FortiGuard outbreak prevention for antivirus
FortiGuard outbreak prevention allows the FortiGate antivirus database to be supplemented with third-party malware hash signatures curated by FortiGuard. The hash signatures are obtained from external sources such as VirusTotal, Symantec, Kaspersky, and other third-party websites and services.
This feature provides the mechanism for antivirus to query FortiGuard with the hash of a scanned file. If FortiGuard returns a match from any of its curated signature sources, the scanned file is deemed to be malicious.
The aim of FortiGuard outbreak prevention is to detect zero-day malware through a collaborative approach.
Support and limitations
- FortiGuard outbreak prevention can be used in both proxy-based and flow-based policy inspections across all supported protocols.
- FortiGuard outbreak prevention does not support AV in quick scan mode.
- The FortiGate must be registered with a valid FortiGuard outbreak prevention license before this feature can be used.
Network topology example
Configuring the feature
In order for antivirus to work with an external block list, you must register the FortiGate with a FortiGuard outbreak prevention license and enable FortiGuard outbreak prevention in the antivirus profile.
To obtain or renew a FortiGuard antivirus license:
- See the following link for instructions on how to purchase or renew a FortiGuard outbreak prevention license:
https://video.fortinet.com/products/fortigate/6.0/how-to-purchase-or-renew-fortiguard-services-6-0
- Once the license has been activated, you can verify its status by going to Global > System > FortiGuard.
To enable FortiGuard outbreak prevention in the antivirus profile:
- Go to Security Profiles > AntiVirus.
- Edit an antivirus profile, or create a new one.
- Select the toggle to enable Use FortiGuard Outbreak Prevention Database.
- Click Apply.
Diagnostics and debugging
- Check whether the FortiGate has an outbreak prevention license:
# diagnose debug rating
Locale  : english

Service : Web-filter
Status  : Enable
License : Contract

Service : Antispam
Status  : Disable

Service : Virus Outbreak Prevention
Status  : Enable
License : Contract

-=- Server List (Tue Feb 19 16:36:15 2019) -=-

IP               Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost  Updated Time
192.168.100.185  -218    2    DI     -8  113      0          0           Tue Feb 19 16:35:55 2019
- Scanunit daemon debug output showing the outbreak prevention verdict:
# diagnose debug application scanunit -1
Debug messages will be on for 30 minutes.
# diagnose debug enable
# su 4739 job 1 open
su 4739 req vfid 1 id 1 ep 0 new request, size 313, policy id 1, policy type 0
su 4739 req vfid 1 id 1 ep 0 received; ack 1, data type: 0
su 4739 job 1 request info:
su 4739 job 1 client 10.1.100.11:39412 server 172.16.200.44:80
su 4739 job 1 object_name 'zhvo_test.com'
su 4739 file-typing NOT WANTED options 0x0 file_filter no
su 4739 enable databases 0b (core mmdb extended)
su 4739 job 1 begin http scan
su 4739 scan file 'zhvo_test.com' bytes 68
su 4739 job 1 outbreak-prevention scan, level 0, filename 'zhvo_test.com'
su 4739 scan result 0
su 4739 job 1 end http scan
su 4739 job 1 inc pending tasks (1)
su 4739 not wanted for analytics: analytics submission is disabled (m 0 r 0)
su 4739 job 1 suspend
su 4739 outbreak-prevention recv error
su 4739 ftgd avquery id 0 status 1
su 4739 job 1 outbreak-prevention infected entryid=0
su 4739 report AVQUERY infection priority 1
su 4739 insert infection AVQUERY SUCCEEDED loc (nil) off 0 sz 0 at index 0 total infections 1 error 0
su 4739 job 1 dec pending tasks 0
su 4739 job 1 send result
su 4739 job 1 close
su 4739 outbreak-prevention recv error
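When this check is run across many FortiGates, or the scanunit debug output is long, it helps to turn both outputs into structured records instead of reading them by eye. The following Python script is an added example, not Fortinet code: it parses the `diagnose debug rating` output above to confirm that the Virus Outbreak Prevention service is enabled under a contract, and it rebuilds per-job records from the scanunit debug lines so the outbreak prevention verdict, the client/server pair and the scanned file name can be reported together. Both sample inputs are constructed from the output shown on this page; the column spacing in the rating output, the attribution of job-less lines (`scan result`, `recv error`) to the job most recently opened by that scanunit pid, and treating `scan result 0` as the local scanner's own result are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, rebuilt from the `diagnose debug rating` output on this page.
# Field spacing is assumed; the parser tolerates any amount of whitespace.
RATING_OUTPUT = """\
Locale  : english
Service : Web-filter
Status  : Enable
License : Contract
Service : Antispam
Status  : Disable
Service : Virus Outbreak Prevention
Status  : Enable
License : Contract
-=- Server List (Tue Feb 19 16:36:15 2019) -=-
"""

# Constructed sample: a subset of the scanunit debug lines shown on this page.
SCANUNIT_LOG = """\
su 4739 job 1 open
su 4739 job 1 client 10.1.100.11:39412 server 172.16.200.44:80
su 4739 job 1 object_name 'zhvo_test.com'
su 4739 job 1 outbreak-prevention scan, level 0, filename 'zhvo_test.com'
su 4739 scan result 0
su 4739 job 1 suspend
su 4739 outbreak-prevention recv error
su 4739 ftgd avquery id 0 status 1
su 4739 job 1 outbreak-prevention infected entryid=0
su 4739 report AVQUERY infection priority 1
su 4739 job 1 send result
su 4739 job 1 close
"""


def parse_rating_services(text: str) -> Dict[str, Dict[str, str]]:
    """Map each 'Service' block of `diagnose debug rating` to its Status/License fields."""
    services: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = re.match(r"^\s*(Service|Status|License)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue  # Locale line, server list header, blank lines
        key, value = m.groups()
        if key == "Service":
            current = value
            services[current] = {}
        elif current is not None:
            services[current][key] = value
    return services


def outbreak_prevention_licensed(text: str) -> bool:
    """True only if Virus Outbreak Prevention is enabled and backed by a contract."""
    svc = parse_rating_services(text).get("Virus Outbreak Prevention", {})
    return svc.get("Status") == "Enable" and svc.get("License") == "Contract"


@dataclass
class ScanJob:
    pid: int
    job_id: int
    client: str = ""
    server: str = ""
    filename: str = ""
    local_result: Optional[int] = None  # assumed: the on-box scanner's 'scan result'
    query_errors: int = 0               # 'outbreak-prevention recv error' lines seen
    op_infected: bool = False           # FortiGuard hash lookup reported a match

    @property
    def verdict(self) -> str:
        return "malicious" if self.op_infected else "clean"


JOB_OPEN = re.compile(r"^su (\d+) job (\d+) open$")
JOB_LINE = re.compile(r"^su (\d+) job (\d+) (.*)$")
PID_LINE = re.compile(r"^su (\d+) (.*)$")


def parse_scanunit_log(text: str) -> List[ScanJob]:
    """Rebuild per-job records; job-less lines go to the pid's most recent job."""
    jobs: Dict[Tuple[int, int], ScanJob] = {}
    current: Dict[int, ScanJob] = {}
    for line in text.splitlines():
        m = JOB_OPEN.match(line)
        if m:
            pid, job_id = int(m.group(1)), int(m.group(2))
            jobs[(pid, job_id)] = current[pid] = ScanJob(pid=pid, job_id=job_id)
            continue
        m = JOB_LINE.match(line)
        if m:
            pid, job_id, rest = int(m.group(1)), int(m.group(2)), m.group(3)
            job = jobs.get((pid, job_id))
            if job is None:
                continue
            current[pid] = job
            cs = re.match(r"client (\S+) server (\S+)", rest)
            if cs:
                job.client, job.server = cs.groups()
            name = re.match(r"object_name '([^']*)'", rest)
            if name:
                job.filename = name.group(1)
            if rest.startswith("outbreak-prevention infected"):
                job.op_infected = True
            continue
        m = PID_LINE.match(line)
        if m and int(m.group(1)) in current:
            job, rest = current[int(m.group(1))], m.group(2)
            res = re.match(r"scan result (\d+)$", rest)
            if res:
                job.local_result = int(res.group(1))
            elif rest == "outbreak-prevention recv error":
                job.query_errors += 1
    return list(jobs.values())


if __name__ == "__main__":
    print("outbreak prevention licensed:", outbreak_prevention_licensed(RATING_OUTPUT))
    for job in parse_scanunit_log(SCANUNIT_LOG):
        print(f"job {job.job_id}: {job.client} -> {job.server} file={job.filename!r} "
              f"local_result={job.local_result} recv_errors={job.query_errors} "
              f"verdict={job.verdict}")
```

The `query_errors` counter only records how many `outbreak-prevention recv error` lines appeared for the job; the page does not say what that line means, so the script reports it beside the verdict rather than interpreting it.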