File Security Enhancements for Large File Uploads (8.0.0)
FortiWeb 8.0.0 enhances file inspection capabilities to mitigate bypass risks caused by large uploads exceeding the maximum cache buffer. Previously, if an uploaded file surpassed the configured buffer limit—defined by Maximum Antivirus Buffer Size in the FortiGuard settings—FortiWeb would bypass inspection, potentially allowing malicious files such as webshells to evade detection.
When file data exceeds the cache limit, FortiWeb now analyzes up to the maximum cached length instead of skipping inspection entirely. This enables partial inspection of the file content and metadata, including:
-
Extracting and analyzing file headers
-
Evaluating initial chunks for malicious characteristics
-
Applying security decisions based on available data
Although truncated data may not be sufficient to trigger all configured File Security or DLP rules, FortiWeb no longer bypasses the file entirely. This significantly reduces the attack surface for evasion techniques that rely on file size padding.
This behavior applies automatically; no additional configuration is required.
Scope of Detection by File Type and Module
|
Inspection Type |
Multipart |
Octet |
JSON |
Email (OWA/ActiveSync) |
Email (MAPI) |
|---|---|---|---|---|---|
| File Size | ✓ | ✓ | ✓ | N/A | N/A |
| File Type | ✓ | ✓ | ✓ | N/A | N/A |
| AV | ✓ | ✓ | ✓ | ✗ | ✗ |
| FSA | ✓ | ✓ | ✓ | ✗ | ✗ |
| ICAP | ✓ | ✓ | ✓ | ✗ | ✗ |
| DLP | ✓ | ✓ | N/A | ✗ | ✗ |
| WebShell | ✓ | ✓ | N/A | ✗ | ✗ |
|
✗ Not supported when file size exceeds the configured maximum buffer size |
|||||
|
✓ Supported with truncated analysis |
|||||
For JSON uploads, FortiWeb attempts to reconstruct truncated data to ensure parsability, using newly added JSON stream parsing APIs.