Administration Guide

Malware threat feed from EMS

A FortiGate can pull malware threat feeds from FortiClient EMS, which in turn receives the hashes of malware detected by FortiClients. These malware hashes can be used in an antivirus profile when AV scanning is enabled with the block or monitor action. This feature is supported in proxy and flow mode.

Note

If an external malware blocklist and the FortiGuard outbreak prevention database are also enabled in the antivirus profile, the checking order is: AV local database, EMS threat feed, external malware blocklist, FortiGuard outbreak prevention database. If the EMS threat feed and external malware blocklist contain the same hash value, then the EMS infection will be reported if both of them are blocked.

To configure an EMS threat feed in an antivirus profile in the GUI:
  1. Enable the EMS threat feed:
    1. Go to Security Fabric > Fabric Connectors and double-click the FortiClient EMS card.
    2. Enable EMS threat feed.
    3. Configure the other settings if needed (see Configuring FortiClient EMS for more details).
    4. Click OK.
  2. Create the antivirus profile:
    1. Go to Security Profiles > AntiVirus and click Create New.
    2. In the Virus Outbreak Prevention section, enable Use EMS threat feed.
    3. Configure the other settings as needed.
    4. Click OK.

To configure an EMS threat feed in an antivirus profile in the CLI:
  1. Enable the EMS threat feed:
    config endpoint-control fctems
        edit "WIN10-EMS"
            set fortinetone-cloud-authentication disable
            set server "192.168.20.10"
            set https-port 443
            set source-ip 0.0.0.0
            set pull-sysinfo enable
            set pull-vulnerabilities enable
            set pull-avatars enable
            set pull-tags enable
            set pull-malware-hash enable
            unset capabilities
            set call-timeout 30
            set websocket-override disable
        next
    end
  2. Create the antivirus profile:
    config antivirus profile
        edit "av"
            config http
                set av-scan block
            end
            config ftp
                set av-scan block
            end
            config imap
                set av-scan block
            end
            config pop3
                set av-scan block
            end
            config smtp
                set av-scan block
            end
            config cifs
                set av-scan block
            end
            set external-blocklist-enable-all enable
            set ems-threat-feed enable
        next
    end

Sample log
# execute log filter category utm-virus
# execute log display
1: date=2021-03-19 time=16:06:46 eventtime=1616195207055607417 tz="-0700" logid="0208008217" type="utm" subtype="virus" eventtype="ems-threat-feed" level="notice" vd="vd1" policyid=1 msg="Detected by EMS threat feed." action="monitored" service="HTTPS" sessionid=1005 srcip=10.1.100.24 dstip=172.16.200.214 srcport=54674 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 direction="incoming" filename="creditcardSSN.pdf" quarskip="Quarantine-disabled" virus="Email scan" dtype="File Hash" filehash="22466078c2d52dfd5ebbbd6c4207ddec6ac61aa82f960dc54cfbc83b8eb42ed1" filehashsrc="test" url="https://172.16.200.214/hash/creditcardSSN.pdf" profile="av" agent="curl/7.68.0" analyticssubmit="false" crscore=10 craction=2 crlevel="medium"
2: date=2021-03-19 time=16:06:13 eventtime=1616195173832494609 tz="-0700" logid="0208008216" type="utm" subtype="virus" eventtype="ems-threat-feed" level="warning" vd="vd1" policyid=1 msg="Blocked by EMS threat feed." action="blocked" service="HTTPS" sessionid=898 srcip=10.1.100.24 dstip=172.16.200.214 srcport=54672 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 direction="incoming" filename="BouncingButton.pdf" quarskip="Quarantine-disabled" virus="Email scan" dtype="File Hash" filehash="a601431acd5004c37bf8fd02fccfdacbb54b27c8648d1d41ad14fa3eaf8651d3" filehashsrc="test" url="https://172.16.200.214/hash/BouncingButton.pdf" profile="av" agent="curl/7.68.0" analyticssubmit="false" crscore=10 craction=2 crlevel="medium"
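The two log records above are the evidence a SOC analyst would work from when reconciling FortiGate detections with the EMS feed. The following Python script is an added example, not part of the Fortinet guide or FortiOS itself: it parses FortiOS key=value log lines (handling quoted values that contain spaces, such as msg="Blocked by EMS threat feed."), keeps only records with eventtype="ems-threat-feed", and tallies them by action. The two sample lines are embedded as constructed input; the "1:" / "2:" prefixes are the record indexes that "execute log display" prints and are stripped before parsing. The helper names (parse_fortios_log, ems_feed_hits, summarize_actions, is_sha256_hex) are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed input: the two utm-virus records from the "Sample log" section,
# exactly as "execute log display" prints them (index prefix included).
SAMPLE_LOG = r'''
1: date=2021-03-19 time=16:06:46 eventtime=1616195207055607417 tz="-0700" logid="0208008217" type="utm" subtype="virus" eventtype="ems-threat-feed" level="notice" vd="vd1" policyid=1 msg="Detected by EMS threat feed." action="monitored" service="HTTPS" sessionid=1005 srcip=10.1.100.24 dstip=172.16.200.214 srcport=54674 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 direction="incoming" filename="creditcardSSN.pdf" quarskip="Quarantine-disabled" virus="Email scan" dtype="File Hash" filehash="22466078c2d52dfd5ebbbd6c4207ddec6ac61aa82f960dc54cfbc83b8eb42ed1" filehashsrc="test" url="https://172.16.200.214/hash/creditcardSSN.pdf" profile="av" agent="curl/7.68.0" analyticssubmit="false" crscore=10 craction=2 crlevel="medium"
2: date=2021-03-19 time=16:06:13 eventtime=1616195173832494609 tz="-0700" logid="0208008216" type="utm" subtype="virus" eventtype="ems-threat-feed" level="warning" vd="vd1" policyid=1 msg="Blocked by EMS threat feed." action="blocked" service="HTTPS" sessionid=898 srcip=10.1.100.24 dstip=172.16.200.214 srcport=54672 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 direction="incoming" filename="BouncingButton.pdf" quarskip="Quarantine-disabled" virus="Email scan" dtype="File Hash" filehash="a601431acd5004c37bf8fd02fccfdacbb54b27c8648d1d41ad14fa3eaf8651d3" filehashsrc="test" url="https://172.16.200.214/hash/BouncingButton.pdf" profile="av" agent="curl/7.68.0" analyticssubmit="false" crscore=10 craction=2 crlevel="medium"
'''

# One key=value pair: the value is either a double-quoted string (which may
# contain spaces and escaped quotes) or a run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Hash values in the feed are 64 hex digits, i.e. the length of a SHA-256 digest.
_SHA256_RE = re.compile(r'^[0-9a-fA-F]{64}$')


def parse_fortios_log(line: str) -> dict:
    """Turn one FortiOS log line into a dict of field -> value (quotes removed)."""
    # Drop the "N: " record index that "execute log display" prepends.
    line = re.sub(r'^\d+:\s*', '', line.strip())
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_sha256_hex(value: str) -> bool:
    """True if the value has the shape of a SHA-256 digest in hex."""
    return bool(_SHA256_RE.match(value))


def ems_feed_hits(lines) -> list:
    """Return the fields worth triaging from every EMS threat feed virus record.

    Records of other types/subtypes (or non-log lines such as CLI prompts)
    are ignored rather than raising, so the function can be pointed at a raw
    capture of the CLI session.
    """
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_fortios_log(line)
        if (rec.get('type') == 'utm' and rec.get('subtype') == 'virus'
                and rec.get('eventtype') == 'ems-threat-feed'):
            hits.append({
                'time': f"{rec.get('date')} {rec.get('time')}",
                'action': rec.get('action'),
                'filehash': rec.get('filehash', ''),
                'filehash_is_sha256': is_sha256_hex(rec.get('filehash', '')),
                'filename': rec.get('filename'),
                'srcip': rec.get('srcip'),
                'url': rec.get('url'),
                'profile': rec.get('profile'),
            })
    return hits


def summarize_actions(hits) -> Counter:
    """Count EMS feed hits per action ("blocked" vs "monitored")."""
    return Counter(h['action'] for h in hits)


if __name__ == '__main__':
    found = ems_feed_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['time']} {h['action']:<9} {h['srcip']} {h['filename']} {h['filehash']}")
    print(dict(summarize_actions(found)))
```

The split between "monitored" and "blocked" is the first thing to check after enabling the feed: a profile whose av-scan action is monitor will log hits but let the file through, which is exactly what the first record shows. The SHA-256 shape check is there so that a feed entry that is not a full 64-hex-digit hash is noticed at triage time rather than silently never matching.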