FortiOS 6 – AntiVirus

FortiGuard AntiVirus updates

To ensure that your system receives the most protection available, all virus definitions and signatures are updated regularly through the FortiGuard AntiVirus services. To configure this feature, go to System > FortiGuard. Under AntiVirus & IPS Updates, enable Scheduled Updates. From here you can schedule updates to occur on a consistent weekly, daily, or even hourly basis.

Updating antivirus definitions can cause a short disruption of traffic being scanned while the FortiGate unit applies the new signature database. Schedule updates for time periods when traffic is light to minimize disruption.

FortiSandbox

Not every piece of malware has a signature. This is especially true of new malware and variations on existing malware. FortiOS can upload suspicious files to FortiSandbox for sandbox inspection. When a FortiGate uses sandbox inspection, files are sent to the FortiSandbox. Then the FortiSandbox uses virtual machines (VMs) running different operating systems to test the file, to determine if it is malicious. If the file exhibits risky behavior, or is found to contain a virus, a new signature can be added to both the local FortiGate malware database and the FortiGuard AntiVirus signature database.

A file is deemed suspicious when it does not contain a known threat but has characteristics that suggest it may be malware. The characteristics that determine if a file is suspicious are updated by Fortinet to reflect the current threat climate.

FortiSandbox is available as a physical or virtual appliance (FortiSandbox Appliance), or as a cloud advanced threat protection service integrated with FortiGate (FortiCloud).

To configure an AntiVirus profile to send files to FortiSandbox, first verify that your FortiSandbox appliance is configured or that your FortiCloud account is active. Then go to Security Profiles > AntiVirus and enter the desired Inspection Options.

Sending files to the FortiSandbox appliance or to FortiSandbox Cloud does not block files immediately. Instead, the files assist in the discovery of new threats and the creation of new signatures to be added to the global FortiGuard AntiVirus database. Files deemed malicious are also immediately added to a custom Malware Package which is downloaded by the FortiGate every two minutes for live detection.

The Advanced Threat Protection Statistics dashboard widget displays the number of files that your FortiGate unit has uploaded or submitted to FortiSandbox. To see FortiSandbox statistics for the last 7 days, go to Fortinet Security Fabric > Settings.

Option for “Suspicious Files Only” for FortiSandbox submissions

Beginning in FortiOS 6.0.1, FortiGates can use the FortiSandbox Cloud service as part of the AntiVirus subscription. In order to reduce client upload bandwidth usage and general load on the FortiSandbox service, a new “Suspicious Files Only” upload option has been added to the AntiVirus profile, which previously only had “None” and “All Supported Files”.

In order to enforce best practices, “None” is now the default.

Syntax

config antivirus profile
    edit <profile name>
        set ftgd-analytics [disable|suspicious|everything]
end
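The submission option above, together with the scheduled-update setting from the first section, is the kind of thing an administrator wants to verify across every AntiVirus profile from a configuration backup rather than by clicking through each one in the GUI. The following script is an added example, not Fortinet's code and not part of this page: it assumes the plain-text layout of a FortiOS backup (config / edit / set / next / end, four spaces per level), the ftgd-analytics keyword and values shown in the syntax above, and that scheduled updates live under config system autoupdate schedule with status, frequency and time keys (an assumed section name). The sample backup is constructed, and a profile that never sets ftgd-analytics is reported as disable, following the page's statement that None is the default.

```python
"""Audit a FortiOS config backup for FortiSandbox submission and scheduled updates.

Added example; assumes the backup layout and keywords described in the lead-in.
"""
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample backup (not captured from a real device).
SAMPLE_CONFIG = """\
config system autoupdate schedule
    set status enable
    set frequency daily
    set time "02:00"
end
config antivirus profile
    edit "default"
        set comment "Scan files and block viruses."
        set ftgd-analytics suspicious
    next
    edit "guest-wifi"
        set ftgd-analytics disable
    next
    edit "lab"
        set ftgd-analytics everything
    next
    edit "legacy"
        set comment "No ftgd-analytics line: FortiOS default applies."
    next
end
"""


def parse_fortios_config(text: str) -> Dict:
    """Parse the nested config/edit/set/next/end layout into nested dicts.

    'config a b' opens a section keyed "a b", 'edit "x"' opens an entry keyed "x",
    'set k v...' stores the value tokens under k, 'next' and 'end' close the
    current entry or section.  Quoted values are handled by shlex.
    """
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword = tokens[0]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif keyword == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif keyword == "unset":
            stack[-1].pop(tokens[1], None)
        elif keyword in ("next", "end"):
            if len(stack) == 1:
                raise ValueError("unbalanced %r" % keyword)
            stack.pop()
        else:
            raise ValueError("unrecognised line: %r" % line)
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def sandbox_submission_by_profile(cfg: Dict) -> Dict[str, str]:
    """Map each AntiVirus profile to its ftgd-analytics value.

    A profile without the line gets 'disable', the default the page states.
    """
    profiles = cfg.get("antivirus profile", {})
    return {name: entry.get("ftgd-analytics", ["disable"])[0]
            for name, entry in profiles.items()}


def profiles_not_submitting(cfg: Dict) -> List[str]:
    """Profiles that never send files to FortiSandbox (sorted for stable reports)."""
    return sorted(n for n, v in sandbox_submission_by_profile(cfg).items() if v == "disable")


def scheduled_updates(cfg: Dict) -> Tuple[bool, Optional[str], Optional[str]]:
    """(enabled, frequency, time) from the assumed autoupdate schedule section."""
    sched = cfg.get("system autoupdate schedule", {})
    enabled = sched.get("status", ["disable"])[0] == "enable"
    return enabled, sched.get("frequency", [None])[0], sched.get("time", [None])[0]


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    for name, mode in sandbox_submission_by_profile(cfg).items():
        print("%-12s ftgd-analytics=%s" % (name, mode))
    print("not submitting:", profiles_not_submitting(cfg))
    print("scheduled updates:", scheduled_updates(cfg))
```

Run it against a backup exported from System > Configuration and the report shows which profiles still sit at the new None default, which is the list to review after an upgrade to 6.0.1.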
