Administration Guide

Configuring antivirus profiles, file signatures, and antivirus action profiles

The AntiVirus submenu lets you configure antivirus profiles and related action profiles. See the following topics for details:

Managing antivirus profiles

Go to Profile > AntiVirus > AntiVirus to create antivirus profiles that you can select in a policy in order to scan email for viruses.

The FortiMail unit scans email header, body, and attachments (including compressed files, such as ZIP, PKZIP, LHA, ARJ, and RAR files) for virus infections. If the FortiMail unit detects a virus, it will take actions as you define in the antivirus action profiles. For details, see Configuring antivirus action profiles.

FortiMail keeps its antivirus scan engine and virus signature database up-to-date by connecting to Fortinet FortiGuard Distribution Network (FDN) antivirus services. For details, see Configuring centralized administration.

To configure an antivirus profile
  1. Go to Profile > AntiVirus > AntiVirus.
  2. Either click New to add a profile or double-click a profile to modify it.
  3. A dialog appears.

  4. Click the arrows to expand each section as needed and configure the following:

GUI item

Description

Domain

For a new profile, select either System to apply the profile to the entire FortiMail unit, or select a specific protected domain. You can see only the domains that are permitted by your administrator profile.

Profile name

For a new profile, type its name. The profile name is editable later.

Default action

Select an action profile or create a new action profile. See Configuring antivirus action profiles.

AntiVirus

Enable to perform antivirus scanning.

Malware/virus Outbreak

Instead of using virus signatures, malware outbreak protection uses data analytics from the FortiGuard Service. For example, if a threshold volume of previously unknown attachments is being sent from known malicious sources, they are treated as suspicious viruses.

This feature can help quickly identify new threats.

Because the infected email is treated as virus, the virus replacement message will be used, if the replacement action is triggered.

Heuristic

Enable to use realtime malware analysis, or heuristic antivirus scan, when performing antivirus scanning.

File signature check

Enable to scan for file signatures. For details, see Adding file signatures.

Grayware

Enable to scan for grayware, such as mail bomb detection.

FortiNDR

Enable this option to send potentially harmful attachments, such as executables, PDF, and OCX files, to FortiNDR for further malware analysis. For details about FortiNDR configuration, see Using FortiNDR malware inspection.

Malicious/Virus

High risk

Medium risk

Low risk

Specify the action to take if the FortiNDR analysis determines that the email messages have malware or other threat qualities. You can specify different actions according to the threat levels.

FortiSandbox

Enable this option to send potentially harmful attachments, such as executables, PDF, and OCX files, to FortiSandbox for further analysis. For details about FortiSandbox configuration, see Using FortiSandbox antivirus inspection.

Scan mode

Submit and wait for result means to wait for scan results before delivering the email.

Submit only means to submit the email to FortiSandbox but still deliver the mail without waiting for scan results.

Attachment analysis

Enable to send email attachments to FortiSandbox.

If desired, configure different actions for different scan results.

Malicious/Virus

High risk

Medium risk

Low risk

No Result

Specify the action to take if the FortiSandbox analysis determines that the email messages have virus or other threat qualities. You can specify different actions according to the threat levels.

URL analysis

Enable to send the URLs to FortiSandbox.

If desired, configure different actions for different scan results.

Malicious/Virus

High risk

Medium risk

Low risk

No Result

Specify the action to take if the FortiSandbox analysis determines that the email messages have virus or other threat qualities. You can specify different actions according to the threat levels.

Adding file signatures

If you already have the SHA-1/SHA-256 (Secure Hash Algorithm) hash values of some known virus-infected files, you can add these values as file signatures and then, in the antivirus profile, enable the actions against these files. See Configuring antivirus profiles, file signatures, and antivirus action profiles.

You can manually add the SHA-1/256 checksums one by one. You can also import such a checksum list in csv or txt format. The signatures can be exported as a csv file.

Because not all attachment files are virus carriers, the FortiMail file signature check only supports the following file types: .7z, .bat, .cab, .dll, .doc, .docm, .docx, .dotm, .exe, .gz, .hta, .inf, .jar, .js, .jse, .msi, .msp, .pdf, .pif, .potm, .ppam, .ppsm, .ppt, .pptm, .pptx, .reg, .scr, .sldm, .swf, .tar, .vbe, .ws, .wsc, .wsf, .wsh, .xlam, .xls, .xlsm, .xlsx, .xltm, .Z, and .zip files.

To add a new file signature
  1. Go to Profile > AntiVirus > File Signature and click New.
  2. Enter a name for the signature group.
  3. Select either SHA-1 or SHA-256.
  4. Under File Signature List, click New and then enter the checksum value.
  5. Click OK and then Create.
To import a signature list in csv format
  1. Go to Profile > AntiVirus > File Signature, select a signature profile, and click Import.
  2. Browse to the csv file and click OK. The csv file must contain the hash values, and the hash type must be SHA1 or SHA256. The list will be imported into the profile.
To export the file signatures
  1. Go to Profile > AntiVirus > File Signature. Select a signature profile and click Export.
  2. Click Save File to save the file in csv format to your local machine.
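Before importing a hash list, it is worth checking that every entry is a well-formed digest of the type the signature profile expects, since a SHA-256 value pasted into a SHA-1 profile (or a stray non-hex line) will never match an attachment. The following Python is an added example, not FortiMail code: it filters file names by the supported extension list above, computes SHA1/SHA256 digests, validates a candidate list, and writes the accepted digests one per row. The one-digest-per-row CSV layout is an assumption (the guide does not specify the column layout), so compare it against an Export from your own unit first.

```python
import csv
import hashlib
import io
import re
from pathlib import Path

# Attachment types the FortiMail file signature check inspects (list taken from
# the guide above; compared case-insensitively so ".Z" and ".EXE" both match).
SUPPORTED_EXTENSIONS = {
    ".7z", ".bat", ".cab", ".dll", ".doc", ".docm", ".docx", ".dotm", ".exe",
    ".gz", ".hta", ".inf", ".jar", ".js", ".jse", ".msi", ".msp", ".pdf",
    ".pif", ".potm", ".ppam", ".ppsm", ".ppt", ".pptm", ".pptx", ".reg",
    ".scr", ".sldm", ".swf", ".tar", ".vbe", ".ws", ".wsc", ".wsf", ".wsh",
    ".xlam", ".xls", ".xlsm", ".xlsx", ".xltm", ".z", ".zip",
}

# Hex digest length for the two hash types a signature profile can hold.
HEX_LEN = {"SHA1": 40, "SHA256": 64}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def is_supported(filename: str) -> bool:
    """True if the signature check would ever match this attachment type."""
    return Path(filename).suffix.lower() in SUPPORTED_EXTENSIONS


def file_digest(data: bytes, algo: str) -> str:
    """Hex digest of a file's bytes using SHA1 or SHA256."""
    if algo not in HEX_LEN:
        raise ValueError(f"unsupported hash type {algo!r}")
    h = hashlib.sha1() if algo == "SHA1" else hashlib.sha256()
    h.update(data)
    return h.hexdigest()


def validate_signature_lines(lines, algo):
    """Split candidate hash lines into (accepted, rejected) for a profile of type algo.

    accepted: lower-cased hex digests with duplicates removed.
    rejected: (line_number, text, reason) for anything the import should not carry,
    including digests of the wrong length (for example a SHA256 in a SHA1 profile).
    """
    want = HEX_LEN[algo]
    accepted, rejected, seen = [], [], set()
    for n, raw in enumerate(lines, 1):
        value = raw.strip()
        if not value or value.startswith("#"):
            continue  # blank or comment line, nothing to import
        if not HEX_RE.match(value):
            rejected.append((n, value, "not a hexadecimal digest"))
        elif len(value) != want:
            rejected.append((n, value, f"length {len(value)}, expected {want} for {algo}"))
        elif value.lower() in seen:
            rejected.append((n, value, "duplicate"))
        else:
            seen.add(value.lower())
            accepted.append(value.lower())
    return accepted, rejected


def signature_csv(hashes) -> str:
    """Render accepted digests one per row (assumed layout, see lead-in)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for h in hashes:
        writer.writerow([h])
    return buf.getvalue()


# Constructed sample list for a SHA1 profile: a valid digest, the same digest in
# upper case, a SHA256-length digest, a non-hex entry, and a blank line.
SAMPLE_SHA1_LINES = [
    "a9993e364706816aba3e25717850c26c9cd0d89d",
    "A9993E364706816ABA3E25717850C26C9CD0D89D",
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "not-a-hash",
    "",
]

if __name__ == "__main__":
    ok, bad = validate_signature_lines(SAMPLE_SHA1_LINES, "SHA1")
    print(signature_csv(ok), *[f"line {n}: {why}: {t}" for n, t, why in bad], sep="\n")
```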

Configuring antivirus action profiles

Go to Profile > AntiVirus > Action to define one or more actions that the FortiMail unit should do if the antivirus profile determines that an email is infected by viruses.

To view and configure antivirus action profiles
  1. Go to Profile > AntiVirus > Action.
    GUI item

    Description

    Domain

    (drop-down list)

    Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile.

    Profile Name

    Displays the name of the profile.

    Domain

    (column)

    Displays either System or a domain name.

    (Green dot in column heading)

    Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted.

  2. Either click New to add a profile or double-click an existing profile to modify it.
  3. A dialog appears.

  4. Configure the following:

    GUI item

    Description

    Domain

    Select if the action profile will be system-wide or domain-wide.

    You can see only the domains that are permitted by your administrator profile.

    Profile name

    For a new profile, enter a name.

    Tag subject

    Enable and enter the text that appears in the subject line of the email, such as [virus], in the With value field. The FortiMail unit will prepend this text to the subject line of spam before forwarding it to the recipient.

    Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the subject line. For details, see the documentation for your email client.

    Insert header

    Enable and enter the message header key in the field, and the values in the With value field. The FortiMail unit adds this text to the message header of the email before forwarding it to the recipient.

    Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the message header. For details, see the documentation for your email client.

    Message header lines are composed of two parts: a key and a value, which are separated by a colon. For example, you might enter:

    X-Custom-Header: Detected as virus by profile 22.

    If you enter a header line that does not include a colon, the FortiMail unit will automatically append a colon, causing the entire text that you enter to be the key.

    Note: Do not enter spaces in the key portion of the header line, as these are forbidden by RFC 2822.

    Starting from the 6.0.1 release, you can add multiple headers by adding them to the header table. You can also insert the predefined variables into the header value.

    Insert disclaimer

    Starting from the 6.0.1 release, you can insert a disclaimer as an action.

    You can modify the default disclaimer or add new disclaimers by going to System > Customization > Custom Message > Email Content Resources > Disclaimer insertion message.

    Deliver to alternate host

    Enable to route the email to a specific SMTP server or relay, then type the fully qualified domain name (FQDN) or IP address of the destination.

    You can choose to deliver the original email or the modified email.

    Note: If you enable this setting, the FortiMail unit uses this destination for all email that matches the profile and ignores Relay server name and Use this domain’s SMTP server to deliver the mail.

    Deliver to original host

    Enable to route the email back to its original source destination.

    BCC

    Enable to send a blind carbon copy (BCC) of the email.

    You can specify an Envelope from address so that, in the case the email is not deliverable and bounced back, it will be returned to the specified envelope from address, instead of the original sender. This is helpful when you want to use a specific email to collect bounce notifications.

    Click New to add BCC recipients.

    Replace infected/suspicious body or attachment(s)

    Replaces the infected file with a replacement message that notifies the email user the infected file was removed.

    • For malware outbreak scan, virus replacement messages will be used.
    • For FortiSandbox scan, virus replacement messages will be used.
    • For heuristic scan, suspicious replacement messages will be used.

    You can customize replacement messages. For more information, see Customizing GUI, custom messages, email templates, SSO, and Security Fabric.

    Remove URL detected by FortiSandbox

    Removes suspicious URLs from email, as detected by FortiSandbox.

    Archive to account

    Redirect email to a specified archive account.

    Notify with profile

    Enable and select a notification profile to send a notification email to the sender, recipient, or any other people as you configure in the notification profile. The notification email is customizable and will tell the users what happened to the email message. For details about notification profiles and email templates, see Configuring notification profiles and Customizing email templates.

    Final action

    Select one of the following actions:

    • Discard: Enable to accept the email, but then delete it instead of delivering the email, without notifying the SMTP client.

    • Reject: Enable to reject the email and reply to the SMTP client with SMTP reply code 550.
      However, if email messages are held for FortiGuard spam outbreak protection or FortiGuard virus outbreak protection, or sent to FortiSandbox, the actual action will fall back to "system quarantine".

    • System quarantine: Enable to redirect email to the system quarantine. For more information, see Managing the system quarantine. You can choose to quarantine the original email or the modified email.

    • Domain quarantine: Enable to redirect email to the domain quarantine folder. For more information, see Managing the domain quarantines.

    • Rewrite recipient email address: Enable to change the recipient address of any infected email message.

      Configure rewrites separately for the local-part (the portion of the email address before the '@' symbol, typically a user name) and the domain part (the portion of the email address after the '@' symbol). For each part, select either:

      • None: No change.
      • Prefix: Prepend the part with text that you have entered in the With field.
      • Suffix: Append the part with the text you have entered in the With field.
      • Replace: Substitute the part with the text you have entered in the With field.
    • Repackage email with customized content: Enable to forward the infected email as an attachment with the customized email body that you define in the custom email template. For example, in the template, you may want to say “The attached email is infected by a virus”. For details, see Customizing email templates.

    • Repackage email with original text content: Enable to forward the infected email as an attachment but the original email body will still be used without modification.
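The Tag subject, Insert header and Rewrite recipient email address settings above each change a message in a small, well-defined way, and it helps to see those rules applied together before relying on them to route infected mail to a holding mailbox. The Python below is an added example, not FortiMail's own implementation: it models the header-entry rule (first colon splits key and value, no colon means the whole text is the key, whitespace in the key is rejected) and the None/Prefix/Suffix/Replace rewrite of local-part and domain part, then applies a constructed action profile to a constructed message. The single-space separator after the subject tag and the function and field names are assumptions.

```python
import re

# Rewrite modes offered for each address part under Rewrite recipient email address.
REWRITE_MODES = ("None", "Prefix", "Suffix", "Replace")


def rewrite_part(part: str, mode: str, with_text: str = "") -> str:
    """Apply None/Prefix/Suffix/Replace to one address part using the With text."""
    if mode == "None":
        return part
    if mode == "Prefix":
        return with_text + part
    if mode == "Suffix":
        return part + with_text
    if mode == "Replace":
        return with_text
    raise ValueError(f"unknown rewrite mode {mode!r}; expected one of {REWRITE_MODES}")


def rewrite_recipient(address, local_mode="None", local_with="",
                      domain_mode="None", domain_with=""):
    """Rewrite the local-part (before '@') and the domain part (after '@') separately."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a local-part@domain address: {address!r}")
    return (rewrite_part(local, local_mode, local_with) + "@"
            + rewrite_part(domain, domain_mode, domain_with))


def parse_header_entry(text: str):
    """Split an Insert header entry into (key, value) as the guide describes:
    the first colon separates key from value; with no colon the whole text is
    the key and the value is empty. Whitespace in the key is rejected (RFC 2822)."""
    key, _, value = text.strip().partition(":")
    if re.search(r"\s", key):
        raise ValueError(f"header key {key!r} contains whitespace")
    return key, value.strip()


def apply_action_profile(headers, recipient, profile):
    """Return (new_headers, new_recipient) after applying the Tag subject,
    Insert header and Rewrite recipient settings of an action profile.
    headers is a list of (key, value) tuples in message order."""
    out = []
    tag = profile.get("tag_subject")
    for key, value in headers:
        # Tag subject: prepend the tag once (assumes a single space separator).
        if tag and key.lower() == "subject" and not value.startswith(tag):
            value = f"{tag} {value}"
        out.append((key, value))
    for entry in profile.get("insert_headers", []):
        out.append(parse_header_entry(entry))
    rules = profile.get("rewrite_recipient")
    if rules:
        recipient = rewrite_recipient(recipient, **rules)
    return out, recipient


# Constructed message and profile (not from the guide) for the demonstration.
SAMPLE_HEADERS = [
    ("From", "sender@example.org"),
    ("To", "alice@example.com"),
    ("Subject", "Invoice attached"),
]
SAMPLE_PROFILE = {
    "tag_subject": "[virus]",
    "insert_headers": [
        "X-Custom-Header: Detected as virus by profile 22.",
        "X-AV-Scanned",  # no colon: becomes a key with an empty value
    ],
    "rewrite_recipient": {
        "local_mode": "Suffix", "local_with": "-quarantine",
        "domain_mode": "Replace", "domain_with": "av-hold.example.net",
    },
}


def demo():
    """Apply the constructed profile to the constructed message."""
    return apply_action_profile(SAMPLE_HEADERS, "alice@example.com", SAMPLE_PROFILE)
```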
