Fortinet Document Library


profile antivirus

Use this command to create antivirus profiles that you can select in a policy in order to scan email for viruses.

The FortiMail unit scans the email header, body, and attachments (including compressed files, such as ZIP, PKZIP, LHA, ARJ, and RAR files) for virus infections. If the FortiMail unit detects a virus, it takes the actions that you define in the antivirus action profiles.

Syntax

config profile antivirus
    edit <profile_name>
        set action-default {predefined_av_discard | predefined_av_reject}
        set action-file-signature
        set action-heuristic {predefined_av_discard | predefined_av_reject}
        set action-outbreak <action>
        set action-sandbox-high <action>
        set action-sandbox-low <action>
        set action-sandbox-medium <action>
        set action-sandbox-noresult <action>
        set action-sandbox-uri-high <action>
        set action-sandbox-uri-low <action>
        set action-sandbox-uri-medium <action>
        set action-sandbox-uri-noresult <action>
        set action-sandbox-uri-virus <action>
        set action-sandbox-virus <action>
        set file-signature-check {enable | disable}
        set grayware-scan {enable | disable}
        set heuristic {enable | disable}
        set malware-outbreak-protection {enable | disable}
        set sandbox-analysis {enable | disable}
        set sandbox-analysis-uri {enable | disable}
        set sandbox-scan-mode {submit-and-wait | submit-only}
        set scanner {enable | disable}
end

Variable / Description / Default

<profile_name>
    Enter the name of the profile.
    To view a list of existing entries, enter a question mark ( ? ).

action-default {predefined_av_discard | predefined_av_reject}
    Enter a predefined antivirus action.
    predefined_av_discard: Accept infected email, but then delete it instead of delivering the email, without notifying the SMTP client.
    predefined_av_reject: Reject infected email and reply to the SMTP client with SMTP reply code 550.

action-file-signature
    Enter a predefined action for the file signature scan.
    predefined_av_discard:
    predefined_av_reject:

action-heuristic {predefined_av_discard | predefined_av_reject}
    Enter a predefined heuristic scanning action for infected email.
    predefined_av_discard: Accept email suspected to be infected, but then delete it instead of delivering the email, without notifying the SMTP client.
    predefined_av_reject: Reject email suspected to be infected, and reply to the SMTP client with SMTP reply code 550.

action-outbreak <action>
    Enter the action to take if the FortiSandbox analysis determines that the email message has an outbreak.

action-sandbox-high <action>
    Enter the action to take if the FortiSandbox attachment analysis determines that the email messages have a high probability of viruses or other threat qualities.
    Default: default

action-sandbox-low <action>
    Enter the action to take if the FortiSandbox attachment analysis determines that the email messages have a low probability of viruses or other threat qualities.
    Default: default

action-sandbox-medium <action>
    Enter the action to take if the FortiSandbox attachment analysis determines that the email messages have a medium probability of viruses or other threat qualities.
    Default: default

action-sandbox-noresult <action>
    Enter the action to take if the FortiSandbox attachment analysis returns no results.
    Default: None

action-sandbox-uri-high <action>
    Enter the action to take if the FortiSandbox URI analysis determines that the email messages have a high probability of viruses or other threat qualities.
    Default: default

action-sandbox-uri-low <action>
    Enter the action to take if the FortiSandbox URI analysis determines that the email messages have a low probability of viruses or other threat qualities.
    Default: default

action-sandbox-uri-medium <action>
    Enter the action to take if the FortiSandbox URI analysis determines that the email messages have a medium probability of viruses or other threat qualities.
    Default: default

action-sandbox-uri-virus <action>
    Enter the action to take if the FortiSandbox URI analysis determines that the email messages definitely have viruses or other threat qualities.
    Default: default

action-sandbox-uri-noresult <action>
    Enter the action to take if the FortiSandbox URI analysis returns no results.
    Default: None

action-sandbox-virus <action>
    Enter the action to take if the FortiSandbox attachment analysis determines that the email messages definitely have viruses or other threat qualities.
    Default: default

file-signature-check {enable | disable}
    Enable to scan for file signatures.
    Default: disable

grayware-scan {enable | disable}
    Enable to scan for grayware as well when performing antivirus scanning.
    Default: enable

heuristic {enable | disable}
    Enable to use heuristics when performing antivirus scanning.
    Default: enable

malware-outbreak-protection {enable | disable}
    Instead of using virus signatures, malware outbreak protection uses data analytics from the FortiGuard Service. For example, if a threshold volume of previously unknown attachments is being sent from known malicious sources, they are treated as suspicious viruses.
    This feature can help quickly identify new threats.
    Because the infected email is treated as a virus, the virus replacement message will be used if the replacement action is triggered.

sandbox-analysis {enable | disable}
    Enable to send suspicious email attachments to FortiSandbox for inspection. For details about FortiSandbox, see system fortisandbox.
    Default: disable

sandbox-analysis-uri {enable | disable}
    Enable or disable sending suspicious attachment content to FortiSandbox for analysis.
    Default: disable

sandbox-scan-mode {submit-and-wait | submit-only}
    Sets how the email is handled by FortiSandbox.
    Default: submit-and-wait

scanner {enable | disable}
    Enable to perform antivirus scanning for this profile.
    Default: disable
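
An added example (not Fortinet code): a small Python audit of an exported config profile antivirus block that applies the defaults from the Default column above to unset options and reports profiles where scanning is effectively off. The sample configuration, the profile names, example_action, and the audit policy itself are assumptions of this example.

```python
# Defaults as listed in the Default column of the reference above.
DEFAULTS = {"scanner": "disable", "heuristic": "enable", "grayware-scan": "enable",
            "sandbox-analysis": "disable", "sandbox-analysis-uri": "disable",
            "action-sandbox-noresult": "None", "action-sandbox-uri-noresult": "None"}
# Audit policy below is an assumption of this example, not vendor guidance.
MUST_BE_ENABLED = ("scanner", "heuristic", "grayware-scan", "sandbox-analysis")
NORESULT_GATES = {"sandbox-analysis": "action-sandbox-noresult",
                  "sandbox-analysis-uri": "action-sandbox-uri-noresult"}
# Constructed sample input; profile names and example_action are hypothetical.
SAMPLE = """\
config profile antivirus
  edit "inbound-strict"
    set scanner enable
    set sandbox-analysis enable
    set action-sandbox-noresult example_action
  next
  edit "legacy"
    set heuristic disable
    set sandbox-analysis enable
end
"""

def parse_profiles(text):
    """Return {profile: {option: value}} for 'config profile antivirus'."""
    profiles, current, inside = {}, None, False
    for raw in text.splitlines():
        tok = raw.split()
        if tok[:3] == ["config", "profile", "antivirus"]:
            inside = True
        elif not inside or not tok:
            continue
        elif tok[0] == "edit" and len(tok) > 1:
            current = profiles.setdefault(raw.split(None, 1)[1].strip().strip('"'), {})
        elif tok[0] == "set" and len(tok) > 2 and current is not None:
            current[tok[1]] = " ".join(tok[2:]).strip('"')
        elif tok[0] in ("next", "end"):
            inside, current = tok[0] == "next", None
    return profiles

def audit(text):
    """Return sorted (profile, option, effective_value) findings.
    A no-result action is only checked when the matching analysis is enabled."""
    findings = []
    for name, opts in parse_profiles(text).items():
        eff = {**DEFAULTS, **opts}  # unset options fall back to documented defaults
        findings += [(name, o, eff[o]) for o in MUST_BE_ENABLED if eff[o] != "enable"]
        findings += [(name, a, "None") for g, a in NORESULT_GATES.items()
                     if eff[g] == "enable" and eff[a] == "None"]
    return sorted(findings)
```

Calling audit(SAMPLE) reports the "legacy" profile three times: scanner is never set and therefore stays at its documented default of disable, heuristic is explicitly disabled, and sandbox analysis is enabled while its no-result action is left at None.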

Related topics

profile antispam
