Inspection mode differences for antivirus

This section identifies the behavioral differences between antivirus operating in flow and proxy inspection.

Feature comparison between antivirus inspection modes

The following tables indicate which antivirus features are supported by each scan mode.

Part 1

Mode                Replacement message   Content disarm   Mobile malware   Virus outbreak   Sandbox inspection   NAC quarantine
Proxy               Yes                   Yes              Yes              Yes              Yes                  Yes
Flow default mode   Yes*                  No               No               No               Yes                  Yes
Flow legacy mode    Yes*                  No               Yes              Yes              Yes                  Yes

* In flow mode the IPS engine caches the URL of the blocked file; the replacement message is presented on the client's second attempt to fetch it, not on the first.

Part 2

Mode                Archive blocking   Emulator   Client comforting   Infection quarantine   Heuristics   Treat EXE as virus
Proxy               Yes                Yes        Yes                 Yes (1)                Yes          Yes (2)
Flow default mode   No                 No         No                  No                     No           No
Flow legacy mode    Yes                Yes        No                  Yes (1)                Yes          Yes (2)

  1. Only available on FortiGate models with an HDD, or when FortiAnalyzer or FortiGate Cloud is connected and enabled.
  2. Only applies to inspection of the IMAP, POP3, SMTP, and MAPI protocols.

Protocol comparison between antivirus inspection modes

The following table indicates which protocols can be inspected by each antivirus scan mode.

Mode    HTTP   FTP   IMAP   POP3   SMTP   NNTP   MAPI   CIFS
Proxy   Yes    Yes   Yes    Yes    Yes    Yes    Yes    Yes*
Flow    Yes    Yes   Yes    Yes    Yes    No     No     Yes

* Proxy mode antivirus inspection of the CIFS protocol has the following limitations:

  • Cannot detect infections within archive files
  • Cannot detect oversized files
  • Blocks special archive types by default
  • IPv6 is not supported

Other antivirus differences between inspection modes

Flow default mode uses a hybrid scanning approach: depending on the type of file being scanned, the AV engine either uses a pre-filtering database for malware detection or performs a full scan against the complete AV signature database. When a full AV scan is needed, the IPS engine forwards the file to the scanunit daemon for processing.

Flow legacy mode and proxy legacy mode always use the full AV signature database, and the scanunit daemon scans the traffic.

Proxy mode uses pre-scanning and stream-based scanning for HTTP traffic. In proxy default mode the WAD daemon scans HTTP content as a stream; proxy legacy mode disables stream-based scanning and relies on the scanunit daemon.

Stream-based scanning provides the following AV improvements:

  • Archive files (ZIP, GZIP, BZIP2, TAR, ISO) that exceed the oversize limit are uncompressed and scanned for infections.
  • The contents of large archive files are scanned without having to buffer the entire file.
  • Small files are scanned locally by the WAD daemon if only AV scanning is needed in the policy.
  • File filtering on HTTP/HTTPS is handled locally by the WAD daemon.

This means that overall memory usage is optimized when an archive file is scanned, and security improves because archives that would otherwise bypass scanning (by exceeding the oversize limit) are still inspected.

However, stream-based scanning cannot handle the more complex features. When any of the following features is enabled in the profile, the traffic is automatically handed off to the scanunit daemon for scanning, as in legacy mode:

  • Heuristic AV scan
  • DLP
  • Quarantine
  • FortiGuard outbreak prevention and external block list
  • Content disarm

To configure the scan mode:

config antivirus profile
    edit <name>
        ...
        set scan-mode {default | legacy}
    next
end
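The following is an added example, not configuration from the original page, showing how the feature and protocol tables above translate into two antivirus profiles and a policy. It assumes FortiOS 6.4 CLI syntax (where scan-mode is a per-profile setting, as shown above); the profile, policy and interface names are hypothetical, and the lines beginning with # are annotations to drop before pasting. The first profile uses proxy inspection so that it can enable the features the tables mark as unavailable in flow default mode (content disarm, emulator, archive blocking, treating executables as viruses on mail protocols). The second is a flow default-mode profile limited to what that mode supports.

```text
# Added example, FortiOS 6.4 syntax assumed; all names are hypothetical.

config antivirus profile
    # Profile 1: proxy inspection with the full feature set. scan-mode default
    # keeps WAD stream-based scanning for plain AV on HTTP; enabling content
    # disarm or heuristics hands that traffic to scanunit automatically.
    edit "av-proxy-full"
        set feature-set proxy
        set scan-mode default
        config http
            set av-scan block
            set outbreak-prevention block
            set archive-block encrypted mailbomb nested
            set emulator enable
            set content-disarm enable
        end
        config smtp
            set av-scan block
            set outbreak-prevention block
            set content-disarm enable
            # "Treat EXE as virus" applies only to IMAP/POP3/SMTP/MAPI
            set executables virus
        end
        config cifs
            # proxy-mode CIFS scanning: no archive or oversize detection, no IPv6
            set av-scan block
        end
    next
    # Profile 2: flow default mode. Archive blocking, emulator, content disarm,
    # heuristics and executables-as-virus are not available here (Part 2 table),
    # so only signature/outbreak scanning is configured.
    edit "av-flow-default"
        set feature-set flow
        set scan-mode default
        config http
            set av-scan block
            set outbreak-prevention block
        end
        config smtp
            set av-scan block
            set outbreak-prevention block
        end
    next
end

# Heuristic scanning is a global setting; per the table it only takes effect
# for proxy and flow legacy scanning, never for flow default mode.
config antivirus heuristic
    set mode block
end

# The policy's inspection mode must match the profile's feature set: a
# proxy-mode policy is required for the proxy profile above.
config firewall policy
    edit 10
        set name "lan-to-wan-proxy-av"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "av-proxy-full"
        set nat enable
    next
end
```

If "av-flow-default" is attached instead, the policy should use set inspection-mode flow; keep in mind the Part 1 footnote that a blocked HTTP download in flow mode only shows the replacement page on the client's second attempt, which matters when verifying the policy with a test file.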
