhandled}
            set emulator {enable | disable}
            set outbreak-prevention {disabled | files | full-archive}
        end
    next
end
```

Variable | Description
---|---
options {scan avmonitor quarantine} | Enable CIFS antivirus scanning (scan), monitor-only mode that logs detections without blocking (avmonitor), and quarantine of infected files (quarantine).
archive-block {encrypted corrupted partiallycorrupted multipart nested mailbomb fileslimit timeout unhandled} | Select the archive conditions to block: encrypted (password-protected or otherwise encrypted archives), corrupted, partiallycorrupted, multipart (archives split across several files), nested (archives nested deeper than the engine's limit), mailbomb (archives that decompress to far more than their stored size), fileslimit (archives holding more files than the limit), timeout (archives whose scan times out), unhandled (archive formats the engine cannot unpack).
archive-log {encrypted corrupted partiallycorrupted multipart nested mailbomb fileslimit timeout unhandled} | Select the archive conditions to log; the conditions have the same meaning as for archive-block.
emulator {enable \| disable} | Enable/disable the virus emulator (default = enable).
outbreak-prevention {disabled \| files \| full-archive} | Enable the FortiGuard virus outbreak prevention service: disabled turns it off; files checks the hash of each file as transferred, without unpacking archives; full-archive also checks the contents of archives.
Log examples
File-type detection events generated by CIFS profiles are logged in the utm-cifs log category. Antivirus detections over the CIFS protocol generate logs in the utm-virus category. See the FortiOS Log Message Reference for more information. Note in the examples below that the file filter logs record service="CIFS" while the antivirus logs record service="SMB" for the same traffic, so searches should key on subtype or eventtype rather than on service alone.
Logs generated by CIFS profile file filter:
date=2019-03-28 time=10:39:19 logid="1800063001" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="notice" vd="vdom1" eventtime=1553794757 msg="File was detected by file filter." direction="incoming" action="passthrough" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33372 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="1154" filename="virus\\test.png" filtername="2" filetype="png"
date=2019-03-28 time=10:39:12 logid="1800063001" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="notice" vd="vdom1" eventtime=1553794751 msg="File was detected by file filter." direction="incoming" action="passthrough" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33370 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="81975" filename="virus\\screen.png" filtername="2" filetype="png"
date=2019-03-28 time=10:33:55 logid="1800063000" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="warning" vd="vdom1" eventtime=1553794434 msg="File was blocked by file filter." direction="incoming" action="blocked" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33352 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="28432" filename="filetypes\\mpnotify.exe" filtername="3" filetype="exe"
date=2019-03-28 time=10:33:45 logid="1800063000" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="warning" vd="vdom1" eventtime=1553794424 msg="File was blocked by file filter." direction="incoming" action="blocked" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33348 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="96528" filename="filetypes\\winmine.exe" filtername="3" filetype="exe"
Logs generated by AV profile for infections detected over CIFS:
date=2019-04-09 time=15:19:02 logid="0204008202" type="utm" subtype="virus" eventtype="outbreak-prevention" level="warning" vd="vdom1" eventtime=1554848342519005401 msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="SMB" sessionid=177 srcip=10.1.100.11 dstip=172.16.200.44 srcport=37444 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="outbreak\\zhvo_test.com" quarskip="File-was-not-quarantined." virus="503e99fe40ee120c45bc9a30835e7256fff3e46a" dtype="File Hash" filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" profile="av" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
date=2019-04-09 time=15:18:59 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1554848339909808987 msg="File is infected." action="blocked" service="SMB" sessionid=174 srcip=10.1.100.11 dstip=172.16.200.44 srcport=37442 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="sample\\eicar.com" quarskip="File-was-not-quarantined." virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="av" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
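The Python below is an added example, not FortiOS code: a parser for the key=value log format shown above, run over the six log lines from this page (embedded verbatim as sample input) to extract the transfers the FortiGate blocked and to list the file-filter hits that were only logged, that is, files the filter identified but allowed through. The field names are those of the log lines; the shape of the triage record is the example's own choice.

```python
import re
from collections import Counter

# FortiOS log lines are space-separated key=value pairs. Values with spaces
# are double-quoted, and backslashes inside quoted values are escaped, as in
# filename="virus\\test.png".
TOKEN = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

# The six log lines shown on this page, used here as embedded sample input.
SAMPLE_LOGS = [
    r'date=2019-03-28 time=10:39:19 logid="1800063001" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="notice" vd="vdom1" eventtime=1553794757 msg="File was detected by file filter." direction="incoming" action="passthrough" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33372 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="1154" filename="virus\\test.png" filtername="2" filetype="png"',
    r'date=2019-03-28 time=10:39:12 logid="1800063001" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="notice" vd="vdom1" eventtime=1553794751 msg="File was detected by file filter." direction="incoming" action="passthrough" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33370 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="81975" filename="virus\\screen.png" filtername="2" filetype="png"',
    r'date=2019-03-28 time=10:33:55 logid="1800063000" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="warning" vd="vdom1" eventtime=1553794434 msg="File was blocked by file filter." direction="incoming" action="blocked" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33352 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="28432" filename="filetypes\\mpnotify.exe" filtername="3" filetype="exe"',
    r'date=2019-03-28 time=10:33:45 logid="1800063000" type="utm" subtype="cifs" eventtype="cifs-filefilter" level="warning" vd="vdom1" eventtime=1553794424 msg="File was blocked by file filter." direction="incoming" action="blocked" service="CIFS" srcip=10.1.100.11 dstip=172.16.200.44 srcport=33348 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=16 profile="cifs" filesize="96528" filename="filetypes\\winmine.exe" filtername="3" filetype="exe"',
    r'date=2019-04-09 time=15:19:02 logid="0204008202" type="utm" subtype="virus" eventtype="outbreak-prevention" level="warning" vd="vdom1" eventtime=1554848342519005401 msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="SMB" sessionid=177 srcip=10.1.100.11 dstip=172.16.200.44 srcport=37444 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="outbreak\\zhvo_test.com" quarskip="File-was-not-quarantined." virus="503e99fe40ee120c45bc9a30835e7256fff3e46a" dtype="File Hash" filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" profile="av" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"',
    r'date=2019-04-09 time=15:18:59 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="vdom1" eventtime=1554848339909808987 msg="File is infected." action="blocked" service="SMB" sessionid=174 srcip=10.1.100.11 dstip=172.16.200.44 srcport=37442 dstport=445 srcintf="wan2" srcintfrole="wan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="sample\\eicar.com" quarskip="File-was-not-quarantined." virus="EICAR_TEST_FILE" dtype="Virus" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 profile="av" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"',
]


def parse_log(line: str) -> dict:
    """Parse one log line into a dict of field -> value, with the
    backslash escaping of quoted values resolved."""
    fields = {}
    for key, quoted, bare in TOKEN.findall(line):
        value = quoted if quoted else bare
        fields[key] = value.replace("\\\\", "\\")
    return fields


def blocked_events(lines):
    """Compact triage records for every UTM event the FortiGate blocked,
    whether from the CIFS file filter (utm-cifs) or antivirus (utm-virus)."""
    records = []
    for line in lines:
        f = parse_log(line)
        if f.get("type") != "utm" or f.get("action") != "blocked":
            continue
        records.append({
            "when": f["date"] + " " + f["time"],
            "src": f["srcip"],
            "dst": f["dstip"],
            "policy": f["policyid"],
            "file": f["filename"],
            # file filter hits carry filetype; antivirus hits carry virus
            "reason": f.get("filetype") or f.get("virus"),
            "source": f["subtype"] + "/" + f["eventtype"],
        })
    return records


def log_only_hits(lines):
    """(filetype, filename) for file-filter matches whose entry action was
    log: the file was identified but allowed through (action=passthrough).
    Reviewing these shows which entries should be promoted from log to block."""
    hits = []
    for line in lines:
        f = parse_log(line)
        if f.get("eventtype") == "cifs-filefilter" and f.get("action") == "passthrough":
            hits.append((f["filetype"], f["filename"]))
    return hits


def summarise(lines):
    """Count events per (subtype, action)."""
    counts = Counter()
    for line in lines:
        f = parse_log(line)
        counts[(f.get("subtype"), f.get("action"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for rec in blocked_events(SAMPLE_LOGS):
        print(rec)
    print("log-only hits:", log_only_hits(SAMPLE_LOGS))
    print("summary:", summarise(SAMPLE_LOGS))
```

Keying on eventtype and action rather than on service is deliberate: as the examples show, the file filter and the antivirus engine label the same SMB session differently (service="CIFS" versus service="SMB", proto=16 versus proto=6), and a search on service alone would miss half of the events.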