FortiOS 6 – AntiVirus

Enabling AntiVirus scanning

Antivirus scanning is configured in an AntiVirus profile, but it is enabled in a firewall policy. Once the use of an AntiVirus profile is enabled and selected in one or more firewall policies, all the traffic controlled by those firewall policies will be scanned according to the settings in that profile.

By going to System > Feature Visibility, you can enable or disable two aspects of the AntiVirus Profile.

  1. AntiVirus will determine if the option to use AntiVirus profiles is available.
  2. Multiple Security Profiles will determine if you can configure any AntiVirus profiles beyond the default profile.

The use of antivirus protection is a minimum standard for security protection. The question left to decide is whether or not you wish to use multiple profiles in your configuration.

From Security Profiles > AntiVirus you can edit existing profiles or create and configure new antivirus profiles that can then be applied to firewall policies. A profile is specific configuration information that defines how the traffic within a firewall policy is examined and what action may be taken based on the examination.

The configuration of the antivirus profile depends on whether the inspection mode is proxy-based or flow-based. You select the inspection mode by going to the System > Settings page. The FortiGate’s inspection mode is also displayed on the unit’s Dashboard in the System Information widget.

The discussion of the differences between antivirus scanning modes explains how scanning works in proxy-based and flow-based inspection, and how it differs across versions of FortiOS 5.x.

Enabling AntiVirus in Proxy-mode – GUI

  1. Go to Security Profiles > AntiVirus.
  2. Choose whether you want to edit an existing profile or create a new one.
    • The default profile will be the one displayed by default.
    • If you are going to edit an existing profile, you can select it either by using the drop-down menu in the upper right-hand corner of the window or by selecting the List icon (the furthest right of the three icons in the upper right of the window; it resembles a page with some lines on it), and then selecting the profile you want to edit from the list.
    • If you need to create a new profile you can either select the Create New icon (a plus sign within a circle) or select the List icon and then select the Create New link in the upper left of the window that appears.
  3. If you are creating a new profile, write a name for it in the Name field.
  4. For the Detect Viruses field, select either Block to prevent infected files from passing through the FortiGate or Monitor to allow infected files to pass through the FortiGate but to record instances of infection.
  5. Under Inspected Protocols, enable the protocols you wish to be blocked or monitored.
  6. Under APT Protection Options, you may enable the following options: Content Disarm and Reconstruction, Treat Windows Executables in Email Attachments as Viruses, Send Files to FortiSandbox Cloud for Inspection, and Use Virus Outbreak Prevention Database.

FortiSandbox options are only available if you have a FortiCloud account active on your FortiGate.

  7. Select Apply.
  8. Add the AntiVirus profile to a firewall security policy.

To view Mobile Malware license and version information, go to System > FortiGuard and locate the Mobile Malware section in the License Information table.

Content Disarm and Reconstruction (CDR)

Content Disarm and Reconstruction (CDR) is used to remove exploitable content and replace it with content that is known to be safe. As the files are processed through an enabled Proxy-based AntiVirus profile, content that is deemed malicious or unsafe is replaced with content that will allow the traffic to continue, but not put the recipient at risk.

Content that can be scanned includes PDF and Microsoft Office files leaving the network on CDR-supported protocols (HTTP web download, SMTP email send, IMAP/POP3 email retrieval—MAPI is not supported).

This feature will work without FortiSandbox configured, but only if you wish to discard the original file. If FortiSandbox is configured and it responds that the file is clean, it will pass the content unmodified.

This feature will not work if splice or client-comfort are enabled under profile-protocol-options for SMTP.

CDR does not alter documents in an HTTP POST, and is not designed to strip content leaving the network for HTTP. It only works on HTTP GET.

Syntax

The use of CDR is enabled or disabled separately for each protocol in the profile. Note that all CDR commands are only available when you set the profile’s inspection-mode to proxy.

config antivirus profile
    edit <name>
        set inspection-mode proxy
        config <protocol>
            set options scan
            set content-disarm {enable | disable}
        end
    next
end

You must ensure that set options scan is configured.

If set options avmonitor is configured for a protocol, it will enable the detect-only option (see below) and CDR will not occur for that protocol.

Enabling and disabling CDR is specific to each protocol, but the granular selection of which types of content the CDR engine rewrites is configured once per AntiVirus profile. The settings within the config content-disarm context apply to all of the CDR-enabled protocols.

config antivirus profile
    edit <name>
        config content-disarm
            set original-file-destination {fortisandbox | quarantine | discard}
            set office-macro {enable | disable}
            set office-hylink {enable | disable}
            set office-linked {enable | disable}
            set office-embed {enable | disable}
            set pdf-javacode {enable | disable}
            set pdf-embedfile {enable | disable}
            set pdf-act-gotor {enable | disable}
            set pdf-act-launch {enable | disable}
            set pdf-act-uri {enable | disable}
            set pdf-act-sound {enable | disable}
            set pdf-act-movie {enable | disable}
            set pdf-act-java {enable | disable}
            set pdf-act-form {enable | disable}
            set cover-page {enable | disable}
            set detect-only {enable | disable}
        end
    next
end

Where:

Option                     Description
original-file-destination  Select the destination to which files will be sent for inspection. Note that, once you enable content-disarm under a protocol, you will be warned that all original files will be discarded. To be able to retrieve the original files, you must set an original-file-destination for this profile.
office-macro               Enables/disables stripping of macros in Microsoft Office documents.
office-hylink              Enables/disables stripping of hyperlinks in Microsoft Office documents.
office-linked              Enables/disables stripping of linked objects in Microsoft Office documents.
office-embed               Enables/disables stripping of embedded objects in Microsoft Office documents.
pdf-javacode               Enables/disables stripping of JavaScript code in PDF documents.
pdf-embedfile              Enables/disables stripping of embedded files in PDF documents.
pdf-act-gotor              Enables/disables stripping of links to other PDFs in PDF documents.
pdf-act-launch             Enables/disables stripping of links to external applications in PDF documents.
pdf-act-uri                Enables/disables stripping of links to URI resources in PDF documents.
pdf-act-sound              Enables/disables stripping of embedded sound files in PDF documents.
pdf-act-movie              Enables/disables stripping of embedded movies in PDF documents.
pdf-act-java               Enables/disables stripping of actions that execute JavaScript code in PDF documents.
pdf-act-form               Enables/disables stripping of actions that submit data to other targets in PDF documents.
cover-page                 Enables/disables inserting a cover page into the disarmed document.
detect-only                Enables/disables detect-only mode: disarmable files are detected, but their content is not altered.

When the antivirus profile successfully detects suspicious content and strips the data, a new page is inserted at the start of the document with a message that reads “This file has been cleaned of potential threats”.

You can set cover-page disable (see above) if you do not want a cover page appended to any disarmed content.

FortiGuard virus outbreak prevention

FortiGuard virus outbreak prevention uses checksums to filter files in order to detect and block virus outbreaks quickly. It usually takes at least a few hours for FortiGuard to develop and push signatures, and a virus outbreak can do a lot of damage within that time; matching files against the hash values of probable virus files closes that gap and proves to be quite effective.

Enable this feature under Security Profiles > AntiVirus > Use Virus Outbreak Prevention Database. Note that this feature requires a license, which you can obtain through System > FortiGuard > Outbreak Prevention.

Syntax

Note that outbreak-prevention is only available when options is set to scan:

config antivirus profile
    edit <name>
        config <protocol>
            set options scan
            set outbreak-prevention {disabled | files | full-archive}
        end
    next
…

where full-archive analyzes files including the contents of archives, whereas files does not include the contents of archives.
