Testing an antivirus profile
Antivirus (AV) profiles can be tested using various file samples to confirm whether AV is correctly configured. In this topic, an AV profile is configured, applied to a firewall policy, and a user attempts to download sample virus test files hosted on eicar.org and fortiguard.com.
Different sample files are used to verify different features of the AV profile. The expectation is that the AV profile blocks each of these files and the user is presented with a block page.
File | Test case
---|---
eicar.com | A plain text EICAR test file (hosted on eicar.org over an HTTPS connection) to test basic AV scanning on the FortiGate using deep inspection.
AI Sample | A machine learning sample file to test AI-based malware detection on the FortiGate.
VO Sample | A zero-day sample virus file to test the outbreak prevention feature of the AV profile.
Windows Executable | Files that are detected by a sandbox. This requires FortiSandbox integration with the FortiGate.
For the following AV test cases, the test PC has the IP address 192.168.1.110/24 and is connected to the internal1 interface. It accesses the internet through the wan1 interface.
Configuring the AV profile
The default AV profile is used, and the Use FortiGuard outbreak prevention database setting is enabled with the action set to block.
To configure the AV profile:
- Go to Security Profiles > AntiVirus and edit the default profile.
- In the Virus Outbreak Prevention section, enable Use FortiGuard outbreak prevention database and select Block. See FortiGuard outbreak prevention for more information about this setting.
- Configure the other settings as needed (see Configuring an antivirus profile).
- Click OK.
By default, the FortiOS AV Engine has AI-based malware detection enabled (set machine-learning-detection enable). The AV Engine AI malware detection model integrates into regular AV scanning to help detect potentially malicious Windows Portable Executables (PEs) in order to mitigate zero-day attacks. See AI-based malware detection for more information.
To verify the status of the AV Engine AI contract:
```
# diagnose autoupdate versions | grep AI -A6
AI/Machine Learning Malware Detection Model
---------
Version: 2.12588 signed
Contract Expiry Date: Tue Jul 9 2024
Last Updated using scheduled update on Tue Sep 5 08:23:15 2023
Last Update Attempt: Tue Sep 5 09:23:00 2023
Result: No Updates
```
Configuring the SSL SSH profile and firewall policy
The PC will be accessing and downloading the test files using HTTPS from the EICAR and the FortiGuard websites. Since HTTPS traffic is encrypted traffic, in order for the FortiGate to scan the encrypted traffic and inspect it for viruses and malware, it should act as the machine-in-the-middle to decrypt this communication and then re-encrypt it to send it to the website. Deep inspection must be enabled in the SSL SSH profile that will be applied to the firewall policy (see Deep inspection). The custom-deep-inspection profile is modified to remove the fortinet FQDN address from the exemption list.
To configure the SSL SSH profile:
- Go to Security Profiles > SSL/SSH Inspection and edit the custom-deep-inspection profile.
- In the Exempt from SSL Inspection section, locate the fortinet FQDN entry in the Addresses field, and click the X to delete it.
- Click OK.
To configure the firewall policy:
- Go to Policy & Objects > Firewall Policy and click Create New.
- Configure the following settings:

Setting | Value
---|---
Name | To Internet
Incoming Interface | internal1
Outgoing Interface | wan1
AntiVirus | Enable and select default.
SSL Inspection | Select custom-deep-inspection.

- Configure the other settings as needed (see Policies).
The feature set setting (proxy or flow) in the antivirus profile must match the inspection mode setting (proxy or flow) in the associated firewall policy. For example, a flow-based antivirus profile must be used with a flow-based firewall policy.
- Click OK.
Example 1: EICAR test file
EICAR hosts anti-malware test files, which are available to download from https://www.eicar.org/download-anti-malware-testfile.
To test the AV profile with the EICAR test file:
- On the PC, go to the EICAR website and download the eicar.com file.
- The download attempt is blocked by the FortiGate's default AV profile, and a block page appears in the PC's browser.
- Check the antivirus statistics on the FortiGate. HTTP virus detected increases by one:
```
# diagnose ips av stats show
AV stats:
HTTP virus detected: 1
HTTP virus blocked: 0
SMTP virus detected: 0
SMTP virus blocked: 0
POP3 virus detected: 0
POP3 virus blocked: 0
IMAP virus detected: 0
IMAP virus blocked: 0
NNTP virus detected: 0
NNTP virus blocked: 0
FTP virus detected: 0
FTP virus blocked: 0
SMB virus detected: 0
SMB virus blocked: 0
```
- Check the antivirus statistics using an SNMP walk:
```
root:~# snmpwalk -c public -v 1 10.1.100.6 1.3.6.1.4.1.12356.101.8.2.1.1
iso.3.6.1.4.1.12356.101.8.2.1.1.1.1 = Counter32: 2 (fgAvVirusDetected)
iso.3.6.1.4.1.12356.101.8.2.1.1.2.1 = Counter32: 1 (fgAvVirusBlocked)
iso.3.6.1.4.1.12356.101.8.2.1.1.3.1 = Counter32: 1 (fgAvHTTPVirusDetected)
iso.3.6.1.4.1.12356.101.8.2.1.1.4.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.5.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.6.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.7.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.8.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.9.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.10.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.11.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.12.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.13.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.14.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.15.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.16.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.17.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.18.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.19.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.20.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.21.1 = Counter32: 0
iso.3.6.1.4.1.12356.101.8.2.1.1.22.1 = Counter32: 0
```
- Verify the AV log.
  - In the GUI, go to Log & Report > AntiVirus. Select the log entry and click Details.
  - In the CLI, enter the following:
```
# execute log filter category 2
# execute log display
date=2023-08-30 time=14:51:26 eventtime=1693432286598227820 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1 poluuid="c65fa590-4758-51ee-4d28-f2cc75f14979" policytype="policy" msg="File is infected." action="blocked" service="HTTPS" sessionid=15797 srcip=192.168.1.110 dstip=89.238.73.97 srcport=64641 dstport=443 srccountry="Reserved" dstcountry="Germany" srcintf="internal1" srcintfrole="undefined" dstintf="wan1" dstintfrole="wan" srcuuid="ab8d1c24-30b1-51ee-138a-f7be846c205d" dstuuid="ab8d1c24-30b1-51ee-138a-f7be846c205d" proto=6 direction="incoming" filename="eicar.com" quarskip="Quarantine-disabled" virus="EICAR_TEST_FILE" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=EICAR_TEST_FILE" virusid=2172 url="https://secure.eicar.org/eicar.com" profile="default" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0" httpmethod="GET" referralurl="https://www.eicar.org/" analyticscksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
```
- Optionally, reset the antivirus statistics to zero:
```
# diagnose ips av stats clear
```
See CLI troubleshooting cheat sheet for log gathering, analysis, and troubleshooting.
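The "increases by one" check above can be automated by snapshotting the counters before and after the download. The following is an added example (not part of the Fortinet documentation) that parses the output of diagnose ips av stats show and of the SNMP walk of fgAvStatsTable and reports which counters grew; the before/after excerpts are constructed from the outputs shown above, and only the three SNMP columns named on this page are mapped to names.

```python
import re

# Constructed excerpts of 'diagnose ips av stats show': a baseline taken before
# the EICAR download and a snapshot taken after the block.
DIAG_BEFORE = "AV stats:\nHTTP virus detected: 0\nHTTP virus blocked: 0\nSMTP virus detected: 0\n"
DIAG_AFTER = "AV stats:\nHTTP virus detected: 1\nHTTP virus blocked: 0\nSMTP virus detected: 0\n"

# Constructed snmpwalk excerpts of fgAvStatsTable (1.3.6.1.4.1.12356.101.8.2.1.1);
# the last OID component (.1) is the VDOM index. Only columns 1-3 are named on this page.
SNMP_BEFORE = ("iso.3.6.1.4.1.12356.101.8.2.1.1.1.1 = Counter32: 1\n"
               "iso.3.6.1.4.1.12356.101.8.2.1.1.2.1 = Counter32: 1\n"
               "iso.3.6.1.4.1.12356.101.8.2.1.1.3.1 = Counter32: 0\n")
SNMP_AFTER = ("iso.3.6.1.4.1.12356.101.8.2.1.1.1.1 = Counter32: 2 (fgAvVirusDetected)\n"
              "iso.3.6.1.4.1.12356.101.8.2.1.1.2.1 = Counter32: 1 (fgAvVirusBlocked)\n"
              "iso.3.6.1.4.1.12356.101.8.2.1.1.3.1 = Counter32: 1 (fgAvHTTPVirusDetected)\n")
FG_AV_COLUMNS = {1: "fgAvVirusDetected", 2: "fgAvVirusBlocked", 3: "fgAvHTTPVirusDetected"}

DIAG_RE = re.compile(r"^\s*(\w+ virus (?:detected|blocked)):\s*(\d+)\s*$")
SNMP_RE = re.compile(r"^iso\.3\.6\.1\.4\.1\.12356\.101\.8\.2\.1\.1\.(\d+)\.(\d+) = Counter32: (\d+)")


def parse_diag_av_stats(text):
    """Parse 'diagnose ips av stats show' output into {counter name: value}."""
    stats = {}
    for line in text.splitlines():
        m = DIAG_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def parse_snmp_av_stats(text):
    """Parse fgAvStatsTable snmpwalk lines into {name.vdomindex: value}.
    Columns this page does not name are kept under a numeric placeholder name."""
    stats = {}
    for line in text.splitlines():
        m = SNMP_RE.match(line)
        if m:
            col, vdom, value = int(m.group(1)), int(m.group(2)), int(m.group(3))
            stats[f"{FG_AV_COLUMNS.get(col, f'fgAvStatsColumn{col}')}.{vdom}"] = value
    return stats


def counter_deltas(before, after):
    """Return {counter: increase} for every counter that grew between the snapshots.
    A counter missing from the baseline is treated as having started at zero."""
    return {k: v - before.get(k, 0) for k, v in after.items() if v > before.get(k, 0)}


def eicar_test_passed(diag_before, diag_after):
    """The check this page describes: one blocked EICAR download over HTTPS must
    raise 'HTTP virus detected' by exactly one."""
    deltas = counter_deltas(parse_diag_av_stats(diag_before), parse_diag_av_stats(diag_after))
    return deltas.get("HTTP virus detected") == 1
```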
Example 2: AI sample file
FortiGuard provides several sample files to test the AV configuration on the FortiGate, which are available to download from https://www.fortiguard.com/sample-files.
To test the AV profile with the AI sample file:
- On the PC, go to the FortiGuard website and download the AI Sample file.
- The download attempt is blocked by the FortiGate's default AV profile, and a block page appears in the PC's browser.
The file is blocked due to AI-based malware detection and will be logged. Files detected by the AV Engine AI are identified with the W32/AI.Pallas.Suspicious virus signature in the AV logs.
- Verify the AV log.
  - In the GUI, go to Log & Report > AntiVirus. Select the log entry and click Details.
  - In the CLI, enter the following:
```
# execute log filter category 2
# execute log display
date=2023-08-30 time=17:28:57 eventtime=1693441737721077640 tz="-0700" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1 poluuid="c65fa590-4758-51ee-4d28-f2cc75f14979" policytype="policy" msg="File is infected." action="blocked" service="HTTPS" sessionid=1179 srcip=192.168.1.110 dstip=209.52.38.129 srcport=63117 dstport=443 srccountry="Reserved" dstcountry="Canada" srcintf="internal1" srcintfrole="undefined" dstintf="wan1" dstintfrole="wan" srcuuid="6c43f8d6-478a-51ee-95d8-31177232e869" dstuuid="6c43f8d6-478a-51ee-95d8-31177232e869" proto=6 direction="incoming" filename="ai_sample1" quarskip="Quarantine-disabled" virus="W32/AI.Pallas.Suspicious" viruscat="Virus" dtype="av-engine" ref="http://www.fortinet.com/ve?vn=W32%2FAI.Pallas.Suspicious" virusid=8187637 url="https://filestore.fortinet.com/fortiguard/test-files/ml/ai_sample1" profile="default" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0" httpmethod="GET" referralurl="https://www.fortiguard.com/" analyticscksum="7057e364dbf09b6de7a6cc152b8967e50ed86a0edf97cfd2e88b142ac41873f0" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
```
- Verify the AV (scanunit daemon) real-time debug:
```
# diagnose sys scanunit debug all
# diagnose sys scanunit debug level verbose
su 4655 req vfid 0 id 2 ep 0 new request from ipsengine pid 4998, size 4096, fwd-pol 1, oversize 0, url-exempt 0x0, ff-done 0, partial-data 0, dir srv->clt, http-block 0
su 4655 job 157 req vfid 0 id 2 ep 0 received; ack 157, data type: 2
su 4655 job 157 request info:
su 4655 job 157 client N/A server N/A
su 4655 job 157 object_name 'ai_sample1'
su 4655 job 157 heuristic scan enabled
su 4655 job 157 enable databases 0f (core avai mmdb extended)
su 4655 job 157 scan file 'ai_sample1' bytes 4096
su 4655 job 157 file-hash query, level 0, filename 'ai_sample1' size 4096
su 4655 job 157 sha1 'e027a991fd3f03961d05d25cd27617d2945be10b'
su 4655 job 157 scan return status 2
su 4655 job 157 scan status 2 infection 2 virus 8187637 'W32/AI.Pallas.Suspicious' s_type 4 cate 0 fsize 4096 hr 100 checksum 1619585399
su 4655 job 157 add quarantine file 'ai_sample1' virus 'W32/AI.Pallas.Suspicious' infection_type 2
su 4655 job 157 settings are such that file won't be quarantined
su 4655 job 157 not wanted for analytics: post-transfer scan submission is disabled at protocol level (m 2 r 2)
su 4655 job 157 report HEURISTIC infection priority 1
su 4655 job 157 insert infection HEURISTIC SUCCEEDED loc (nil) off 0 sz 0 at index 0 total infections 1 error 0
su 4655 job 157 send result
su 4655 job 157 close
su 4654 open
```
Example 3: VO sample file
To test the AV profile with the VO sample file:
- On the PC, go to the FortiGuard website and download the VO Sample file.
- The download attempt is blocked by the FortiGate's default AV profile, and a block page appears in the PC's browser.
The file is blocked due to the virus outbreak protection service and database that is enabled in the default AV profile.
- Verify the AV log.
  - In the GUI, go to Log & Report > AntiVirus. Select the log entry and click Details.
  - In the CLI, enter the following:
```
# execute log filter category 2
# execute log display
date=2023-08-30 time=17:50:33 eventtime=1693443033509250120 tz="-0700" logid="0204008202" type="utm" subtype="virus" eventtype="outbreak-prevention" level="warning" vd="root" policyid=1 poluuid="c65fa590-4758-51ee-4d28-f2cc75f14979" policytype="policy" msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="HTTPS" sessionid=2501 srcip=192.168.1.110 dstip=209.52.38.129 srcport=63450 dstport=443 srccountry="Reserved" dstcountry="Canada" srcintf="internal1" srcintfrole="undefined" dstintf="wan1" dstintfrole="wan" srcuuid="6c43f8d6-478a-51ee-95d8-31177232e869" dstuuid="6c43f8d6-478a-51ee-95d8-31177232e869" proto=6 direction="incoming" filename="zhvo_test.com" quarskip="Quarantine-disabled" virus="503e99fe40ee120c45bc9a30835e7256fff3e46a" viruscat="File Hash" dtype="outbreak-prevention" filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" url="https://filestore.fortinet.com/fortiguard/test-files/outbreak-prevention/zhvo_test.com" profile="default" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0" httpmethod="GET" referralurl="https://www.fortiguard.com/" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
```
Example 4: behavioral-based samples detected by a sandbox
The FortiGate can be integrated with FortiSandbox appliance (used in this example), FortiSandbox Cloud, or FortiGate Cloud Sandbox. See Configuring Sandboxing for more information about configuring the different FortiSandbox sandbox solutions.
In this example, when a client attempts to download a file, the AV profile is configured to send All Supported Files to the FortiSandbox appliance for scanning and allows the file to be downloaded by the client in the first attempt. After the FortiSandbox scans and presents a verdict, it updates its malware signature database and the FortiGate retrieves the malware signature database from FortiSandbox if the FortiSandbox database is enabled.
If a user attempts to download the file again, the FortiGate will either block or allow the download depending on the FortiSandbox verdict. See Using FortiSandbox with antivirus for more information.
This example assumes that the scan profile has already been configured in FortiSandbox. See Verify the FortiSandbox Analysis in the FortiSandbox Administration Guide for more information.
To test the AV profile with a Windows executable sample file:
- Integrate the FortiGate with the FortiSandbox appliance using the Security Fabric (see Configuring Sandboxing).
- Update the AV profile to send All Supported Files to FortiSandbox for inspection (see Using FortiSandbox with antivirus).
- On the PC, go to the FortiGuard website, hover over the Windows Executable link, right-click, and select the browser's option to copy the link.
- Open another browser tab, paste the URL, and append &s=<string> to it, for example https://filegen.fortinet.com/v1/sandbox-file?file_name=windows.exe&s=ftnt*123. Every file download attempt from the FortiGuard website downloads a new file. Downloading a file with the same <string> ensures that the downloaded file is the same, and not a new file. A file named windows.exe is downloaded by the client, and a copy is sent to the FortiSandbox appliance for analysis.
- Verify the AV log to confirm that the file was submitted to FortiSandbox:
```
# execute log filter category 2
# execute log display
date=2023-11-07 time=15:28:41 eventtime=1699399721812721581 tz="-0800" logid="0201009233" type="utm" subtype="virus" eventtype="analytics" level="information" vd="root" policyid=1 poluuid="6f2b2dee-478a-51ee-e9c3-b7218be554fe" policytype="policy" msg="File submitted to Sandbox." action="analytics" service="HTTPS" sessionid=28695 srcip=192.168.1.110 dstip=209.52.38.145 srcport=52741 dstport=443 srccountry="Reserved" dstcountry="Canada" srcintf="internal1" srcintfrole="undefined" dstintf="wan1" dstintfrole="wan" srcuuid="a051eeb2-5284-51ee-99d0-d8b19cb7439d" dstuuid="6c43f8d6-478a-51ee-95d8-31177232e869" proto=6 direction="incoming" filename="windows.exe" filetype="exe" url="https://filegen.fortinet.com/v1/sandbox-file?file_name=windows.exe&s=ftnt*123" profile="default" agent="Chrome/118.0.0.0" analyticscksum="8f6392d051fa38e79d66bafed67ce8a1f907b7a9d376b1e270cea2647c2aa3c5" analyticssubmit="true" rawdata="Method=GET|Response-Content-Type=application/octet-stream|user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
```
- After FortiSandbox finishes scanning the file (typically between one and three minutes), attempt to re-download the file using the same URL and string (https://filegen.fortinet.com/v1/sandbox-file?file_name=windows.exe&s=ftnt*123).
- The file is now blocked by the FortiGate, and a High Security Alert block page appears in the PC's browser.
- Verify the AV log again.
  - In the GUI, go to Log & Report > AntiVirus. Select the log entry and click Details.
  - In the CLI, enter the following:
```
# execute log filter category 2
# execute log display
date=2023-11-07 time=15:40:17 eventtime=1699400417588527201 tz="-0800" logid="0211009234" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=1 poluuid="6f2b2dee-478a-51ee-e9c3-b7218be554fe" policytype="policy" msg="File reported infected by Sandbox." action="blocked" service="HTTPS" sessionid=28695 srcip=192.168.1.110 dstip=209.52.38.145 srcport=52741 dstport=443 srccountry="Reserved" dstcountry="Canada" srcintf="internal1" srcintfrole="undefined" dstintf="wan1" dstintfrole="wan" srcuuid="a051eeb2-5284-51ee-99d0-d8b19cb7439d" dstuuid="6c43f8d6-478a-51ee-95d8-31177232e869" proto=6 direction="incoming" filename="windows.exe" checksum="c1fa1de7" quarskip="No-skip" virus="FSA/RISK_HIGH" viruscat="Virus" dtype="fortisandbox" ref="http://www.fortinet.com/ve?vn=FSA%2FRISK_HIGH" virusid=8 url="https://filegen.fortinet.com/v1/sandbox-file?file_name=windows.exe&s=ftnt*123" profile="default" agent="Chrome/118.0.0.0" analyticscksum="8f6392d051fa38e79d66bafed67ce8a1f907b7a9d376b1e270cea2647c2aa3c5" analyticssubmit="true" crscore=30 craction=2 crlevel="high" rawdata="Method=GET|Response-Content-Type=application/octet-stream|user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
```
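Each of the four examples above is verified by reading the same kind of FortiOS key=value AV log entry, differing only in the dtype and verdict fields. The following is an added example (not Fortinet code) that parses such entries and checks that every test file on this page produced the expected verdict; the log excerpts are constructed from the entries shown in Examples 1 to 4 with only the relevant fields kept, and the sandbox case requires the blocking entry, not just the "File submitted to Sandbox" entry, to count as a pass.

```python
import shlex

# Constructed excerpts of the AV log entries shown in Examples 1-4 (fields and
# values as on the page, trimmed to what the checks below use).
AV_LOGS = [
    'date=2023-08-30 time=14:51:26 logid="0211008192" type="utm" subtype="virus" eventtype="infected" msg="File is infected." action="blocked" service="HTTPS" srcip=192.168.1.110 filename="eicar.com" virus="EICAR_TEST_FILE" dtype="av-engine" url="https://secure.eicar.org/eicar.com" profile="default"',
    'date=2023-08-30 time=17:28:57 logid="0211008192" type="utm" subtype="virus" eventtype="infected" msg="File is infected." action="blocked" service="HTTPS" srcip=192.168.1.110 filename="ai_sample1" virus="W32/AI.Pallas.Suspicious" dtype="av-engine" profile="default"',
    'date=2023-08-30 time=17:50:33 logid="0204008202" type="utm" subtype="virus" eventtype="outbreak-prevention" msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="HTTPS" srcip=192.168.1.110 filename="zhvo_test.com" viruscat="File Hash" dtype="outbreak-prevention" filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" profile="default"',
    'date=2023-11-07 time=15:28:41 logid="0201009233" type="utm" subtype="virus" eventtype="analytics" msg="File submitted to Sandbox." action="analytics" service="HTTPS" srcip=192.168.1.110 filename="windows.exe" analyticssubmit="true" profile="default"',
    'date=2023-11-07 time=15:40:17 logid="0211009234" type="utm" subtype="virus" eventtype="infected" msg="File reported infected by Sandbox." action="blocked" service="HTTPS" srcip=192.168.1.110 filename="windows.exe" virus="FSA/RISK_HIGH" dtype="fortisandbox" analyticssubmit="true" profile="default"',
]

# Verdict each test file on this page is expected to produce in the AV log.
EXPECTED = {
    "eicar.com": {"action": "blocked", "dtype": "av-engine", "virus": "EICAR_TEST_FILE"},
    "ai_sample1": {"action": "blocked", "dtype": "av-engine", "virus": "W32/AI.Pallas.Suspicious"},
    "zhvo_test.com": {"action": "blocked", "dtype": "outbreak-prevention", "filehashsrc": "fortiguard"},
    "windows.exe": {"action": "blocked", "dtype": "fortisandbox", "virus": "FSA/RISK_HIGH"},
}


def parse_fortios_log(line):
    """Split one FortiOS key=value log line into a dict. shlex handles quoted
    values that contain spaces (msg="File is infected."); only the first '='
    separates key from value, so URLs with query strings stay intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify(entry):
    """Name the stage a virus-subtype entry represents: a sandbox submission
    (file allowed on first download), a block by a named detection source, or other."""
    if entry.get("subtype") != "virus":
        return "not-av"
    if entry.get("action") == "analytics":
        return "submitted-to-sandbox"
    if entry.get("action") == "blocked":
        return "blocked:" + entry.get("dtype", "unknown")
    return "other:" + entry.get("action", "")


def check_test_results(lines, expected=EXPECTED):
    """Return {filename: passed} where passed means some entry carries every
    expected field value for that file. The sandbox 'analytics' entry alone
    does not pass Example 4; the later dtype="fortisandbox" block does."""
    results = {name: False for name in expected}
    for line in lines:
        entry = parse_fortios_log(line)
        want = expected.get(entry.get("filename"))
        if want and all(entry.get(k) == v for k, v in want.items()):
            results[entry["filename"]] = True
    return results
```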