Malware threat feed from EMS

A FortiGate can pull malware threat feeds from FortiClient EMS, which in turn receives malware hashes detected by FortiClients. The malware hash can be used in an antivirus profile when AV scanning is enabled with block or monitor actions. This feature is supported in proxy and flow mode.


If an external malware blocklist and the FortiGuard outbreak prevention database are also enabled in the antivirus profile, the checking order is: AV local database, EMS threat feed, external malware blocklist, FortiGuard outbreak prevention database. If the EMS threat feed and external malware blocklist contain the same hash value, then the EMS infection will be reported if both of them are blocked.

To configure an EMS threat feed in an antivirus profile in the GUI:
  1. Enable the EMS threat feed:
    1. Go to Security Fabric > Fabric Connectors and double-click the FortiClient EMS card.
    2. Enable EMS Threat Feed.
    3. Configure the other settings if needed (see FortiClient EMS for more details).

    4. Click OK.
  2. Create the antivirus profile:
    1. Go to Security Profiles > AntiVirus and click Create New.
    2. In the Virus Outbreak Prevention section, enable Use EMS threat feed.
    3. Configure the other settings as needed.