Fortinet white logo
Fortinet white logo

Administration Guide

Create or edit an antivirus profile

Create or edit an antivirus profile

Click Create New to open the Create AntiVirus Profile window.

Select an antivirus profile and then click Edit to open the Edit AntiVirus Profile window.

Configure the following settings in the Create AntiVirus Profile window and then click OK:

Name

Enter the name of the antivirus profile.

Comments

Optionally, enter a description of the profile.

Options

For each protocol, enable or disable antivirus scanning, blocking, and monitoring.

Outbreak Prevention

FortiGuard Virus Outbreak Protection Service (VOS) allows the FortiProxy antivirus database to be subsidized with third-party malware hash signatures curated by FortiGuard. The hash signatures are obtained from FortiGuard's Global Threat Intelligence database. The antivirus database queries FortiGuard with the hash of a scanned file. If FortiGuard returns a match, the scanned file is deemed to be malicious. Enabling the AV engine scan is not required to use this feature.

Scanning Files by FortiNDR Server

For each protocol, select to disable, block, or monitor.

Refer to Using FortiNDR inline scanning with antivirus for more details.

Note

This option is available only when a FortiNDR server is connected.

Content Disarm

Content disarm and reconstruction (CDR) allows the FortiProxy unit to sanitize Microsoft Office documents and PDF files (including those that are in ZIP archives) by removing active content, such as hyperlinks, embedded media, JavaScript, macros, and so on from the files (disarm) without affecting the integrity of its textual content (reconstruction). It allows network administrators to protect their users from malicious document files.

Files processed by CDR can be stored locally for quarantine on FortiAnalyzer, FortiSandbox, or FortiProxy models with a hard disk. The original copies can also be obtained in the event of a false positive.

CDR is supported on HTTP, SMTP, POP3, and IMAP. NOTE: SMTP splice and client-comfort mode are not supported.

Archive Block

For each protocol, select the file types to block.

Archive Log

For each protocol, select the file types to log.

Send Files to FortiSandbox Cloud for Inspection

If you want files to be inspected by FortiSandbox Cloud, select Suspicious or everything.

Refer to Using FortiSandbox post-transfer scanning with antivirus for more details.

Use FortiSandbox Database

Enable this option to use the FortiSandbox database.

Include Mobile Malware Protection

Enable this option to protect mobile devices from malware.

API Preview

The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.

To use the API Preview:
  1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.

  2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.

  3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.

  4. Click Close to leave the preview.

Stream-based antivirus scan for FTP, SFTP, and SCP

Stream-based antivirus scanning is supported for FTP, SFTP, and SCP protocols.

  • Stream-based antivirus scanning optimizes memory usage for large archive files by decompressing the files on the fly and scanning the files as they are extracted.

  • File types can be determined after scanning a few KB, without buffering the entire file.

  • Viruses can be detected even if they are hiding in the middle or end of a large archive.

  • When scanning smaller files, traffic throughput is improved by scanning the files directly on the proxy based WAD daemon, without invoking scanunit.

Stream-based scanning is the default scan mode. To disable steam-based scanning, the scan mode can be set to legacy mode, and the archive will only be scanned after the entire file has been received.

To configure stream-based scan:
config antivirus profile
    edit <string>
        ...
        set scan-mode {default* | legacy}
        ...
    next
end

Configuring threat feed and outbreak prevention without AV engine scan

In the CLI, users can enable malware threat feeds and outbreak prevention without performing an antivirus scan. In the GUI and CLI, users can choose to use all malware thread feeds, or specify the ones that they want to use. Replacement messages have been updated for external block lists.

config antivirus profile
    edit <name>
        config http
            set av-scan {disable | block | monitor}
            set outbreak-prevention {disable | block | monitor}
            set external-blocklist {disable | block | monitor}
            set quarantine {enable | disable}
        end
        ...
        set outbreak-prevention-archive-scan {enable | disable}
        set external-blocklist-enable-all {enable | disable}
        set external-blocklist <source>
    next
end
To configure malware threat feeds and outbreak prevention without performing an AV scan in the CLI:
config antivirus profile
    edit "Demo"
        set mobile-malware-db enable
        config http
            set av-scan disable
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set content-disarm disable
        end
        config ftp
            set av-scan disable
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
        end
        config imap
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
            set content-disarm disable
        end
        config pop3
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
            set content-disarm disable
        end
        config smtp
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
            set content-disarm disable
        end
        config mapi
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
        end
        config nntp
            set av-scan disable
            set outbreak-prevention disable
            set external-blocklist disable
            set quarantine disable
            set emulator enable
        end
        config cifs
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
        end
        config ssh
            set av-scan disable
            set outbreak-prevention disable
            set external-blocklist disable
            set quarantine disable
            set emulator enable
        end
        set outbreak-prevention-archive-scan enable
        set external-blocklist-enable-all disable
        set external-blocklist "malhash1"
        set av-virus-log enable
        set av-block-log enable
        set extended-log disable
        set scan-mode default
    next
end

In this example, configuring the quarantine setting is done in each protocol (set quarantine). The malware threat feed is also specified (set external-blocklist-enable-all disable) to the threat connector, malhash1 (set external-blocklist "malhash1").

Content disarm and reconstruction for antivirus

Content disarm and reconstruction (CDR) allows the FortiProxy to sanitize Microsoft Office documents and PDF files (including those that are in ZIP archives) by removing active content, such as hyperlinks, embedded media, JavaScript, macros, and so on from the files (disarm) without affecting the integrity of its textual content (reconstruction). It allows network administrators to protect their users from malicious document files.

Files processed by CDR can be stored locally for quarantine on FortiAnalyzer, FortiSandbox, or FortiProxy models with a hard disk. The original copies can also be obtained in the event of a false positive.

CDR is supported on HTTP, SMTP, POP3, and IMAP. NOTE: SMTP splice and client-comfort mode are not supported.

Support and limitations

  • CDR can only be performed on Microsoft Office documents and PDF files.
  • Local Disk CDR quarantine is only possible on FortiProxy models that contain a hard disk.
  • CDR is only supported on HTTP, SMTP, POP3, IMAP.
    • SMTP splice and client-comfort mode is not supported.
  • CDR can only work on files in .ZIP type archives.

Configuring the feature

To configure antivirus to work with CDR, you must enable CDR on your antivirus profile, set the quarantine location, and then fine tune the CDR detection parameters.

To configure CDR:
  1. Go to Security Profiles > AntiVirus.

  2. Edit an antivirus profile or create a new one.

  3. Under Content Disarm, enable the options that you want.

  4. Select a quarantine location from the available options:

    • FortiSandbox—Saves the original document file to a connected FortiSandbox.

    • File Quarantine—Saves the original document file to disk (if possible) or a connected FortiAnalyzer based on the FortiProxy log settings (config log fortianalyzer setting).

    • Discard—The default setting, which discards the original document file.

  5. Select the action that is taken when an error occurs:
    • Block—Block file when there is a CDR error.
    • Log Only—Log the CDR error but allow the file to pass.
    • Ignore—When there is a CDR error, let the file pass but do not log the error.
  6. Click OK.
To edit the CDR detection parameters:

By default, stripping of all active Microsoft Office and PDF content types are enabled. In this example, stripping macros in Microsoft Office documents is disabled.

config antivirus profile

edit <antivirus_profile_name>

config content-disarm

set office-macro disable

set detect-only {enable | disable}

set cover-page {enable | disable}

set error-action {block | log-only | ignore}

end

next

end

Where:

detect-only

Only detect disarmable files, do not alter content. Disabled by default.

cover-page

Attach a cover page to the fileʼs content when the file has been processed by CDR. Enabled by default.

Create or edit an antivirus profile

Create or edit an antivirus profile

Click Create New to open the Create AntiVirus Profile window.

Select an antivirus profile and then click Edit to open the Edit AntiVirus Profile window.

Configure the following settings in the Create AntiVirus Profile window and then click OK:

Name

Enter the name of the antivirus profile.

Comments

Optionally, enter a description of the profile.

Options

For each protocol, enable or disable antivirus scanning, blocking, and monitoring.

Outbreak Prevention

FortiGuard Virus Outbreak Protection Service (VOS) allows the FortiProxy antivirus database to be subsidized with third-party malware hash signatures curated by FortiGuard. The hash signatures are obtained from FortiGuard's Global Threat Intelligence database. The antivirus database queries FortiGuard with the hash of a scanned file. If FortiGuard returns a match, the scanned file is deemed to be malicious. Enabling the AV engine scan is not required to use this feature.

Scanning Files by FortiNDR Server

For each protocol, select to disable, block, or monitor.

Refer to Using FortiNDR inline scanning with antivirus for more details.

Note

This option is available only when a FortiNDR server is connected.

Content Disarm

Content disarm and reconstruction (CDR) allows the FortiProxy unit to sanitize Microsoft Office documents and PDF files (including those that are in ZIP archives) by removing active content, such as hyperlinks, embedded media, JavaScript, macros, and so on from the files (disarm) without affecting the integrity of its textual content (reconstruction). It allows network administrators to protect their users from malicious document files.

Files processed by CDR can be stored locally for quarantine on FortiAnalyzer, FortiSandbox, or FortiProxy models with a hard disk. The original copies can also be obtained in the event of a false positive.

CDR is supported on HTTP, SMTP, POP3, and IMAP. NOTE: SMTP splice and client-comfort mode are not supported.

Archive Block

For each protocol, select the file types to block.

Archive Log

For each protocol, select the file types to log.

Send Files to FortiSandbox Cloud for Inspection

If you want files to be inspected by FortiSandbox Cloud, select Suspicious or everything.

Refer to Using FortiSandbox post-transfer scanning with antivirus for more details.

Use FortiSandbox Database

Enable this option to use the FortiSandbox database.

Include Mobile Malware Protection

Enable this option to protect mobile devices from malware.

API Preview

The API Preview allows you to view all REST API requests being used by the page. You can make changes on the page that are reflected in the API request preview. This feature is not available if the user is logged in as an administrator that has read-only GUI permissions.

To use the API Preview:
  1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.

  2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.

  3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.

  4. Click Close to leave the preview.

Stream-based antivirus scan for FTP, SFTP, and SCP

Stream-based antivirus scanning is supported for FTP, SFTP, and SCP protocols.

  • Stream-based antivirus scanning optimizes memory usage for large archive files by decompressing the files on the fly and scanning the files as they are extracted.

  • File types can be determined after scanning a few KB, without buffering the entire file.

  • Viruses can be detected even if they are hiding in the middle or end of a large archive.

  • When scanning smaller files, traffic throughput is improved by scanning the files directly on the proxy based WAD daemon, without invoking scanunit.

Stream-based scanning is the default scan mode. To disable steam-based scanning, the scan mode can be set to legacy mode, and the archive will only be scanned after the entire file has been received.

To configure stream-based scan:
config antivirus profile
    edit <string>
        ...
        set scan-mode {default* | legacy}
        ...
    next
end

Configuring threat feed and outbreak prevention without AV engine scan

In the CLI, users can enable malware threat feeds and outbreak prevention without performing an antivirus scan. In the GUI and CLI, users can choose to use all malware thread feeds, or specify the ones that they want to use. Replacement messages have been updated for external block lists.

config antivirus profile
    edit <name>
        config http
            set av-scan {disable | block | monitor}
            set outbreak-prevention {disable | block | monitor}
            set external-blocklist {disable | block | monitor}
            set quarantine {enable | disable}
        end
        ...
        set outbreak-prevention-archive-scan {enable | disable}
        set external-blocklist-enable-all {enable | disable}
        set external-blocklist <source>
    next
end
To configure malware threat feeds and outbreak prevention without performing an AV scan in the CLI:
config antivirus profile
    edit "Demo"
        set mobile-malware-db enable
        config http
            set av-scan disable
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set content-disarm disable
        end
        config ftp
            set av-scan disable
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
        end
        config imap
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
            set content-disarm disable
        end
        config pop3
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
            set content-disarm disable
        end
        config smtp
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
            set content-disarm disable
        end
        config mapi
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
            set executables default
        end
        config nntp
            set av-scan disable
            set outbreak-prevention disable
            set external-blocklist disable
            set quarantine disable
            set emulator enable
        end
        config cifs
            set av-scan monitor
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set emulator enable
        end
        config ssh
            set av-scan disable
            set outbreak-prevention disable
            set external-blocklist disable
            set quarantine disable
            set emulator enable
        end
        set outbreak-prevention-archive-scan enable
        set external-blocklist-enable-all disable
        set external-blocklist "malhash1"
        set av-virus-log enable
        set av-block-log enable
        set extended-log disable
        set scan-mode default
    next
end

In this example, configuring the quarantine setting is done in each protocol (set quarantine). The malware threat feed is also specified (set external-blocklist-enable-all disable) to the threat connector, malhash1 (set external-blocklist "malhash1").

Content disarm and reconstruction for antivirus

Content disarm and reconstruction (CDR) allows the FortiProxy to sanitize Microsoft Office documents and PDF files (including those that are in ZIP archives) by removing active content, such as hyperlinks, embedded media, JavaScript, macros, and so on from the files (disarm) without affecting the integrity of its textual content (reconstruction). It allows network administrators to protect their users from malicious document files.

Files processed by CDR can be stored locally for quarantine on FortiAnalyzer, FortiSandbox, or FortiProxy models with a hard disk. The original copies can also be obtained in the event of a false positive.

CDR is supported on HTTP, SMTP, POP3, and IMAP. NOTE: SMTP splice and client-comfort mode are not supported.

Support and limitations

  • CDR can only be performed on Microsoft Office documents and PDF files.
  • Local Disk CDR quarantine is only possible on FortiProxy models that contain a hard disk.
  • CDR is only supported on HTTP, SMTP, POP3, IMAP.
    • SMTP splice and client-comfort mode is not supported.
  • CDR can only work on files in .ZIP type archives.

Configuring the feature

To configure antivirus to work with CDR, you must enable CDR on your antivirus profile, set the quarantine location, and then fine tune the CDR detection parameters.

To configure CDR:
  1. Go to Security Profiles > AntiVirus.

  2. Edit an antivirus profile or create a new one.

  3. Under Content Disarm, enable the options that you want.

  4. Select a quarantine location from the available options:

    • FortiSandbox—Saves the original document file to a connected FortiSandbox.

    • File Quarantine—Saves the original document file to disk (if possible) or a connected FortiAnalyzer based on the FortiProxy log settings (config log fortianalyzer setting).

    • Discard—The default setting, which discards the original document file.

  5. Select the action that is taken when an error occurs:
    • Block—Block file when there is a CDR error.
    • Log Only—Log the CDR error but allow the file to pass.
    • Ignore—When there is a CDR error, let the file pass but do not log the error.
  6. Click OK.
To edit the CDR detection parameters:

By default, stripping of all active Microsoft Office and PDF content types are enabled. In this example, stripping macros in Microsoft Office documents is disabled.

config antivirus profile

edit <antivirus_profile_name>

config content-disarm

set office-macro disable

set detect-only {enable | disable}

set cover-page {enable | disable}

set error-action {block | log-only | ignore}

end

next

end

Where:

detect-only

Only detect disarmable files, do not alter content. Disabled by default.

cover-page

Attach a cover page to the fileʼs content when the file has been processed by CDR. Enabled by default.