Configuring antivirus profiles and antivirus action profiles
The AntiVirus submenu lets you configure antivirus profiles and related action profiles. See the following topics for details:
- Managing antivirus profiles
- Configuring antivirus action profiles
Managing antivirus profiles
Go to Profile > AntiVirus to create antivirus profiles that you can select in a policy in order to scan email for viruses.
The FortiMail unit scans email header, body, and attachments (including compressed files, such as ZIP, PKZIP, LHA, ARJ, and RAR files) for virus infections. If the FortiMail unit detects a virus, it will take actions as you define in the antivirus action profiles. For details, see “Configuring antivirus action profiles” on page 522.
FortiMail keeps its antivirus scan engine and virus signature database up-to-date by connecting to Fortinet FortiGuard Distribution Network (FDN) antivirus services. For details, see “Configuring FortiGuard updates and antispam queries” on page 233.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.
To configure an antivirus profile
- Go to Profile > AntiVirus > AntiVirus.
- Either click New to add a profile or double-click a profile to modify it.
A dialog appears.
- Click the arrows to expand each section as needed and configure the following:
Figure 213:Antivirus Profile dialog
GUI item | Description |
Domain | For a new profile, select either System to apply the profile to the entire FortiMail unit, or select a specific protected domain. You can see only the domains that are permitted by your administrator profile. |
Profile name | For a new profile, type its name. |
Default action | Select an action profile or create a new action profile. See “Configuring antivirus action profiles” on page 522. |
Virus scanning | Enable to perform antivirus scanning. |
Grayware scanning | Enable to scan for grayware as well, such as mail bomb detection. |
Upload suspicious attachment to FortiSandbox | Enable to send suspicious attachments to FortiSandbox. For details about FortiSandbox configuration, see “Adding a FortiSandbox unit” on page 275.
Suspicious attachments include: • Suspicious file detected by heuristic scan of the AV engine • Executable files and executable files embedded in archive files. • Type 6 hashes (binary hashes) of the spam email detected by FortiGuard AntiSpam Service |
Realtime sandbox malware analysis | Enable to use realtime malware analysis, or heuristic antivirus scan, when performing antivirus scanning. |
Action | Select an action profile that the FortiMail unit will take if the realtime malware analysis determines that they have virus-like qualities, and suspects that they may be infected. |
- Click Create or OK.
Configuring antivirus action profiles
The Action tab in the AntiVirus submenu lets you define one or more things that the FortiMail unit should do if the antivirus profile determines that an email is infected by viruses.
To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.
To view and configure antivirus action profiles
- Go to Profile > AntiVirus > Action.
Figure 214:Viewing the list of antivirus action profiles
GUI item | Description |
Domain
(drop-down list) |
Select System to see profiles for the entire FortiMail unit, or select a protected domain name to see profiles for that domain. You can see only the domains that are permitted by your administrator profile. |
Profile Name | Displays the name of the profile. |
Domain
(column) |
Displays either System or a domain name. |
(Green dot in column heading) | Indicates whether or not the entry is currently referred to by another item in the configuration. If another item is using this entry, a red dot appears in this column, and the entry cannot be deleted. |
- Either click New to add a profile or double-click an existing profile to modify it.
A dialog appears.
Figure 215:Configuring an antivirus action profile
- Configure the following:
GUI item | Description |
Domain | Select if the action profile will be system-wide or domain-wide.
You can see only the domains that are permitted by your administrator profile. |
Profile name | For a new profile, enter a name. |
Tag email’s subject line Enable and enter the text that appears in the subject line of the email, such as [virus], in the With value field. The FortiMail unit will prepend this text to the subject line of spam before forwarding it to the recipient.
Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the subject line. For details, see the documentation for your email client.
GUI item | Description |
Insert new header | Enable and enter the message header key in the field, and the values in the With value field. The FortiMail unit adds this text to the message header of the email before forwarding it to the recipient.
Many email clients can sort incoming email messages into separate mailboxes, including a spam mailbox, based on text appearing in various parts of email messages, including the message header. For details, see the documentation for your email client. Message header lines are composed of two parts: a key and a value, which are separated by a colon. For example, you might enter: X-Custom-Header: Detected as virus by profile 22. If you enter a header line that does not include a colon, the FortiMail unit will automatically append a colon, causing the entire text that you enter to be the key. Note: Do not enter spaces in the key portion of the header line, as these are forbidden by RFC 2822. |
Deliver to alternate host | Enable to route the email to a specific SMTP server or relay, then type the fully qualified domain name (FQDN) or IP address of the destination.
Note: If you enable this setting, the FortiMail unit uses this destination for all email that matches the profile and ignores Relay server name and Use this domain’s SMTP server to deliver the mail. |
BCC | Enable to send a blind carbon copy (BCC) of the email.
Configure BCC recipient email addresses by entering each one and clicking Create in the BCC area. |
Notify with profile | Enable and select a notification profile to send a notification email to the sender, recipient, or any other people as you configure in the notification profile. The notification email is customizable and will tell the users what happened to the email message. For details about notification profiles and email templates, see “Configuring notification profiles” on page 600 and “Customizing email templates” on page 288. |
Reject | Enable to reject the email and reply to the SMTP client with SMTP reply code 550. |
Discard | Enable to accept the email, but then delete it instead of delivering the email, without notifying the SMTP client. |
System Quarantine | Enable to redirect email to the system quarantine. For more information, see “Managing the system quarantine” on page 188. |
GUI item Description
Replace Replaces the infected file with a replacement message that infected/suspicious notifies the email user the infected file was removed. You can body or attachment(s) customize replacement messages. For more information, see “Customizing GUI, replacement messages and email templates” on page 276.
Rewrite recipient email address | Enable to change the recipient address of any infected email message.
Configure rewrites separately for the local-part (the portion of the email address before the ‘@’ symbol, typically a user name) and the domain part (the portion of the email address after the ‘@’ symbol). For each part, select either: • None: No change. • Prefix: Prepend the part with text that you have entered in the With field. • Suffix: Append the part with the text you have entered in the With field. • Replace: Substitute the part with the text you have entered in the With field. |
Repackage email with customized content | Enable to forward the infected email as an attachment with the customized email body that you define in the custom email template. For example, in the template, you may want to say “The
attached email is infected by a virus”. For details, see “Customizing email templates” on page 288. |
Repackage email with original content | Enable to forward the infected email as an attachment but the original email body will still be used without modification. |
Hi, on these instructions it states “personal black lists and white lists” on page 620.”
Where can i get the book to view page 620??
https://docs.fortinet.com/d/fortimail-5.4.0-administration-guide
That is a PDF version of the FortiMail documentation. 620 is referenced there.
Hello,
What about the confidence degree of Header Analysis (also called Deepheader Analysis)? The default value is 95.0, and statisticaly on dozen of emails, all the values are always within range 95,03- 95,09. What is really checked in headers ? In our organization (government – 5000 users) we have lots of SPAM catched but also lots of false positive catched by this feature…
Unfortunately the defaults are just “broad strokes”. A lot of tweaking is necessary to get things to where you are in your organization’s happy range of false positives vs missed spam.
Hello,
Do we have some addtional info regarding heuristic filter ? It is quite tricky to proceed with fine tuning with this light description. In my case, default settings just catch anything (around 10 emails out of 150’000… Now I have decreased threshold value to 3.0 and increased percentage of rules to 50% and now it catches around 200 emails out of 750’000 … still no false-positive.
Hello,
Is there a way to clear only one entry in the LDAP cache ? Since we have over 10’000 users and that there are multiple routers and FW between the SMTP Gateway and the LDAP servers we do not want to clear the whole cache.