Fortinet black logo

Administration Guide

External blocklist - File hashes

External blocklist - File hashes

The malware hash threat feed connector supports a list of file hashes that can be used as part of virus outbreak prevention.

This example retrieves a malware hash from an Amazon S3 bucket, and then enables malware block lists in a antivirus profile.

To configure a malware hash connector in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.
  2. In the Threat Feeds section, click Malware Hash.
  3. Set Name to AWS_Malware_Hash.
  4. Set the URI of external resource to https://s3.us-west-2.amazonaws.com/malware-hash-feeds/fortinet-malware-hash-list.

  5. Click OK.
  6. Edit the connector, then click View Entries to view the hash list.

  7. Go to Security Profiles > AntiVirus and create a new profile, or edit an existing one.
  8. Enable Use External Malware Block List.
  9. Click Apply.
To configure a malware hash connector in the CLI:
config system external-resource
    edit "AWS_Malware_Hash"
        set type malware
        set resource "https://s3.us-west-2.amazonaws.com/malware-hash-feeds/fortinet-malware-hash-list"
    next
end
config antivirus profile
    edit "av-profile"
        config outbreak-prevention
            set external-blocklist enable
        end
    next
end

Logs

The filehash and filehashsrc are included in outbreak prevention detection event logs.

This example shows the log generated when a file is detected by external malware hash list outbreak prevention:

1: date=2018-07-30 time=13:59:41 logid="0207008212" type="utm" subtype="virus" eventtype="malware-list" level="warning" vd="root" eventtime=1532984381 msg="Blocked by local malware list." action="blocked" service="HTTP" sessionid=174963 srcip=192.168.101.20 dstip=172.16.67.148 srcport=37045 dstport=80 srcintf="lan" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="mhash_block.com" checksum="90f0cb57" quarskip="No-skip" virus="mhash_block.com" dtype="File Hash" filehash="93bdd30bd381b018b9d1b89e8e6d8753" filehashsrc="test_list" url="http://172.16.67.148/mhash_block.com" profile="mhash_test" agent="Firefox/43.0" analyticssubmit="false"

Related Videos

sidebar video

External Dynamic Block List for Hashes

  • 8,884 views
  • 5 years ago

External blocklist - File hashes

The malware hash threat feed connector supports a list of file hashes that can be used as part of virus outbreak prevention.

This example retrieves a malware hash from an Amazon S3 bucket, and then enables malware block lists in a antivirus profile.

To configure a malware hash connector in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.
  2. In the Threat Feeds section, click Malware Hash.
  3. Set Name to AWS_Malware_Hash.
  4. Set the URI of external resource to https://s3.us-west-2.amazonaws.com/malware-hash-feeds/fortinet-malware-hash-list.

  5. Click OK.
  6. Edit the connector, then click View Entries to view the hash list.

  7. Go to Security Profiles > AntiVirus and create a new profile, or edit an existing one.
  8. Enable Use External Malware Block List.
  9. Click Apply.
To configure a malware hash connector in the CLI:
config system external-resource
    edit "AWS_Malware_Hash"
        set type malware
        set resource "https://s3.us-west-2.amazonaws.com/malware-hash-feeds/fortinet-malware-hash-list"
    next
end
config antivirus profile
    edit "av-profile"
        config outbreak-prevention
            set external-blocklist enable
        end
    next
end

Logs

The filehash and filehashsrc are included in outbreak prevention detection event logs.

This example shows the log generated when a file is detected by external malware hash list outbreak prevention:

1: date=2018-07-30 time=13:59:41 logid="0207008212" type="utm" subtype="virus" eventtype="malware-list" level="warning" vd="root" eventtime=1532984381 msg="Blocked by local malware list." action="blocked" service="HTTP" sessionid=174963 srcip=192.168.101.20 dstip=172.16.67.148 srcport=37045 dstport=80 srcintf="lan" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="mhash_block.com" checksum="90f0cb57" quarskip="No-skip" virus="mhash_block.com" dtype="File Hash" filehash="93bdd30bd381b018b9d1b89e8e6d8753" filehashsrc="test_list" url="http://172.16.67.148/mhash_block.com" profile="mhash_test" agent="Firefox/43.0" analyticssubmit="false"