External malware block list

The external malware block list allows users to add their own malware signatures in the form of MD5, SHA1, and SHA256 hashes. The FortiGate's antivirus database retrieves an external malware hash list from a remote server and polls the hash list every n minutes for updates. Enabling the AV engine scan is not required to use this feature.

The external malware block list can be used in both proxy-based and flow-based policy inspections, but it is not supported in AV quick scan mode.

Note that using different types of hashes simultaneously may slow down the performance of malware scanning. It is recommended to use one type of hash.

To create the external block list:
  1. Create the malware hash list.

    The malware hash list follows a strict format in order for its contents to be valid. Malware hash signature entries must be separated into each line. A valid signature needs to follow this format:

    # MD5 Entry with hash description
    aa67243f746e5d76f68ec809355ec234  md5_sample1
    # SHA1 Entry with hash description
    a57983cb39e25ab80d7d3dc05695dd0ee0e49766  sha1_sample2
    # SHA256 Entry with hash description
    ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379  sha256_sample1
    # Entry without hash description
    # Invalid entries
  2. Configure the external malware block list source:
    1. Go to Security Fabric > External Connectors and click Create New.
    2. Click Malware Hash.
    3. Configure the settings as needed. The URI must point to the malware hash list on the remote server.
    4. Click OK.
  3. To view entries inside the malware block list on the External Connectors page, hover over the malware hash card and click View Entries.
To configure antivirus to use an external block list in the GUI: