Malware threat feed from EMS
A FortiGate can pull malware threat feeds from FortiClient EMS, which in turn receives malware hashes detected by FortiClients. The malware hash can be used in an antivirus profile when AV scanning is enabled with block or monitor actions. This feature is supported in proxy and flow mode.
If an external malware blocklist and the FortiGuard outbreak prevention database are also enabled in the antivirus profile, the checking order is: AV local database, EMS threat feed, external malware blocklist, FortiGuard outbreak prevention database. If the EMS threat feed and external malware blocklist contain the same hash value, then the EMS infection will be reported if both of them are blocked. |
To configure an EMS threat feed in an antivirus profile in the GUI:
- Enable the EMS threat feed:
- Go to Security Fabric > Fabric Connectors and double-click the FortiClient EMS card.
- Enable EMS Threat Feed.
- Configure the other settings if needed (see Configuring FortiClient EMS for more details).
- Click OK.
- Create the antivirus profile:
- Go to Security Profiles > AntiVirus and click Create New.
- In the Virus Outbreak Prevention section, enable Use EMS threat feed.
- Configure the other settings as needed.
- Click OK.
To configure an EMS threat feed in an antivirus profile in the CLI:
- Enable the EMS threat feed:
config endpoint-control fctems edit "WIN10-EMS" set fortinetone-cloud-authentication disable set server "192.168.20.10" set https-port 443 set source-ip 0.0.0.0 set pull-sysinfo enable set pull-vulnerabilities enable set pull-avatars enable set pull-tags enable set pull-malware-hash enable unset capabilities set call-timeout 30 set websocket-override disable next end
- Create the antivirus profile:
config antivirus profile edit "av" config http set av-scan block end config ftp set av-scan block end config imap set av-scan block end config pop3 set av-scan block end config smtp set av-scan block end config cifs set av-scan block end set external-blocklist-enable-all enable set ems-threat-feed enable next end
Sample log
# execute log filter category utm-virus # execute log display
1: date=2021-03-19 time=16:06:46 eventtime=1616195207055607417 tz="-0700" logid="0208008217" type="utm" subtype="virus" eventtype="ems-threat-feed" level="notice" vd="vd1" policyid=1 msg="Detected by EMS threat feed." action="monitored" service="HTTPS" sessionid=1005 srcip=10.1.100.24 dstip=172.16.200.214 srcport=54674 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 direction="incoming" filename="creditcardSSN.pdf" quarskip="Quarantine-disabled" virus="Email scan" dtype="File Hash" filehash="22466078c2d52dfd5ebbbd6c4207ddec6ac61aa82f960dc54cfbc83b8eb42ed1" filehashsrc="test" url="https://172.16.200.214/hash/creditcardSSN.pdf" profile="av" agent="curl/7.68.0" analyticssubmit="false" crscore=10 craction=2 crlevel="medium"
2: date=2021-03-19 time=16:06:13 eventtime=1616195173832494609 tz="-0700" logid="0208008216" type="utm" subtype="virus" eventtype="ems-threat-feed" level="warning" vd="vd1" policyid=1 msg="Blocked by EMS threat feed." action="blocked" service="HTTPS" sessionid=898 srcip=10.1.100.24 dstip=172.16.200.214 srcport=54672 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 direction="incoming" filename="BouncingButton.pdf" quarskip="Quarantine-disabled" virus="Email scan" dtype="File Hash" filehash="a601431acd5004c37bf8fd02fccfdacbb54b27c8648d1d41ad14fa3eaf8651d3" filehashsrc="test" url="https://172.16.200.214/hash/BouncingButton.pdf" profile="av" agent="curl/7.68.0" analyticssubmit="false" crscore=10 craction=2 crlevel="medium"