External blocklist - File hashes
The malware hash threat feed connector supports a list of file hashes that can be used as part of virus outbreak prevention.
This example retrieves a malware hash list from an Amazon S3 bucket, and then enables the external malware block list in an antivirus profile.
To configure a malware hash connector in the GUI:
- Go to Security Fabric > External Connectors and click Create New.
- In the Threat Feeds section, click Malware Hash.
- Set Name to AWS_Malware_Hash.
- Set the URI of external resource to https://s3.us-west-2.amazonaws.com/malware-hash-feeds/fortinet-malware-hash-list.
- Click OK.
- Edit the connector, then click View Entries to view the hash list.
- Go to Security Profiles > AntiVirus and create a new profile, or edit an existing one.
- Enable Use External Malware Block List.
- Click Apply.
To configure a malware hash connector in the CLI:
```
config system external-resource
    edit "AWS_Malware_Hash"
        set type malware
        set resource "https://s3.us-west-2.amazonaws.com/malware-hash-feeds/fortinet-malware-hash-list"
    next
end
```

```
config antivirus profile
    edit "av-profile"
        config outbreak-prevention
            set external-blocklist enable
        end
    next
end
```
Logs
The filehash and filehashsrc fields are included in outbreak prevention detection event logs.
This example shows the log generated when a file is detected by external malware hash list outbreak prevention:
```
1: date=2018-07-30 time=13:59:41 logid="0207008212" type="utm" subtype="virus" eventtype="malware-list" level="warning" vd="root" eventtime=1532984381 msg="Blocked by local malware list." action="blocked" service="HTTP" sessionid=174963 srcip=192.168.101.20 dstip=172.16.67.148 srcport=37045 dstport=80 srcintf="lan" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="mhash_block.com" checksum="90f0cb57" quarskip="No-skip" virus="mhash_block.com" dtype="File Hash" filehash="93bdd30bd381b018b9d1b89e8e6d8753" filehashsrc="test_list" url="http://172.16.67.148/mhash_block.com" profile="mhash_test" agent="Firefox/43.0" analyticssubmit="false"
```
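The following Python script is an added example, not code from Fortinet or from this page. It ties the two halves of the page together: it validates a local copy of the hash feed before it is published to the S3 bucket (rejecting lines that are not MD5, SHA-1 or SHA-256 hex digests), parses the FortiOS key=value log record shown above into a dictionary, and checks that the filehash reported in an eventtype="malware-list" block is actually present in the feed copy. The feed layout assumed here (one hash per line, an optional description after whitespace, `#` comment lines) is an assumption made for the example, and the feed contents are constructed; the log line is the one from the page.

```python
import re

# Constructed sample feed. Layout (hash, optional description, '#' comments) is an
# assumption for this example; the first hash is the one reported in the page's log.
SAMPLE_FEED = """\
# constructed sample malware hash feed
93bdd30bd381b018b9d1b89e8e6d8753 mhash_block.com test sample
da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1 of an empty file
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 sha256 of an empty file
not-a-hash some junk line
"""

# The log record from the page, including the "1: " record index that
# FortiOS prints in front of each entry of 'execute log display'.
LOG_LINE = (
    '1: date=2018-07-30 time=13:59:41 logid="0207008212" type="utm" subtype="virus" '
    'eventtype="malware-list" level="warning" vd="root" eventtime=1532984381 '
    'msg="Blocked by local malware list." action="blocked" service="HTTP" sessionid=174963 '
    'srcip=192.168.101.20 dstip=172.16.67.148 srcport=37045 dstport=80 srcintf="lan" '
    'srcintfrole="lan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" '
    'filename="mhash_block.com" checksum="90f0cb57" quarskip="No-skip" virus="mhash_block.com" '
    'dtype="File Hash" filehash="93bdd30bd381b018b9d1b89e8e6d8753" filehashsrc="test_list" '
    'url="http://172.16.67.148/mhash_block.com" profile="mhash_test" agent="Firefox/43.0" '
    'analyticssubmit="false"'
)

# Accepted digest lengths (hex characters) and the algorithm each implies.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"[0-9a-f]+")


def parse_feed(text):
    """Return ({hash: description}, [rejected raw lines]) for a hash feed file.

    Blank lines and '#' comments are skipped; any line whose first token is not a
    lower-case hex MD5/SHA-1/SHA-256 digest is reported so it can be fixed before upload.
    """
    entries, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        description = parts[1] if len(parts) > 1 else ""
        if len(digest) in HASH_LENGTHS and HEX_RE.fullmatch(digest):
            entries[digest] = description
        else:
            rejected.append(raw)
    return entries, rejected


# FortiOS log fields are key=value pairs; values are either "double quoted" (may
# contain spaces) or bare tokens without whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line):
    """Parse one FortiOS log record into a dict, dropping the leading record index."""
    line = re.sub(r"^\d+:\s*", "", line)
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_external_hash_block(fields):
    """True for a UTM virus event produced by the external malware block list."""
    return (
        fields.get("type") == "utm"
        and fields.get("subtype") == "virus"
        and fields.get("eventtype") == "malware-list"
        and fields.get("action") == "blocked"
        and "filehash" in fields
    )


def correlate(log_line, feed_text):
    """Match a block event's filehash against the local feed copy; None if not a hash block."""
    fields = parse_fortios_log(log_line)
    if not is_external_hash_block(fields):
        return None
    entries, _ = parse_feed(feed_text)
    digest = fields["filehash"].lower()
    return {
        "filehash": digest,
        "filehashsrc": fields.get("filehashsrc"),
        "srcip": fields.get("srcip"),
        "url": fields.get("url"),
        "in_local_copy": digest in entries,
        "description": entries.get(digest),
    }


if __name__ == "__main__":
    good, bad = parse_feed(SAMPLE_FEED)
    print(f"feed: {len(good)} valid hashes, {len(bad)} rejected line(s): {bad}")
    print(correlate(LOG_LINE, SAMPLE_FEED))
```

Running the script on the constructed feed accepts three digests and rejects the junk line, and the correlation reports that the page's filehash (from source test_list) is present in the local copy. A missing hash in the correlation step usually means the feed published to S3 and the copy kept locally have drifted, which is worth checking after every feed refresh.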