Fortinet Document Library

Administration Guide
Antivirus

FortiOS can run flow-based and proxy-based antivirus concurrently, with the mode chosen per firewall policy according to traffic type, users, and locations. Flow-based antivirus offers higher throughput; proxy-based antivirus covers more protocols (see the comparison table below).

FortiOS includes two preloaded antivirus profiles:

  • default
  • wifi-default

You can customize these profiles, or you can create your own to inspect certain protocols, remove viruses, analyze suspicious files with FortiSandbox, and apply botnet protection to network traffic. Once configured, you can add the antivirus profile to a firewall policy.

Note

This functionality requires a subscription to FortiGuard Antivirus.

Protocol comparison between AntiVirus inspection modes

The following table shows which protocols each antivirus inspection mode can scan.

Protocol   Proxy   Flow
HTTP       Yes     Yes
FTP        Yes     Yes
IMAP       Yes     Yes
POP3       Yes     Yes
SMTP       Yes     Yes
NNTP       Yes     Yes
MAPI       Yes     No
CIFS       Yes*    Yes
SSH        Yes     No

* Proxy mode antivirus inspection on CIFS protocol has the following limitations:

  • Cannot detect infections within archive files.
  • Cannot detect oversized files.

Other AntiVirus differences between inspection modes

Starting from v6.4.0, the scan-mode option is no longer available for flow-based AV.

Flow-based AV therefore no longer uses either the default or the legacy scan mode exclusively when handling traffic on flow-based firewall policies; it uses a hybrid of the two. For some files flow AV uses a pre-filtering database for malware detection, for others the full AV signature database. The IPS engine selects the method based on the type of file being scanned.

Proxy mode keeps the scan-mode option, which can be set to default or legacy. In default mode the WAD daemon uses pre-scanning and stream-based scanning for HTTP traffic, so archive files that exceed the oversize limit can still be decompressed and scanned for infections. Legacy mode disables this stream-based approach.
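As an added example (not Fortinet's code or documentation), the Python script below parses a FortiOS-style CLI configuration and checks each firewall policy's antivirus profile against the coverage table and scan-mode notes above: MAPI or SSH scanning enabled under a flow-mode policy, CIFS scanning under proxy mode, and a scan-mode setting that flow-based AV ignores. The sample configuration, its profile and policy names, and the assumption that a policy with no explicit inspection-mode is flow-based are constructed for the example; the keywords feature-set, av-scan and inspection-mode follow the FortiOS 6.4 CLI.

```python
"""Lint a FortiOS CLI config export against the AV protocol coverage table.

Added example, not Fortinet code. Parses the config / edit / set / next / end
block syntax and reports AV settings a policy's inspection mode cannot honour.
Profile and policy names are constructed sample data.
"""

# From the page's table: scannable protocols and the mode-specific gaps.
AV_PROTOCOLS = {"http", "ftp", "imap", "pop3", "smtp", "nntp", "mapi", "cifs", "ssh"}
FLOW_UNSUPPORTED = {"mapi", "ssh"}  # flow-based AV does not inspect these
PROXY_CIFS_NOTE = "CIFS in proxy mode: archive contents and oversized files are not detected"

# Constructed sample config in FortiOS CLI syntax (not from a real device).
SAMPLE_CONFIG = """
config antivirus profile
    edit "av-flow"
        set feature-set flow
        config http
            set av-scan block
        end
        config mapi
            set av-scan block
        end
        config ssh
            set av-scan monitor
        end
    next
    edit "av-proxy"
        set feature-set proxy
        set scan-mode default
        config http
            set av-scan block
        end
        config cifs
            set av-scan block
        end
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan-flow"
        set inspection-mode flow
        set utm-status enable
        set av-profile "av-flow"
    next
    edit 2
        set name "lan-to-wan-proxy"
        set inspection-mode proxy
        set utm-status enable
        set av-profile "av-proxy"
    next
end
"""


def parse_fortios(text):
    """Parse into {table: {entry: {setting: value, "_sub": {proto: {...}}}}}.

    A 'config <proto>' block nested inside an 'edit' entry (as in AV profiles)
    is stored under that entry's "_sub" key. Unknown lines are ignored.
    """
    tables, stack = {}, []  # stack holds the dict the current block writes into
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts:
            continue
        kw, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if kw == "config":
            block = {}
            if stack and stack[-1][0] == "edit":
                stack[-1][1].setdefault("_sub", {})[rest] = block
            else:
                tables[rest] = block
            stack.append(("config", block))
        elif kw == "edit":
            entry = {}
            stack[-1][1][rest.strip('"')] = entry
            stack.append(("edit", entry))
        elif kw == "set":
            key, _, value = rest.partition(" ")
            stack[-1][1][key] = value.strip().strip('"')
        elif kw in ("next", "end") and stack:
            stack.pop()
    return tables


def lint(tables):
    """Return (policy name, finding) pairs for AV settings the policy mode cannot honour."""
    findings = []
    profiles = tables.get("antivirus profile", {})
    for pid, pol in tables.get("firewall policy", {}).items():
        name, prof_name = pol.get("name", pid), pol.get("av-profile")
        if pol.get("utm-status") != "enable" or not prof_name:
            continue  # no AV applied on this policy
        prof = profiles.get(prof_name)
        if prof is None:
            findings.append((name, f"av-profile {prof_name!r} is not defined"))
            continue
        # Assumption: a policy with no inspection-mode key is flow-based.
        mode = pol.get("inspection-mode", "flow")
        for proto, sub in prof.get("_sub", {}).items():
            if proto not in AV_PROTOCOLS or sub.get("av-scan", "disable") == "disable":
                continue
            if mode == "flow" and proto in FLOW_UNSUPPORTED:
                findings.append((name, f"{proto.upper()} scanning set in {prof_name!r} but flow mode cannot inspect it"))
            elif mode == "proxy" and proto == "cifs":
                findings.append((name, PROXY_CIFS_NOTE))
        if mode == "flow" and "scan-mode" in prof:
            findings.append((name, "scan-mode has no effect on flow-based AV (removed in v6.4.0)"))
    return findings


if __name__ == "__main__":
    for policy, msg in lint(parse_fortios(SAMPLE_CONFIG)):
        print(f"[{policy}] {msg}")
```

Run against a real export (for example the output of `show full-configuration`), the same two functions flag the policies where a protocol is enabled in the profile but silently not scanned by the mode the policy uses, which is the gap an attacker delivering malware over MAPI or SSH through a flow-mode policy would benefit from.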

