External Block List (Threat Feed) - File Hashes
The Malware Hash type of Threat Feed connector supports a list of file hashes that can be used as part of Virus Outbreak Prevention.
To configure Malware Hash:
- Navigate to Security Fabric > Fabric Connectors and click Create New.
- In the Threat Feeds section, click Malware Hash.
The Malware Hash source objects are displayed.
- To configure Malware Hash, fill in the Connector Settings section.
- Beside the Last Update field, click View Entries to display the external Malware Hash list contents.
New Malware value for external-resource parameter in CLI
    FGT_PROXY (external-resource) # edit sha1_list
    new entry 'sha1_list' added
    FGT_PROXY (sha1_list) # set type ?
    category    FortiGuard category.
    address     Firewall IP address.
    domain      Domain Name.
    malware     Malware hash.
To configure external Malware Hash list sources in CLI:
    config global
        config system external-resource
            edit "md5_list"
                set type malware
                set comments "List of md5 hashes only"
                set resource "http://172.16.200.44/outbreak/md5_list"
                set refresh-rate 30
            next
            edit "sha1_list"
                set type malware
                set comments "List of sha1 hashes only"
                set resource "http://172.16.200.44/outbreak/sha1_list"
                set refresh-rate 30
            next
            edit "sha256_list"
                set type malware
                set comments "List of sha256 hashes only"
                set resource "http://172.16.200.44/outbreak/sha256_list"
                set refresh-rate 30
            next
        end
    end
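The three external-resource entries above each point at a plain-text file that the FortiGate fetches over HTTP every 30 minutes, and the comments make clear that each file is meant to hold a single digest type. The following Python is an added example, not Fortinet code and not part of the original page: it sorts an untidy export of hashes into md5, sha1 and sha256 lists, rejects malformed entries instead of letting them into the feed, and checks that a rendered feed file really contains only the digest type its list name promises. It assumes a feed format of one hex digest per line (anything after the first whitespace-separated token is treated as a description); the sample entries are constructed.

```python
import re

# Digest lengths, in hex characters, for the three hash types the connector
# accepts (md5_list, sha1_list and sha256_list in the configuration above).
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' for a well-formed hex digest, else None."""
    value = value.strip()
    if not HEX_RE.match(value):
        return None
    return HASH_TYPES.get(len(value))


def split_by_type(raw_entries):
    """Sort raw entries into per-type, deduplicated, lowercase hash lists.

    Returns (lists, rejected): lists maps 'md5'/'sha1'/'sha256' to an ordered
    list of normalized hashes; rejected keeps every entry that is not a valid
    digest (non-hex characters, wrong length) so it can be reviewed by hand
    instead of silently landing in the feed.
    """
    lists = {"md5": [], "sha1": [], "sha256": []}
    seen = set()
    rejected = []
    for entry in raw_entries:
        hash_type = classify_hash(entry)
        if hash_type is None:
            rejected.append(entry)
            continue
        normalized = entry.strip().lower()
        if normalized in seen:
            continue
        seen.add(normalized)
        lists[hash_type].append(normalized)
    return lists, rejected


def check_single_type(feed_text, expected_type):
    """Return (line_number, line) for each line that is not a hash of expected_type.

    Mirrors the "List of <type> hashes only" comments in the configuration:
    each external-resource is expected to serve a single digest type. Blank
    lines are skipped. Assumption: the first whitespace-separated token of a
    line is the hash and anything after it is a free-text description.
    """
    problems = []
    for number, line in enumerate(feed_text.splitlines(), start=1):
        if not line.strip():
            continue
        token = line.split()[0]
        if classify_hash(token) != expected_type:
            problems.append((number, line))
    return problems


def render_feed(hashes):
    """Render a hash list as the text file the external-resource URL serves:
    one hash per line, newline-terminated (assumed format)."""
    return "".join(h + "\n" for h in hashes)


# Constructed sample input: an untidy export as an analyst might receive it
# (mixed case, stray whitespace, a duplicate, and two malformed rows).
SAMPLE_ENTRIES = [
    "93BDD30BD381B018B9D1B89E8E6D8753",                                  # md5, upper case
    "93bdd30bd381b018b9d1b89e8e6d8753",                                  # duplicate of the above
    " 503e99fe40ee120c45bc9a30835e7256fff3e46a ",                        # sha1 with padding
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # sha256
    "not-a-hash",                                                        # rejected: non-hex
    "abcdef0123",                                                        # rejected: bad length
]

if __name__ == "__main__":
    lists, rejected = split_by_type(SAMPLE_ENTRIES)
    for hash_type, hashes in lists.items():
        feed = render_feed(hashes)
        # Each per-type feed must pass its own consistency check before publishing.
        assert check_single_type(feed, hash_type) == []
        print("%s_list (%d entries):\n%s" % (hash_type, len(hashes), feed))
    print("rejected:", rejected)
```

Run it before publishing a refreshed feed: a rejected entry or a non-empty result from check_single_type means the export needs a look before the FortiGate pulls it at the next refresh.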
Update to antivirus profile
In Security Profiles > AntiVirus, the Virus Outbreak Prevention section allows you to enable the following options:
- Use Fortinet outbreak Prevention Database.
- Use External Malware Block List.
To view Virus Outbreak Prevention options in CLI:
    FGT_PROXY (vdom1) # config antivirus profile
    FGT_PROXY (profile) # edit av
    FGT_PROXY (av) # config outbreak-prevention
    FGT_PROXY (outbreak-prevention) # set
    ftgd-service          Enable/disable FortiGuard Virus outbreak prevention service.
    external-blocklist    Enable/disable external malware blocklist.
    FGT_PROXY (outbreak-prevention) # set
To configure Virus Outbreak Prevention options in CLI:
You must first enable outbreak-prevention in the protocol and then enable external-blocklist under outbreak-prevention.
    config antivirus profile
        edit "av"
            set analytics-db enable
            config http
                set options scan
                set outbreak-prevention full-archive
            end
            config ftp
                set options scan
                set outbreak-prevention files
            end
            config imap
                set options scan
                set outbreak-prevention full-archive
            end
            config pop3
                set options scan
                set outbreak-prevention full-archive
            end
            config smtp
                set options scan
                set outbreak-prevention files
            end
            config mapi
                set options scan
                set outbreak-prevention full-archive
            end
            config nntp
                set options scan
                set outbreak-prevention full-archive
            end
            config smb
                set options scan
                set outbreak-prevention full-archive
            end
            config outbreak-prevention
                set ftgd-service enable
                set external-blocklist enable
            end
        next
    end
Update to utm-virus category logs
This feature adds the fields filehash and filehashsrc to outbreak prevention detection events.
Example of the utm-virus log generated when a file is detected by FortiGuard-queried outbreak prevention:
    2: date=2018-07-30 time=13:57:59 logid="0204008202" type="utm" subtype="virus" eventtype="outbreak-prevention" level="warning" vd="root" evnttime=1532984279 msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="HTTP" sessionid=174777 srcip=192.168.101.20 dstip=172.16.67.148 srcport=37044 dstport=80 srcintf="lan" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="zhvo_test.com" checksum="583369a5" quarskip="No-skip" virus="503e99fe40ee120c45bc9a30835e7256fff3e46a" dtype="File Hash" filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" url="http://172.16.67.148/zhvo_test.com" profile="mhash_test" agent="Firefox/43.0" analyticssubmit="false" crscore=30 crlevel="high"
Example of the utm-virus log generated when a file is detected by External Malware Hash List outbreak prevention:
    1: date=2018-07-30 time=13:59:41 logid="0207008212" type="utm" subtype="virus" eventtype="malware-list" level="warning" vd="root" eventtime=1532984381 msg="Blocked by local malware list." action="blocked" service="HTTP" sessionid=174963 srcip=192.168.101.20 dstip=172.16.67.148 srcport=37045 dstport=80 srcintf="lan" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="mhash_block.com" checksum="90f0cb57" quarskip="No-skip" virus="mhash_block.com" dtype="File Hash" filehash="93bdd30bd381b018b9d1b89e8e6d8753" filehashsrc="test_list" url="http://172.16.67.148/mhash_block.com" profile="mhash_test" agent="Firefox/43.0" analyticssubmit="false"
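The two records differ in eventtype (outbreak-prevention versus malware-list) and, more usefully for triage, in filehashsrc: "fortiguard" for a FortiGuard verdict and the external-resource name ("test_list") for a hit on a local list. The following Python is an added example, not Fortinet code and not part of the original page: it parses the FortiOS key=value log format (quoted values may contain spaces, bare values may not), keeps only virus-subtype blocks that carry a filehash, and reports which source produced the verdict along with the digest type. The two utm-virus records are the ones shown above; the third, traffic record is constructed to show that non-matching records are ignored.

```python
import re

# A FortiOS log record is a sequence of key=value pairs; a value is either
# double-quoted (and may then contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
DIGEST_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_fortilog(line):
    """Parse one key=value log record into a dict of field -> string.

    A leading record index such as '2: ' is ignored because it carries no '='.
    Surrounding double quotes are stripped from quoted values.
    """
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def triage_outbreak_event(line):
    """Summarize a virus-subtype block that carries a file hash.

    Returns None for any other record, so the function can be mapped over a
    mixed log stream. filehashsrc distinguishes a FortiGuard verdict from a
    hit on one of the configured external lists (the value is then the
    external-resource name, 'test_list' in the page's example).
    """
    rec = parse_fortilog(line)
    if rec.get("type") != "utm" or rec.get("subtype") != "virus":
        return None
    if "filehash" not in rec:
        return None
    src = rec.get("filehashsrc", "")
    external = src != "fortiguard"
    return {
        "eventtype": rec.get("eventtype"),
        "action": rec.get("action"),
        "filename": rec.get("filename"),
        "filehash": rec["filehash"].lower(),
        "hash_type": DIGEST_TYPES.get(len(rec["filehash"]), "unknown"),
        "source": ("external list '%s'" % src) if external else "FortiGuard",
        "from_external_list": external,
        "client": rec.get("srcip"),
        "url": rec.get("url"),
    }


def triage_many(lines):
    """Apply triage_outbreak_event to a sequence of records, dropping non-matches."""
    results = []
    for line in lines:
        summary = triage_outbreak_event(line)
        if summary is not None:
            results.append(summary)
    return results


# Sample input: the two utm-virus records from the page, plus a constructed
# traffic record that the triage must ignore.
SAMPLE_LOGS = [
    '2: date=2018-07-30 time=13:57:59 logid="0204008202" type="utm" subtype="virus" eventtype="outbreak-prevention" level="warning" vd="root" evnttime=1532984279 msg="Blocked by Virus Outbreak Prevention service." action="blocked" service="HTTP" sessionid=174777 srcip=192.168.101.20 dstip=172.16.67.148 srcport=37044 dstport=80 srcintf="lan" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="zhvo_test.com" checksum="583369a5" quarskip="No-skip" virus="503e99fe40ee120c45bc9a30835e7256fff3e46a" dtype="File Hash" filehash="503e99fe40ee120c45bc9a30835e7256fff3e46a" filehashsrc="fortiguard" url="http://172.16.67.148/zhvo_test.com" profile="mhash_test" agent="Firefox/43.0" analyticssubmit="false" crscore=30 crlevel="high"',
    '1: date=2018-07-30 time=13:59:41 logid="0207008212" type="utm" subtype="virus" eventtype="malware-list" level="warning" vd="root" eventtime=1532984381 msg="Blocked by local malware list." action="blocked" service="HTTP" sessionid=174963 srcip=192.168.101.20 dstip=172.16.67.148 srcport=37045 dstport=80 srcintf="lan" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" policyid=1 proto=6 direction="incoming" filename="mhash_block.com" checksum="90f0cb57" quarskip="No-skip" virus="mhash_block.com" dtype="File Hash" filehash="93bdd30bd381b018b9d1b89e8e6d8753" filehashsrc="test_list" url="http://172.16.67.148/mhash_block.com" profile="mhash_test" agent="Firefox/43.0" analyticssubmit="false"',
    # Constructed, not from the page: an ordinary traffic record.
    '3: date=2018-07-30 time=14:00:00 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.101.20 dstip=172.16.67.148 action="accept" policyid=1',
]

if __name__ == "__main__":
    for summary in triage_many(SAMPLE_LOGS):
        print("%(action)s %(filename)s (%(hash_type)s %(filehash)s) by %(source)s "
              "for client %(client)s" % summary)
```

Splitting on filehashsrc is what makes the two feeds reviewable separately: a burst of malware-list blocks right after a feed refresh is the first place to look if an entry in one of the lists is too broad.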