Exempt list for files based on individual hash
The antivirus exempt list allows users to exempt known safe files that happen to be incorrectly classified as malicious by the AV signature and AV engine scan. Users can specify file hashes in MD5, SHA1, or SHA256 for matching, which are applied at a per-VDOM level. When matched, the FortiGate ignores the AV scan verdict so that the corresponding UTM behavior defined in the AV profile is not performed.
config antivirus exempt-list
edit <name>
set hash-type {md5 | sha1 | sha256}
set hash <string>
set status {enable | disable}
next
end
|
The exempt list does not apply to results from outbreak prevention, machine learning, FortiNDR, or FortiSandbox inline scans. |
In this example, an antivirus exempt list is configured for the EICAR anti-malware test file. Although the antivirus profile is configured to block HTTP, the client is able to download the file.
To configure an antivirus exempt list:
-
Configure the antivirus profile:
config antivirus profile edit "av" set feature-set proxy config http set av-scan block end next end -
Configure the antivirus exempt list:
config antivirus exempt-list edit "test-hash" set comment "eicar.com" set hash-type md5 set hash "44d88612fea8a8f36de82e1278abb02f" set status enable next end -
Get a client to access https://www.eicar.com/ and download the anti-malware test file.
The FortiGate exempts the AV scan verdict and bypasses the file. The client can download the file and no replacement message is displayed.