Fortinet black logo

Administration Guide

Antivirus techniques

Antivirus techniques

The security of digital systems is a top priority for organizations. A range of techniques and tools are employed to ensure the integrity and reliability of these systems.

The following table describes some of the industry standard techniques that are used for Antivirus protection, and if they can be configured in the GUI or CLI.

Technique

Description

GUI

CLI

Signature-based detection

Antivirus scan detects and compares malicious file against virus signatures database. The FortiGuard Antivirus Service uses content pattern recognition language (CPRL), which is more efficient and accurate than traditional signature-based detection methods.

Content Disarm and Reconstruction (CDR)

CDR sanitizes Office, OpenOffice, PDF, RTF, and XLSB files by removing active content, preserving only the text. See Content disarm and reconstruction for more information.

Virus Outbreak Prevention (VOS)

VOS enhances FortiGate's antivirus database with third-party malware hashes. It checks file hashes against FortiGuard's database. See Virus outbreak prevention for more information.

External Malware Block List

Users can add their own malware signatures to an external list. See External malware block list for more information.

EMS Threat Feed

FortiGate receives malware feeds from FortiClient EMS, which itself gathers detected malware hashes from FortiClients. See EMS threat feed for more information.

Behavior-based detection

Submit suspected malicious files to FortiSandbox for inspection. See Using FortiSandbox post-transfer scanning with antivirus and Using FortiSandbox inline scanning with antivirus for more information.

CIFS Scanning

File filtering and antivirus scanning on Common Internet File System (CIFS) traffic is supported. See CIFS support for more information.

Heuristic Analysis

Identify malicious files such as Windows Portable Executables (PEs) to combat zero-day attacks. See AI-based malware detection for more information.

AI/ML, behavioral, and human analysis

Helps identify, classify, and respond to threats.

See Using FortiNDR inline scanning with antivirus for more information.

See Configuring an antivirus profile and Testing an antivirus profile for more information.

Content disarm and reconstruction

Content disarm and reconstruction (CDR) allows the FortiGate to sanitize Microsoft Office documents and PDF files (including those that are in ZIP archives) by removing active content, such as hyperlinks, embedded media, JavaScript, macros, and so on from the files (disarm) without affecting the integrity of its textual content (reconstruction).

CDR is supported on HTTP, SMTP, POP3, and IMAP.

Note

HTTP GET is supported, but not HTTP POST.

SMTP splice and client-comfort mode are not supported.

CDR does not support flow-based inspection modes.

It allows network administrators to protect their users from malicious document files. See Content disarm and reconstruction for a configuration example.

Virus outbreak prevention

FortiGuard VOS allows the FortiGate antivirus database to be supplemented with third-party malware hash signatures curated by FortiGuard. This allows VOS to manage zero-day threats effectively. The hash signatures are obtained from FortiGuard's Global Threat Intelligence database. Any signature that is added to FortiGuard becomes immediately active, eliminating the need to wait for AVDB (antivirus database) update. The AVDB queries FortiGuard with the hash of a scanned file. If FortiGuard returns a match, the scanned file is deemed to be malicious. Enabling the AV engine scan is not required to use this feature.

FortiGuard VOS can be used in both proxy-based and flow-based policy inspections across all supported protocols.

Note

The FortiGate must be registered with a valid FortiGuard outbreak prevention license.

See FortiGuard outbreak prevention for a configuration example.

External malware block list

The external malware block list allows users to add their own malware signatures in the form of MD5, SHA1, and SHA256 hashes. The FortiGate's antivirus database retrieves an external malware hash list from a remote server and polls the hash list every n minutes for updates. Enabling the AV engine scan is not required to use this feature.

The external malware block list can be used in both proxy-based and flow-based policy inspections, but it is not supported in AV quick scan mode.

Note that using different types of hashes simultaneously may slow down the performance of malware scanning. It is recommended to use one type of hash.

See External malware block list and Malware hash threat feed for more details and configuration examples.

EMS threat feed

A FortiGate can pull malware threat feeds from FortiClient EMS, which in turn receives malware hashes detected by FortiClients. The malware hash can be used in an antivirus profile when AV scanning is enabled with block or monitor actions. This feature is supported in proxy and flow mode.

Note

If an external malware blocklist and the FortiGuard outbreak prevention database are also enabled in the antivirus profile, the checking order is: AV local database, EMS threat feed, external malware blocklist, FortiGuard outbreak prevention database. If the EMS threat feed and external malware blocklist contain the same hash value, then the EMS infection will be reported if both of them are blocked.

See Malware threat feed from EMS for more details and configuration examples.

AI-based malware detection

The AV Engine AI malware detection model integrates into regular AV scanning to help detect potentially malicious Windows Portable Executables (PEs) in order to mitigate zero-day attacks. Previously, this type of detection was handled by heuristics that analyzed file behavior. With AV Engine AI, the module is trained by FortiGuard AV against many malware samples to identify file features that make up the malware. The AV Engine AI package can be downloaded by FortiOS via FortiGuard on devices with an active AV subscription. The machine-learning-detection setting is enabled by default at a per-VDOM level. Files detected by the AV Engine AI are identified with the W32/AI.Pallas.Suspicious virus signature.

To configure machine learning-based malware detection:
config antivirus settings
     set machine-learning-detection {enable| monitor | disable}
end

FortiGuard provides several sample files to test the AV configuration on the FortiGate, which are available to download from https://www.fortiguard.com/sample-files. Test the AI-based malware detection feature by downloading AI Sample file. See Example 2: AI sample file.

Antivirus techniques

The security of digital systems is a top priority for organizations. A range of techniques and tools are employed to ensure the integrity and reliability of these systems.

The following table describes some of the industry standard techniques that are used for Antivirus protection, and if they can be configured in the GUI or CLI.

Technique

Description

GUI

CLI

Signature-based detection

Antivirus scan detects and compares malicious file against virus signatures database. The FortiGuard Antivirus Service uses content pattern recognition language (CPRL), which is more efficient and accurate than traditional signature-based detection methods.

Content Disarm and Reconstruction (CDR)

CDR sanitizes Office, OpenOffice, PDF, RTF, and XLSB files by removing active content, preserving only the text. See Content disarm and reconstruction for more information.

Virus Outbreak Prevention (VOS)

VOS enhances FortiGate's antivirus database with third-party malware hashes. It checks file hashes against FortiGuard's database. See Virus outbreak prevention for more information.

External Malware Block List

Users can add their own malware signatures to an external list. See External malware block list for more information.

EMS Threat Feed

FortiGate receives malware feeds from FortiClient EMS, which itself gathers detected malware hashes from FortiClients. See EMS threat feed for more information.

Behavior-based detection

Submit suspected malicious files to FortiSandbox for inspection. See Using FortiSandbox post-transfer scanning with antivirus and Using FortiSandbox inline scanning with antivirus for more information.

CIFS Scanning

File filtering and antivirus scanning on Common Internet File System (CIFS) traffic is supported. See CIFS support for more information.

Heuristic Analysis

Identify malicious files such as Windows Portable Executables (PEs) to combat zero-day attacks. See AI-based malware detection for more information.

AI/ML, behavioral, and human analysis

Helps identify, classify, and respond to threats.

See Using FortiNDR inline scanning with antivirus for more information.

See Configuring an antivirus profile and Testing an antivirus profile for more information.

Content disarm and reconstruction

Content disarm and reconstruction (CDR) allows the FortiGate to sanitize Microsoft Office documents and PDF files (including those that are in ZIP archives) by removing active content, such as hyperlinks, embedded media, JavaScript, macros, and so on from the files (disarm) without affecting the integrity of its textual content (reconstruction).

CDR is supported on HTTP, SMTP, POP3, and IMAP.

Note

HTTP GET is supported, but not HTTP POST.

SMTP splice and client-comfort mode are not supported.

CDR does not support flow-based inspection modes.

It allows network administrators to protect their users from malicious document files. See Content disarm and reconstruction for a configuration example.

Virus outbreak prevention

FortiGuard VOS allows the FortiGate antivirus database to be supplemented with third-party malware hash signatures curated by FortiGuard. This allows VOS to manage zero-day threats effectively. The hash signatures are obtained from FortiGuard's Global Threat Intelligence database. Any signature that is added to FortiGuard becomes immediately active, eliminating the need to wait for AVDB (antivirus database) update. The AVDB queries FortiGuard with the hash of a scanned file. If FortiGuard returns a match, the scanned file is deemed to be malicious. Enabling the AV engine scan is not required to use this feature.

FortiGuard VOS can be used in both proxy-based and flow-based policy inspections across all supported protocols.

Note

The FortiGate must be registered with a valid FortiGuard outbreak prevention license.

See FortiGuard outbreak prevention for a configuration example.

External malware block list

The external malware block list allows users to add their own malware signatures in the form of MD5, SHA1, and SHA256 hashes. The FortiGate's antivirus database retrieves an external malware hash list from a remote server and polls the hash list every n minutes for updates. Enabling the AV engine scan is not required to use this feature.

The external malware block list can be used in both proxy-based and flow-based policy inspections, but it is not supported in AV quick scan mode.

Note that using different types of hashes simultaneously may slow down the performance of malware scanning. It is recommended to use one type of hash.

See External malware block list and Malware hash threat feed for more details and configuration examples.

EMS threat feed

A FortiGate can pull malware threat feeds from FortiClient EMS, which in turn receives malware hashes detected by FortiClients. The malware hash can be used in an antivirus profile when AV scanning is enabled with block or monitor actions. This feature is supported in proxy and flow mode.

Note

If an external malware blocklist and the FortiGuard outbreak prevention database are also enabled in the antivirus profile, the checking order is: AV local database, EMS threat feed, external malware blocklist, FortiGuard outbreak prevention database. If the EMS threat feed and external malware blocklist contain the same hash value, then the EMS infection will be reported if both of them are blocked.

See Malware threat feed from EMS for more details and configuration examples.

AI-based malware detection

The AV Engine AI malware detection model integrates into regular AV scanning to help detect potentially malicious Windows Portable Executables (PEs) in order to mitigate zero-day attacks. Previously, this type of detection was handled by heuristics that analyzed file behavior. With AV Engine AI, the module is trained by FortiGuard AV against many malware samples to identify file features that make up the malware. The AV Engine AI package can be downloaded by FortiOS via FortiGuard on devices with an active AV subscription. The machine-learning-detection setting is enabled by default at a per-VDOM level. Files detected by the AV Engine AI are identified with the W32/AI.Pallas.Suspicious virus signature.

To configure machine learning-based malware detection:
config antivirus settings
     set machine-learning-detection {enable| monitor | disable}
end

FortiGuard provides several sample files to test the AV configuration on the FortiGate, which are available to download from https://www.fortiguard.com/sample-files. Test the AI-based malware detection feature by downloading AI Sample file. See Example 2: AI sample file.