Administration Guide

Exempt list for files based on individual hash

The antivirus exempt list allows users to exempt known safe files that happen to be incorrectly classified as malicious by the AV signature and AV engine scan. Users can specify file hashes in MD5, SHA1, or SHA256 for matching, which are applied at a per-VDOM level. When matched, the FortiGate ignores the AV scan verdict so that the corresponding UTM behavior defined in the AV profile is not performed.

config antivirus exempt-list
    edit <name> 
        set hash-type {md5 | sha1 | sha256}
        set hash <string>
        set status {enable | disable}
    next
end
Note

The exempt list does not apply to results from outbreak prevention, machine learning, FortiNDR, or FortiSandbox inline scans.

In this example, an antivirus exempt list is configured for the EICAR anti-malware test file. Although the antivirus profile sets the HTTP AV scan action to block, the client is able to download the file.

To configure an antivirus exempt list:
  1. Configure the antivirus profile:

    config antivirus profile
        edit "av"
            set feature-set proxy
            config http
                set av-scan block
            end
        next
    end
  2. Configure the antivirus exempt list:

    config antivirus exempt-list
        edit "test-hash"
            set comment "eicar.com"
            set hash-type md5
            set hash "44d88612fea8a8f36de82e1278abb02f"
            set status enable
        next
    end
  3. Get a client to access https://www.eicar.com/ and download the anti-malware test file.

    The FortiGate exempts the AV scan verdict and bypasses the file. The client can download the file and no replacement message is displayed.
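Because a matching entry suppresses the AV verdict, the hash should be computed from the exact file that was reviewed and checked against the declared hash-type before it is pasted into the CLI. The following Python sketch is an added example, not Fortinet code: the function names are hypothetical, and lowercasing the hash and rejecting quotes in the name and comment are assumptions made here.

```python
import hashlib
import re
import sys

# Hex digest length for each value accepted by "set hash-type".
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

def file_digest(path, hash_type="sha256", chunk=1 << 20):
    """Stream a file from disk and return its lowercase hex digest."""
    h = hashlib.new(hash_type)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_entry(hash_type, value):
    """Return the problems found in a (hash-type, hash) pair; [] means OK."""
    if hash_type not in HEX_LEN:
        return [f"unsupported hash-type {hash_type!r}"]
    problems = []
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        problems.append("hash is not hexadecimal")
    if len(value) != HEX_LEN[hash_type]:
        problems.append(f"{hash_type} needs {HEX_LEN[hash_type]} hex digits, got {len(value)}")
    return problems

def render_entry(name, hash_type, value, comment=None):
    """Render one entry in the CLI syntax shown above, refusing bad input."""
    problems = check_entry(hash_type, value)
    # Quotes or line breaks in free-text fields would alter the pasted CLI.
    for field in (name, comment or ""):
        if re.search(r'["\\\r\n]', field):
            problems.append(f"unsafe character in {field!r}")
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["config antivirus exempt-list", f'    edit "{name}"']
    if comment:
        lines.append(f'        set comment "{comment}"')
    lines += [f"        set hash-type {hash_type}",
              f'        set hash "{value.lower()}"',
              "        set status enable", "    next", "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    # Usage: python exempt_entry.py <entry-name> <path-to-file>
    entry_name, path = sys.argv[1], sys.argv[2]
    print(render_entry(entry_name, "sha256", file_digest(path)))
```

Run from the command line, the script defaults to SHA256, the strongest of the three supported hash types.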
