
Stream-based antivirus scan in proxy mode for FTP, SFTP, and SCP

Stream-based antivirus scanning in proxy mode is supported for FTP, SFTP, and SCP protocols.

  • Stream-based antivirus scanning optimizes memory utilization for large archive files by decompressing the files on the fly and scanning the files as they are extracted.

  • File types can be determined after scanning a few KB, without buffering the entire file.

  • Viruses can be detected even if they are hiding in the middle or end of a large archive.

  • When scanning smaller files, traffic throughput is improved by scanning the files directly on the proxy based WAD daemon, without invoking scanunit.

Stream-based scanning is the default scan mode when an antivirus profile is in proxy mode. To disable stream-based scanning, set the scan mode to legacy; archives are then only scanned after the entire file has been received.

To configure stream-based scan:
config antivirus profile
    edit <string>
        ...
        set feature-set proxy
        set scan-mode {default* | legacy}
        ...
    next
end

TCP windows

Some file transfer applications can negotiate large TCP windows. For example, WinSCP can negotiate an initial TCP window size of about 2 GB.

The TCP window options can be used to prevent overly large initial TCP window sizes, helping avoid channel flow control issues. They also allow the stream-based scan's flow control to stop peers from sending more data than a policy's configured oversize limit.

To configure TCP window size options:
config firewall profile-protocol-options
    edit <string>
        config {ftp | ssh}
            ...
            set stream-based-uncompressed-limit <integer>
            set tcp-window-type {system | static | dynamic}
            set tcp-window-size <integer>
            set tcp-window-minimum <integer>
            set tcp-window-maximum <integer>
            ...
        end
    next
end

{ftp | ssh}

  • ftp: Configure FTP protocol options.

  • ssh: Configure SFTP and SCP protocol options.

stream-based-uncompressed-limit <integer>

The maximum stream-based uncompressed data size that will be scanned, in MB (default = 0, which means unlimited).

Stream-based decompression is used only under certain conditions.

tcp-window-type {system | static | dynamic}

The TCP window type to use for this protocol.

  • system: Use the system default TCP window size for this protocol (default).

  • static: Manually specify the TCP window size.

  • dynamic: Vary the TCP window size based on available memory within the limits configured in tcp‑window‑minimum and tcp‑window‑maximum.

tcp-window-size <integer>

The TCP static window size (65536 - 33554432, default = 262144).

This option is only available when tcp‑window‑type is static.

tcp-window-minimum <integer>

The minimum TCP dynamic window size (65536 - 1048576, default = 131072).

This option is only available when tcp‑window‑type is dynamic.

tcp-window-maximum <integer>

The maximum TCP dynamic window size (1048576 - 33554432, default = 8388608).

This option is only available when tcp‑window‑type is dynamic.
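A small validator and renderer for the two CLI fragments above, added here as an example (it is not Fortinet's code and does not talk to a FortiGate). It encodes the value ranges and the "only available when tcp-window-type is ..." rules from this page so an automation pipeline can reject a bad antivirus profile or profile-protocol-options entry before pushing it; the profile names and the 512 MB limit used in the demo are assumptions.

```python
# Added example, not Fortinet code: validate and render the two CLI fragments
# on this page. Ranges come from the page; names/limit in the demo are assumptions.
from dataclasses import dataclass
from typing import List, Optional

STATIC_RANGE = (65536, 33554432)     # tcp-window-size (default 262144)
DYN_MIN_RANGE = (65536, 1048576)     # tcp-window-minimum (default 131072)
DYN_MAX_RANGE = (1048576, 33554432)  # tcp-window-maximum (default 8388608)


def _check_range(name: str, value: int, rng) -> None:
    lo, hi = rng
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside {lo}-{hi}")


@dataclass
class TcpWindow:
    kind: str = "system"           # tcp-window-type: system | static | dynamic
    size: Optional[int] = None     # tcp-window-size, static only
    minimum: Optional[int] = None  # tcp-window-minimum, dynamic only
    maximum: Optional[int] = None  # tcp-window-maximum, dynamic only

    def validate(self) -> None:
        """Enforce the 'only available when tcp-window-type is ...' rules."""
        if self.kind not in ("system", "static", "dynamic"):
            raise ValueError(f"unknown tcp-window-type {self.kind!r}")
        if self.kind != "static" and self.size is not None:
            raise ValueError("tcp-window-size needs tcp-window-type static")
        if self.kind != "dynamic" and (self.minimum, self.maximum) != (None, None):
            raise ValueError("tcp-window-minimum/maximum need tcp-window-type dynamic")
        if self.kind == "static":
            _check_range("tcp-window-size", 262144 if self.size is None else self.size, STATIC_RANGE)
        elif self.kind == "dynamic":
            lo = 131072 if self.minimum is None else self.minimum
            hi = 8388608 if self.maximum is None else self.maximum
            _check_range("tcp-window-minimum", lo, DYN_MIN_RANGE)
            _check_range("tcp-window-maximum", hi, DYN_MAX_RANGE)
            if lo > hi:
                raise ValueError("tcp-window-minimum must not exceed tcp-window-maximum")

    def cli_lines(self) -> List[str]:
        self.validate()
        lines = [f"set tcp-window-type {self.kind}"]
        for opt, val in (("tcp-window-size", self.size), ("tcp-window-minimum", self.minimum),
                         ("tcp-window-maximum", self.maximum)):
            if val is not None:
                lines.append(f"set {opt} {val}")
        return lines


def is_valid(window: TcpWindow) -> bool:
    try:
        window.validate()
        return True
    except ValueError:
        return False


def antivirus_profile_cli(name: str, scan_mode: str = "default") -> str:
    """Proxy-mode antivirus profile; scan-mode legacy turns stream-based scanning off."""
    if scan_mode not in ("default", "legacy"):
        raise ValueError(f"scan-mode must be default or legacy, got {scan_mode!r}")
    return "\n".join(["config antivirus profile", f'    edit "{name}"',
                      "        set feature-set proxy", f"        set scan-mode {scan_mode}",
                      "    next", "end"])


def protocol_options_cli(name: str, ftp: TcpWindow, ssh: TcpWindow,
                         uncompressed_limit_mb: int = 0) -> str:
    """profile-protocol-options for ftp and ssh (ssh covers SFTP and SCP); limit in MB, 0 = unlimited."""
    if uncompressed_limit_mb < 0:
        raise ValueError("stream-based-uncompressed-limit must be >= 0")
    out = ["config firewall profile-protocol-options", f'    edit "{name}"']
    for proto, win in (("ftp", ftp), ("ssh", ssh)):
        out.append(f"        config {proto}")
        out.append(f"            set stream-based-uncompressed-limit {uncompressed_limit_mb}")
        out.extend("            " + line for line in win.cli_lines())
        out.append("        end")
    return "\n".join(out + ["    next", "end"])


if __name__ == "__main__":
    # Demo (assumed names): dynamic SSH window capped at 4 MB so an SFTP/SCP client
    # cannot open a multi-GB window ahead of the stream scanner; FTP left on system default.
    print(antivirus_profile_cli("av-stream"))
    print(protocol_options_cli("proto-ftp-ssh", TcpWindow(),
                               TcpWindow("dynamic", minimum=131072, maximum=4194304), 512))
```

The rendered text matches the CLI syntax shown on this page, so it can be pasted into a FortiGate console or fed to a config-push tool; a window that mixes static and dynamic options, or a limit outside the documented ranges, is rejected with a ValueError before anything reaches the device.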
