Fortinet black logo

Administration Guide

Malware hash threat feed

Malware hash threat feed

A malware hash threat feed is a dynamic list that contains malware hashes and periodically updates from an external server. The list is stored in text file format on an external server. After the FortiGate imports this list, it is automatically used for virus outbreak prevention on antivirus profiles when Use external malware block list is enabled. Similar to FortiGuard outbreak prevention, the malware hash threat feed is not supported in AV quick scan mode.

Text file example:

292b2e6bb027cd4ff4d24e338f5c48de
dda37961870ce079defbf185eeeef905 Trojan-Ransom.Win32.Locky.abfl
3fa86717650a17d075d856a41b3874265f8e9eab Trojan-Ransom.Win32.Locky.abfl
c35f705df9e475305c0984b05991d444450809c35dd1d96106bb8e7128b9082f Trojan-Ransom.Win32.Locky.abfl

The file contains one malware hash per line. See External resources file format for more information about the malware hash list formatting style.

Note

For optimal performance, do not mix different hashes in the list. Only use one MD5, SHA1, or SHA256.

Example configuration

In this example, a list of malware hashes is imported using the malware threat feed. The newly created threat feed is applied to an antivirus profile, and the antivirus profile is applied to a firewall policy. Any traffic that passes through the FortiGate and matches the malware hashes in the threat feed list will be dropped.

To configure a malware hash threat feed in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.
  2. In the Threat Feeds section, click Malware Hash.
  3. Set the Name to AWS_Malware_Hash.
  4. Set the Update method to External Feed.
  5. Set the URL of external resource to https://s3.us-west-2.amazonaws.com/malware.txt.
  6. Configure the remaining settings as required, then click OK.
  7. Edit the connector, then click View Entries to view the hash list.

To configure a malware hash threat feed in the CLI:
config system external-resource
    edit "AWS_Malware_Hash"
        set type malware
        set resource "https://s3.us-west-2.amazonaws.com/malware.txt"
        set server-identity-check {none | basic | full}
    next
end
Note

To improve the security of the connection, it is recommended to enable server certificate validation (server-identity-check) either in basic or full mode. By default, it is set to none.

To apply a malware hash threat feed in an antivirus profile:
  1. Go to Security Profiles > AntiVirus and create a new web filter profile, or edit an existing one.
  2. Enable Use external malware block list.
  3. Click the + and select AWS_Malware_Hash from the list.

  4. Configure the remaining settings as needed, then click OK.
To apply the antivirus profile in a firewall policy:
  1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable AntiVirus and select the profile used in the previous procedure.

  4. Set SSL Inspection to deep-inspection to inspect HTTPS traffic.

  5. Enable Log Allowed Traffic.

  6. Click OK.

To view the antivirus logs:
  1. Go to Log & Report > Security Events and select AntiVirus.

  2. View the log details in the GUI, or download the log file:

    1: date=2023-02-03 time=15:42:41 eventtime=1675467761491047388 tz="-0800" logid="0207008212" type="utm" subtype="virus" eventtype="malware-list" level="warning" vd="root" policyid=1 poluuid="e8b310ba-914f-51ed-9014-7b2a116f29ad" policytype="policy" msg="Blocked by local malware list." action="blocked" service="HTTP" sessionid=293915 srcip=172.20.120.13 dstip=192.168.10.13 srcport=53515 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="wan" srcuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" dstuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" proto=6 direction="incoming" filename="test.jpg" quarskip="Quarantine-disabled" virus="a1a74a39788854b75d454dc9c83c612b" viruscat="File Hash" dtype="external-blocklist" filehash="a1a74a39788854b75d454dc9c83c612b" filehashsrc="AWS_Malware_Hash" url="http://192.168.10.13/test.jpg" profile="default" agent="curl/7.55.1" httpmethod="GET" analyticssubmit="false" crscore=10 craction=2 crlevel="medium"
To verify the scanunit daemon:
# diagnose sys scanunit file-hash list 
malware 'a1a74a39788854b75d454dc9c83c612b' vf_id 0 uuid 15752 profile 'AWS_Malware_Hash' description ''

The list of external hashes has been updated.

Related Videos

sidebar video

External Dynamic Block List for Hashes

  • 8,909 views
  • 5 years ago

Malware hash threat feed

A malware hash threat feed is a dynamic list that contains malware hashes and periodically updates from an external server. The list is stored in text file format on an external server. After the FortiGate imports this list, it is automatically used for virus outbreak prevention on antivirus profiles when Use external malware block list is enabled. Similar to FortiGuard outbreak prevention, the malware hash threat feed is not supported in AV quick scan mode.

Text file example:

292b2e6bb027cd4ff4d24e338f5c48de
dda37961870ce079defbf185eeeef905 Trojan-Ransom.Win32.Locky.abfl
3fa86717650a17d075d856a41b3874265f8e9eab Trojan-Ransom.Win32.Locky.abfl
c35f705df9e475305c0984b05991d444450809c35dd1d96106bb8e7128b9082f Trojan-Ransom.Win32.Locky.abfl

The file contains one malware hash per line. See External resources file format for more information about the malware hash list formatting style.

Note

For optimal performance, do not mix different hashes in the list. Only use one MD5, SHA1, or SHA256.

Example configuration

In this example, a list of malware hashes is imported using the malware threat feed. The newly created threat feed is applied to an antivirus profile, and the antivirus profile is applied to a firewall policy. Any traffic that passes through the FortiGate and matches the malware hashes in the threat feed list will be dropped.

To configure a malware hash threat feed in the GUI:
  1. Go to Security Fabric > External Connectors and click Create New.
  2. In the Threat Feeds section, click Malware Hash.
  3. Set the Name to AWS_Malware_Hash.
  4. Set the Update method to External Feed.
  5. Set the URL of external resource to https://s3.us-west-2.amazonaws.com/malware.txt.
  6. Configure the remaining settings as required, then click OK.
  7. Edit the connector, then click View Entries to view the hash list.

To configure a malware hash threat feed in the CLI:
config system external-resource
    edit "AWS_Malware_Hash"
        set type malware
        set resource "https://s3.us-west-2.amazonaws.com/malware.txt"
        set server-identity-check {none | basic | full}
    next
end
Note

To improve the security of the connection, it is recommended to enable server certificate validation (server-identity-check) either in basic or full mode. By default, it is set to none.

To apply a malware hash threat feed in an antivirus profile:
  1. Go to Security Profiles > AntiVirus and create a new web filter profile, or edit an existing one.
  2. Enable Use external malware block list.
  3. Click the + and select AWS_Malware_Hash from the list.

  4. Configure the remaining settings as needed, then click OK.
To apply the antivirus profile in a firewall policy:
  1. Go to Policy & Objects > Firewall Policy and create a new policy, or edit an existing one.

  2. Configure the policy fields as required.

  3. Under Security Profiles, enable AntiVirus and select the profile used in the previous procedure.

  4. Set SSL Inspection to deep-inspection to inspect HTTPS traffic.

  5. Enable Log Allowed Traffic.

  6. Click OK.

To view the antivirus logs:
  1. Go to Log & Report > Security Events and select AntiVirus.

  2. View the log details in the GUI, or download the log file:

    1: date=2023-02-03 time=15:42:41 eventtime=1675467761491047388 tz="-0800" logid="0207008212" type="utm" subtype="virus" eventtype="malware-list" level="warning" vd="root" policyid=1 poluuid="e8b310ba-914f-51ed-9014-7b2a116f29ad" policytype="policy" msg="Blocked by local malware list." action="blocked" service="HTTP" sessionid=293915 srcip=172.20.120.13 dstip=192.168.10.13 srcport=53515 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="wan" srcuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" dstuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" proto=6 direction="incoming" filename="test.jpg" quarskip="Quarantine-disabled" virus="a1a74a39788854b75d454dc9c83c612b" viruscat="File Hash" dtype="external-blocklist" filehash="a1a74a39788854b75d454dc9c83c612b" filehashsrc="AWS_Malware_Hash" url="http://192.168.10.13/test.jpg" profile="default" agent="curl/7.55.1" httpmethod="GET" analyticssubmit="false" crscore=10 craction=2 crlevel="medium"
To verify the scanunit daemon:
# diagnose sys scanunit file-hash list 
malware 'a1a74a39788854b75d454dc9c83c612b' vf_id 0 uuid 15752 profile 'AWS_Malware_Hash' description ''

The list of external hashes has been updated.