Fortinet black logo

Administration Guide

Home FortiGate / FortiOS 7.0.12 Administration Guide
7.0.12
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0

Testing an antivirus profile

Testing an antivirus profile

Antivirus (AV) profiles can be tested using various file samples to confirm whether AV is correctly configured. In this topic, an AV profile is configured, applied to a firewall policy, and a user attempts to download sample virus test files hosted on eicar.org and fortiguard.com.

Different sample files are used to verify different features on the AV profile. The expectation is these files must be blocked by the AV profile, and the user should be presented with a block page.

File

Test case

EICAR test file

A plain text EICAR test file (hosted on eicar.org over a HTTPS connection) to test basic AV scanning on the FortiGate using deep inspection.

AI sample file

A machine learning sample file to test AI-based malware detection on the FortiGate.

Virus outbreak (VO) sample file

A zero-day sample virus file to test the outbreak prevention feature of the AV profile.

Basic configuration

For the following AV test cases, the test PC has an IP of 192.168.1.110/24 and is connected to the internal1 interface. It accesses the internet through the wan1 interface.

Configuring the AV profile

The default AV profile is used, and the Use FortiGuard outbreak prevention database setting is enabled with the action set to block.

To configure the AV profile:

  1. Go to Security Profiles > AntiVirus and edit the default profile.

  2. In the Virus Outbreak Prevention section, enable Use FortiGuard outbreak prevention database and select Block. See FortiGuard outbreak prevention for more information about this setting.

  3. Configure the other settings as needed (see Configuring an antivirus profile).

  4. Click OK.

By default, the FortiOS AV Engine has AI-based malware detection enabled (set machine-learning-detection enable) . The AV Engine AI malware detection model integrates into regular AV scanning to help detect potentially malicious Windows Portable Executables (PEs) in order to mitigate zero-day attacks. See AI-based malware detection for more information.

To verify the status of the AV Engine AI contract:
# diagnose autoupdate versions | grep AI -A6
AI/Machine Learning Malware Detection Model
---------
Version: 2.12588 signed
Contract Expiry Date: Tue Jul  9 2024
Last Updated using scheduled update on Tue Sep  5 08:23:15 2023
Last Update Attempt: Tue Sep  5 09:23:00 2023
Result: No Updates

Configuring the SSL SSH profile and firewall policy

The PC will be accessing and downloading the test files using HTTPS from the EICAR and the FortiGuard websites. Since HTTPS traffic is encrypted traffic, in order for the FortiGate to scan the encrypted traffic and inspect it for viruses and malware, it should act as the machine-in-the-middle to decrypt this communication and then re-encrypt it to send it to the website. Deep inspection must be enabled in the SSL SSH profile that will be applied to the firewall policy (see Deep inspection). The custom-deep-inspection profile is modified to remove the fortinet FQDN address from the exemption list.

To configure the SSL SSH profile:

  1. Go to Security Profiles > SSL/SSH Inspection and edit the custom-deep-inspection profile.

  2. In the Exempt from SSL Inspection section, locate the fortinet FQDN entry in the Addresses field, and click the X to delete it.

  3. Click OK.

To configure the firewall policy:

  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure the following settings:

    Name

    To Internet

    Incoming Interface

    internal1

    Outgoing Interface

    wan1

    AntiVirus

    Enable and select default.

    SSL Inspection

    Select custom-deep-inspection.

  3. Configure the other settings as needed (see Policies).

    Note

    The feature set setting (proxy or flow) in the antivirus profile must match the inspection mode setting (proxy or flow) in the associated firewall policy. For example, a flow-based antivirus profile must be used with a flow-based firewall policy.

  4. Click OK.

Example 1: EICAR test file

EICAR hosts anti-malware test files, which are available to download from https://www.eicar.org/download-anti-malware-testfile.

To test the AV profile with the EICAR test file:

  1. On the PC, go to the EICAR website and download the eicar.com file.

  2. The download attempt is blocked by the FortiGate’s default AV profile, and a block page appears in the PC's browser.

  3. Verify the AV log.

    1. In the GUI, go to Log & Report > AntiVirus. Select the log entry and click Details.

    2. In the CLI, enter the following:

      # execute log filter category 2
# execute log display
date=2023-08-30 time=14:51:26 eventtime=1693432286598227820 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1 poluuid="c65fa590-4758-51ee-4d28-f2cc75f14979" policytype="policy" msg="File is infected." action="blocked" service="HTTPS" sessionid=15797 srcip=192.168.1.110 dstip=89.238.73.97 srcport=64641 dstport=443 srccountry="Reserved" dstcountry="Germany" srcintf="internal1" srcintfrole="undefined" dstintf="wan1" dstintfrole="wan" srcuuid="ab8d1c24-30b1-51ee-138a-f7be846c205d" dstuuid="ab8d1c24-30b1-51ee-138a-f7be846c205d" proto=6 direction="incoming" filename="eicar.com" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="https://secure.eicar.org/eicar.com" profile="default" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0" httpmethod="GET" referralurl="https://www.eicar.org/" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

Example 2: AI sample file

FortiGuard provides several sample files to test the AV configuration on the FortiGate, which are available to download from https://www.fortiguard.com/sample-files.

To test the AV profile with the AI sample file:

  1. On the PC, go to the FortiGuard website and download the AI Sample file.

  2. The download attempt is blocked by the FortiGate’s default AV profile, and a block page appears in the PC's browser.

    The file is blocked due to AI-based malware detection and will be logged. Files detected by the AV Engine AI are identified with the W32/AI.Pallas.Suspicious virus signature in the AV logs.

  3. Verify the AV log.

    1. In the GUI, go to Log & Report > AntiVirus. Select the log entry and click Details.

    2. In the CLI, enter the following:

      # execute log filter category 2
# execute log display
date=2023-08-30 time=17:28:57 eventtime=1693441737721077640 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1 poluuid="c65fa590-4758-51ee-4d28-f2cc75f14979" policytype="policy" msg="File is infected." action="blocked" service="HTTPS" sessionid=1179 srcip=192.168.1.110 dstip=209.52.38.129 srcport=63117 dstport=443 srccountry="Reserved" dstcountry="Canada" srcintf="internal1" srcintfrole="undefined" dstintf="wan1" dstintfrole="wan" srcuuid="6c43f8d6-478a-51ee-95d8-31177232e869" dstuuid="6c43f8d6-478a-51ee-95d8-31177232e869" proto=6 direction="incoming" filename="ai_sample1" quarskip="Quarantine-disabled" virus="W32/AI.Pallas.Suspicious" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=W32%2FAI.Pallas.Suspicious" virusid=8187637 url="https://filestore.fortinet.com/fortiguard/test-files/ml/ai_sample1" profile="default" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0" httpmethod="GET" referralurl="https://www.fortiguard.com/" analyticscksum="7057e364dbf09b6de7a6cc152b8967e50ed86a0edf97cfd2e88b142ac41873f0" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

  4. Verify the AV (scanunit daemon) real-time debug:

    # diagnose sys scanunit debug  all
# diagnose sys scanunit debug level verbose
su 4655 req vfid 0 id 2 ep 0 new request from ipsengine pid 4998, size 4096, fwd-pol 1, oversize 0, url-exempt 0x0, ff-done 0, partial-data 0, dir srv->clt, http-block 0
su 4655 job 157 req vfid 0 id 2 ep 0 received; ack 157, data type: 2
su 4655 job 157 request info:
su 4655 job 157   client N/A server N/A
su 4655 job 157   object_name 'ai_sample1'
su 4655 job 157 heuristic scan enabled
su 4655 job 157 enable databases 0f (core avai mmdb extended)
su 4655 job 157 scan file 'ai_sample1' bytes 4096
su 4655 job 157 file-hash query, level 0, filename 'ai_sample1' size 4096
su 4655 job 157   sha1 'e027a991fd3f03961d05d25cd27617d2945be10b'
su 4655 job 157 scan return status 2
su 4655 job 157 scan status 2 infection 2 virus 8187637 'W32/AI.Pallas.Suspicious' s_type 4 cate 0 fsize 4096 hr 100 checksum 1619585399
su 4655 job 157 add quarantine file 'ai_sample1' virus 'W32/AI.Pallas.Suspicious' infection_type 2
su 4655 job 157 settings are such that file won't be quarantined
su 4655 job 157 not wanted for analytics: post-transfer scan submission is disabled at protocol level (m 2 r 2)
su 4655 job 157 report HEURISTIC infection priority 1
su 4655 job 157 insert infection HEURISTIC SUCCEEDED loc (nil) off 0 sz 0 at index 0 total infections 1 error 0
su 4655 job 157 send result
su 4655 job 157 close
su 4654 open

Example 3: VO sample file

To test the AV profile with the VO sample file:

  1. On the PC, go to the FortiGuard website and download the VO Sample file.

  2. The download attempt is blocked by the FortiGate’s default AV profile, and a block page appears in the PC's browser.

    The file is blocked due to the virus outbreak protection service and database that is enabled in the default AV profile.

  3. Verify the AV log.

    1. In the GUI, go to Log & Report > AntiVirus. Select the log entry and click Details.

    2. In the CLI, enter the following:

      # execute log filter category 2
# execute log display
date=2023-08-30 time=17:50:33 eventtime=1693443033509250120 tz="-0700" logid="0204008202" type="utm" subtype="virus" eventtype="outbreak-prevention" level="warning" vd="root" policyid=1 poluuid="c65fa590-4758-51ee-4d28-f2cc75f14979" policytype="policy" msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="HTTPS" sessionid=2501 srcip=192.168.1.110 dstip=209.52.38.129 srcport=63450 dstport=443 srccountry="Reserved" dstcountry="Canada" srcintf="internal1" srcintfrole="undefined" dstintf="wan1" dstintfrole="wan" srcuuid="6c43f8d6-478a-51ee-95d8-31177232e869" dstuuid="6c43f8d6-478a-51ee-95d8-31177232e869" proto=6 direction="incoming" filename="zhvo_test.com" quarskip="Quarantine-disabled" virus="503e99fe40ee120c45bc9a30835e7256fff3e46a" viruscat="File Hash" dtype="outbreak-prevention" filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" url="https://filestore.fortinet.com/fortiguard/test-files/outbreak-prevention/zhvo_test.com" profile="default" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0" httpmethod="GET" referralurl="https://www.fortiguard.com/" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
Previous
Next

Testing an antivirus profile

Antivirus (AV) profiles can be tested using various file samples to confirm whether AV is correctly configured. In this topic, an AV profile is configured, applied to a firewall policy, and a user attempts to download sample virus test files hosted on eicar.org and fortiguard.com.

Different sample files are used to verify different features on the AV profile. The expectation is these files must be blocked by the AV profile, and the user should be presented with a block page.

File

Test case

EICAR test file

A plain text EICAR test file (hosted on eicar.org over a HTTPS connection) to test basic AV scanning on the FortiGate using deep inspection.

AI sample file

A machine learning sample file to test AI-based malware detection on the FortiGate.

Virus outbreak (VO) sample file

A zero-day sample virus file to test the outbreak prevention feature of the AV profile.

Basic configuration

For the following AV test cases, the test PC has an IP of 192.168.1.110/24 and is connected to the internal1 interface. It accesses the internet through the wan1 interface.

Configuring the AV profile

The default AV profile is used, and the Use FortiGuard outbreak prevention database setting is enabled with the action set to block.

To configure the AV profile:

  1. Go to Security Profiles > AntiVirus and edit the default profile.

  2. In the Virus Outbreak Prevention section, enable Use FortiGuard outbreak prevention database and select Block. See FortiGuard outbreak prevention for more information about this setting.

  3. Configure the other settings as needed (see Configuring an antivirus profile).

  4. Click OK.

By default, the FortiOS AV Engine has AI-based malware detection enabled (set machine-learning-detection enable) . The AV Engine AI malware detection model integrates into regular AV scanning to help detect potentially malicious Windows Portable Executables (PEs) in order to mitigate zero-day attacks. See AI-based malware detection for more information.

To verify the status of the AV Engine AI contract:
# diagnose autoupdate versions | grep AI -A6
AI/Machine Learning Malware Detection Model
---------
Version: 2.12588 signed
Contract Expiry Date: Tue Jul  9 2024
Last Updated using scheduled update on Tue Sep  5 08:23:15 2023
Last Update Attempt: Tue Sep  5 09:23:00 2023
Result: No Updates

Configuring the SSL SSH profile and firewall policy

The PC will be accessing and downloading the test files using HTTPS from the EICAR and the FortiGuard websites. Since HTTPS traffic is encrypted traffic, in order for the FortiGate to scan the encrypted traffic and inspect it for viruses and malware, it should act as the machine-in-the-middle to decrypt this communication and then re-encrypt it to send it to the website. Deep inspection must be enabled in the SSL SSH profile that will be applied to the firewall policy (see Deep inspection). The custom-deep-inspection profile is modified to remove the fortinet FQDN address from the exemption list.

To configure the SSL SSH profile:

  1. Go to Security Profiles > SSL/SSH Inspection and edit the custom-deep-inspection profile.

  2. In the Exempt from SSL Inspection section, locate the fortinet FQDN entry in the Addresses field, and click the X to delete it.

  3. Click OK.

To configure the firewall policy:

  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure the following settings:

    Name

    To Internet

    Incoming Interface

    internal1

    Outgoing Interface

    wan1

    AntiVirus

    Enable and select default.

    SSL Inspection

    Select custom-deep-inspection.

  3. Configure the other settings as needed (see Policies).

    Note

    The feature set setting (proxy or flow) in the antivirus profile must match the inspection mode setting (proxy or flow) in the associated firewall policy. For example, a flow-based antivirus profile must be used with a flow-based firewall policy.

  4. Click OK.

Example 1: EICAR test file

EICAR hosts anti-malware test files, which are available to download from https://www.eicar.org/download-anti-malware-testfile.

To test the AV profile with the EICAR test file:

  1. On the PC, go to the EICAR website and download the eicar.com file.

  2. The download attempt is blocked by the FortiGate’s default AV profile, and a block page appears in the PC's browser.

  3. Verify the AV log.

    1. In the GUI, go to Log & Report > AntiVirus. Select the log entry and click Details.

    2. In the CLI, enter the following:

      # execute log filter category 2
# execute log display
date=2023-08-30 time=14:51:26 eventtime=1693432286598227820 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1 poluuid="c65fa590-4758-51ee-4d28-f2cc75f14979" policytype="policy" msg="File is infected." action="blocked" service="HTTPS" sessionid=15797 srcip=192.168.1.110 dstip=89.238.73.97 srcport=64641 dstport=443 srccountry="Reserved" dstcountry="Germany" srcintf="internal1" srcintfrole="undefined" dstintf="wan1" dstintfrole="wan" srcuuid="ab8d1c24-30b1-51ee-138a-f7be846c205d" dstuuid="ab8d1c24-30b1-51ee-138a-f7be846c205d" proto=6 direction="incoming" filename="eicar.com" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="https://secure.eicar.org/eicar.com" profile="default" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0" httpmethod="GET" referralurl="https://www.eicar.org/" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

Example 2: AI sample file

FortiGuard provides several sample files to test the AV configuration on the FortiGate, which are available to download from https://www.fortiguard.com/sample-files.

To test the AV profile with the AI sample file:

  1. On the PC, go to the FortiGuard website and download the AI Sample file.

  2. The download attempt is blocked by the FortiGate’s default AV profile, and a block page appears in the PC's browser.

    The file is blocked due to AI-based malware detection and will be logged. Files detected by the AV Engine AI are identified with the W32/AI.Pallas.Suspicious virus signature in the AV logs.

  3. Verify the AV log.

    1. In the GUI, go to Log & Report > AntiVirus. Select the log entry and click Details.

    2. In the CLI, enter the following:

      # execute log filter category 2
# execute log display
date=2023-08-30 time=17:28:57 eventtime=1693441737721077640 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1 poluuid="c65fa590-4758-51ee-4d28-f2cc75f14979" policytype="policy" msg="File is infected." action="blocked" service="HTTPS" sessionid=1179 srcip=192.168.1.110 dstip=209.52.38.129 srcport=63117 dstport=443 srccountry="Reserved" dstcountry="Canada" srcintf="internal1" srcintfrole="undefined" dstintf="wan1" dstintfrole="wan" srcuuid="6c43f8d6-478a-51ee-95d8-31177232e869" dstuuid="6c43f8d6-478a-51ee-95d8-31177232e869" proto=6 direction="incoming" filename="ai_sample1" quarskip="Quarantine-disabled" virus="W32/AI.Pallas.Suspicious" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=W32%2FAI.Pallas.Suspicious" virusid=8187637 url="https://filestore.fortinet.com/fortiguard/test-files/ml/ai_sample1" profile="default" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0" httpmethod="GET" referralurl="https://www.fortiguard.com/" analyticscksum="7057e364dbf09b6de7a6cc152b8967e50ed86a0edf97cfd2e88b142ac41873f0" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

  4. Verify the AV (scanunit daemon) real-time debug:

    # diagnose sys scanunit debug  all
# diagnose sys scanunit debug level verbose
su 4655 req vfid 0 id 2 ep 0 new request from ipsengine pid 4998, size 4096, fwd-pol 1, oversize 0, url-exempt 0x0, ff-done 0, partial-data 0, dir srv->clt, http-block 0
su 4655 job 157 req vfid 0 id 2 ep 0 received; ack 157, data type: 2
su 4655 job 157 request info:
su 4655 job 157   client N/A server N/A
su 4655 job 157   object_name 'ai_sample1'
su 4655 job 157 heuristic scan enabled
su 4655 job 157 enable databases 0f (core avai mmdb extended)
su 4655 job 157 scan file 'ai_sample1' bytes 4096
su 4655 job 157 file-hash query, level 0, filename 'ai_sample1' size 4096
su 4655 job 157   sha1 'e027a991fd3f03961d05d25cd27617d2945be10b'
su 4655 job 157 scan return status 2
su 4655 job 157 scan status 2 infection 2 virus 8187637 'W32/AI.Pallas.Suspicious' s_type 4 cate 0 fsize 4096 hr 100 checksum 1619585399
su 4655 job 157 add quarantine file 'ai_sample1' virus 'W32/AI.Pallas.Suspicious' infection_type 2
su 4655 job 157 settings are such that file won't be quarantined
su 4655 job 157 not wanted for analytics: post-transfer scan submission is disabled at protocol level (m 2 r 2)
su 4655 job 157 report HEURISTIC infection priority 1
su 4655 job 157 insert infection HEURISTIC SUCCEEDED loc (nil) off 0 sz 0 at index 0 total infections 1 error 0
su 4655 job 157 send result
su 4655 job 157 close
su 4654 open

Example 3: VO sample file

To test the AV profile with the VO sample file:

  1. On the PC, go to the FortiGuard website and download the VO Sample file.

  2. The download attempt is blocked by the FortiGate’s default AV profile, and a block page appears in the PC's browser.

    The file is blocked due to the virus outbreak protection service and database that is enabled in the default AV profile.

  3. Verify the AV log.

    1. In the GUI, go to Log & Report > AntiVirus. Select the log entry and click Details.

    2. In the CLI, enter the following:

      # execute log filter category 2
# execute log display
date=2023-08-30 time=17:50:33 eventtime=1693443033509250120 tz="-0700" logid="0204008202" type="utm" subtype="virus" eventtype="outbreak-prevention" level="warning" vd="root" policyid=1 poluuid="c65fa590-4758-51ee-4d28-f2cc75f14979" policytype="policy" msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="HTTPS" sessionid=2501 srcip=192.168.1.110 dstip=209.52.38.129 srcport=63450 dstport=443 srccountry="Reserved" dstcountry="Canada" srcintf="internal1" srcintfrole="undefined" dstintf="wan1" dstintfrole="wan" srcuuid="6c43f8d6-478a-51ee-95d8-31177232e869" dstuuid="6c43f8d6-478a-51ee-95d8-31177232e869" proto=6 direction="incoming" filename="zhvo_test.com" quarskip="Quarantine-disabled" virus="503e99fe40ee120c45bc9a30835e7256fff3e46a" viruscat="File Hash" dtype="outbreak-prevention" filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" url="https://filestore.fortinet.com/fortiguard/test-files/outbreak-prevention/zhvo_test.com" profile="default" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0" httpmethod="GET" referralurl="https://www.fortiguard.com/" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
Previous
Next