Security Profiles – AntiVirus – FortiOS 6.2

AntiVirus

Content disarm and reconstruction for AntiVirus

Introduction

Content Disarm and Reconstruction (CDR) allows the FortiGate to sanitize Microsoft Office documents and PDF files (disarm) by removing active content such as hyperlinks, embedded media, JavaScript, macros, etc. without affecting the integrity of their textual content (reconstruction).

This feature allows network admins to protect their users from malicious office document files.

Files processed by CDR can have the original copy quarantined on the FortiGate, allowing admins to observe them. These original copies can also be obtained in the event of a false positive.

Support and limitations

  • CDR can only be performed on Microsoft Office Document and PDF files.
  • Local Disk CDR quarantine is only possible on FortiGate models that contain a hard disk.
  • CDR is only supported on HTTP, SMTP, POP3, IMAP.
  • SMTP splice and client-comfort mode is not supported.
  • CDR does not work on flow based inspection modes.
  • CDR can only work on files in .ZIP type archives.

Network topology example

Configuring the feature

In order to configure AntiVirus to work with CDR, you must enable CDR on your AntiVirus profile, set the quarantine location, and then fine tune the CDR detection parameters.

To enable CDR on your AntiVirus profile:

  1. Go to Security Profiles > AntiVirus.
  2. Enable the toggle for Content Disarm and Reconstruction under APT Protection Options.

To set a quarantine location:

  1. Go to Security Profiles > AntiVirus.
  2. Select a quarantine location from the available options, including Discard, File Quarantine, and FortiSandbox:

     Discard           The default setting, which discards the original document file.
     File Quarantine   Saves the original document file to disk (if possible) or to a connected FortiAnalyzer, based on the FortiGate's log settings, visible through Config Global > Config Log FortiAnalyzerSetting.
     FortiSandbox      Saves the original document file to a connected FortiSandbox.

To fine tune CDR detection parameters in the FortiGate CLI:

  • Select which active content to detect/process:

By default, all active Office and PDF content types are enabled. To fine tune CDR to ignore certain content, you must disable that particular content parameter. The example below configures CDR to ignore Microsoft Office macros.

FGT_PROXY (vdom1) # config antivirus profile

FGT_PROXY (profile) # edit av
change table entry 'av'

FGT_PROXY (av) # config content-disarm

FGT_PROXY (content-disarm) # set ?
original-file-destination   Destination to send original file if active content is removed.
office-macro                Enable/disable stripping of macros in Microsoft Office documents.
office-hylink               Enable/disable stripping of hyperlinks in Microsoft Office documents.
office-linked               Enable/disable stripping of linked objects in Microsoft Office documents.
office-embed                Enable/disable stripping of embedded objects in Microsoft Office documents.
office-dde                  Enable/disable stripping of Dynamic Data Exchange events in Microsoft Office documents.
office-action               Enable/disable stripping of PowerPoint action events in Microsoft Office documents.
pdf-javacode                Enable/disable stripping of JavaScript code in PDF documents.
pdf-embedfile               Enable/disable stripping of embedded files in PDF documents.
pdf-hyperlink               Enable/disable stripping of hyperlinks from PDF documents.
pdf-act-gotor               Enable/disable stripping of PDF document actions that access other PDF documents.
pdf-act-launch              Enable/disable stripping of PDF document actions that launch other applications.
pdf-act-sound               Enable/disable stripping of PDF document actions that play a sound.
pdf-act-movie               Enable/disable stripping of PDF document actions that play a movie.
pdf-act-java                Enable/disable stripping of PDF document actions that execute JavaScript code.
pdf-act-form                Enable/disable stripping of PDF document actions that submit data to other targets.
cover-page                  Enable/disable inserting a cover page into the disarmed document.
detect-only                 Enable/disable only detect disarmable files, do not alter content.

FGT_PROXY (content-disarm) # set office-macro disable

FGT_PROXY (content-disarm) #

  • Detect but do not modify active content:

By default, CDR will disarm any detected documents containing active content. To prevent CDR from disarming documents, you can set it to operate in detect-only mode. To do this, the option detect-only must be enabled.

FGT_PROXY (vdom1) # config antivirus profile

FGT_PROXY (profile) # edit av
change table entry 'av'

FGT_PROXY (av) # config content-disarm

FGT_PROXY (content-disarm) # set detect-only ?
disable      Disable this Content Disarm and Reconstruction feature.
enable       Enable this Content Disarm and Reconstruction feature.

FGT_PROXY (content-disarm) # set detect-only enable

FGT_PROXY (content-disarm) #

  • Enabling/disabling the CDR cover page:

By default, a cover page will be attached to the file's content when the file has been processed by CDR. To disable the cover page, the parameter cover-page needs to be disabled.

FGT_PROXY (vdom1) # config antivirus profile

FGT_PROXY (profile) # edit av
change table entry 'av'

FGT_PROXY (av) # config content-disarm

FGT_PROXY (content-disarm) # set cover-page ?
disable      Disable this Content Disarm and Reconstruction feature.
enable       Enable this Content Disarm and Reconstruction feature.

FGT_PROXY (content-disarm) # set cover-page disable

FGT_PROXY (content-disarm) #
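To make the content-disarm parameter list above concrete, the following is an added example (not FortiOS or Fortinet code) that behaves like detect-only mode: it maps each parameter name from the CLI listing to the indicator a scanner would look for inside an Office Open XML package or a PDF, and reports which parameters a file would trigger without altering it. The indicator mapping is an approximation chosen for this example, not Fortinet's detection logic, and both sample files are constructed inline and harmless.

```python
"""Detect-only view of the active content classes that CDR strips.

Added example, not FortiOS code. Maps the content-disarm parameter names
(office-macro, office-hylink, ..., pdf-act-form) to indicators in OOXML
and PDF files. Sample inputs are constructed below.
"""
import io
import re
import zipfile

# PDF indicators matched over the raw bytes. Caveat: objects inside compressed
# streams (/FlateDecode, object streams) are invisible to a raw match; a real
# scanner decodes filters first. pdf-javacode and pdf-act-java both fire on a
# JavaScript action, matching their descriptions in the CLI listing.
PDF_INDICATORS = {
    "pdf-javacode":   rb"/JS\b|/JavaScript\b",
    "pdf-embedfile":  rb"/EmbeddedFile\b",
    "pdf-hyperlink":  rb"/URI\b",
    "pdf-act-gotor":  rb"/S\s*/GoToR\b",
    "pdf-act-launch": rb"/S\s*/Launch\b",
    "pdf-act-sound":  rb"/S\s*/Sound\b",
    "pdf-act-movie":  rb"/S\s*/Movie\b",
    "pdf-act-java":   rb"/S\s*/JavaScript\b",
    "pdf-act-form":   rb"/S\s*/SubmitForm\b",
}
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def scan_pdf(data):
    """Set of parameter names whose indicator appears in the PDF bytes."""
    return {name for name, pat in PDF_INDICATORS.items() if re.search(pat, data)}


def scan_office(data):
    """Inspect an OOXML package (docx/xlsx/pptx are zip containers)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        rels = b"".join(zf.read(n) for n in names if n.endswith(".rels"))
        xml = b"".join(zf.read(n) for n in names if n.endswith(".xml"))
    rel_entries = re.findall(rb"<Relationship\b[^>]*>", rels)

    def has_rel(rel_type, external=False):
        return any(rel_type.encode() in e and (not external or b'TargetMode="External"' in e)
                   for e in rel_entries)

    if any(n.endswith("vbaProject.bin") for n in names):
        found.add("office-macro")          # VBA project part is present
    if has_rel(REL_NS + "hyperlink", external=True):
        found.add("office-hylink")         # hyperlink to an external target
    if has_rel(REL_NS + "oleObject", external=True):
        found.add("office-linked")         # OLE object linked to an external file
    if any("/embeddings/" in n for n in names):
        found.add("office-embed")          # embedded OLE packages / files
    if re.search(rb"\bDDE(AUTO)?\b", xml):
        found.add("office-dde")            # DDE / DDEAUTO field instruction
    if b"ppaction://" in xml:
        found.add("office-action")         # PowerPoint click/hover action
    return found


def detect_only(data):
    """Sorted list of content-disarm parameters this file would trigger."""
    if data.startswith(b"%PDF"):
        return sorted(scan_pdf(data))
    if data.startswith(b"PK"):             # zip container -> OOXML
        return sorted(scan_office(data))
    return []


def build_sample_docx():
    """Constructed minimal document: VBA part, external hyperlink, DDE field."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    '<w:document><w:body><w:p><w:r><w:instrText> DDEAUTO excel '
                    '"C:\\report.xlsx" "Sheet1!R1C1" </w:instrText></w:r></w:p>'
                    '</w:body></w:document>')
        zf.writestr("word/_rels/document.xml.rels",
                    '<Relationships>'
                    f'<Relationship Id="rId1" Type="{REL_NS}hyperlink" '
                    'Target="https://example.com/" TargetMode="External"/>'
                    f'<Relationship Id="rId2" Type="{REL_NS}vbaProject" Target="vbaProject.bin"/>'
                    '</Relationships>')
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE stream")
    return buf.getvalue()


# Constructed minimal PDF: an open action running JavaScript and a link that launches a file.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert("hello")) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /Launch /F (readme.txt) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print("docx:", detect_only(build_sample_docx()))
    print("pdf: ", detect_only(SAMPLE_PDF))
```

Each name the script returns is a parameter you could set to disable in the content-disarm table if that class of content is expected in your environment; everything else remains stripped. The raw-byte PDF match is the main simplification: real documents keep most objects in compressed streams, which is why an appliance-side scanner rather than a grep is needed.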

FortiGuard Outbreak Prevention for AntiVirus

Introduction

FortiGuard Outbreak Prevention was introduced in FortiOS 6.0.0 and allows the FortiGate's AntiVirus database to be supplemented with third-party malware hash signatures curated by FortiGuard.

Those hash signatures are obtained from external sources such as VirusTotal, Symantec, Kaspersky, and other third-party websites and services.

This feature provides the mechanism for AntiVirus to query FortiGuard with the hash of a scanned file. If FortiGuard returns a match from its many curated signature sources, the scanned file is deemed to be malicious.

The concept of FortiGuard Outbreak Prevention is to detect zero-day malware in a collaborative approach.

Support and limitations

  • FortiGuard Outbreak Prevention can be used in both proxy-based and flow-based policy inspections across all supported protocols.
  • FortiGuard Outbreak Prevention does not support AV in quick scan mode.
  • FortiGate must be registered with a valid FortiGuard Outbreak Prevention license before this feature can be used.

Network topology example

Configuring the feature

In order for AntiVirus to work with an external block list, you must register the FortiGate with a FortiGuard Outbreak Prevention license and enable FortiGuard Outbreak Prevention in the AntiVirus profile.

To obtain/renew a FortiGuard AntiVirus license:

  1. See the following link for instructions on how to purchase or renew a FortiGuard Outbreak Prevention license:

https://video.fortinet.com/products/fortigate/6.0/how-to-purchase-or-renew-fortiguard-services-6-0

  2. Once the license has been activated, you can verify its status by going to Global > System > FortiGuard.

To enable FortiGuard Outbreak Prevention in the AntiVirus profile:

  1. Go to Security Profiles > AntiVirus.
  2. Select the toggle to enable Use FortiGuard Outbreak Prevention Database.
  3. Select Apply.

Diagnostics and debugging

  • Check if FortiGate has an Outbreak Prevention license:

FGT_PROXY (global) # diagnose debug rating
Locale       : english

Service      : Web-filter
Status       : Enable
License      : Contract

Service      : Antispam
Status       : Disable

Service      : Virus Outbreak Prevention
Status       : Enable
License      : Contract

-=- Server List (Tue Feb 19 16:36:15 2019) -=-

IP                     Weight    RTT Flags TZ    Packets  Curr Lost  Total Lost  Updated Time
192.168.100.185          -218      2 DI     -8      113          0           0  Tue Feb 19 16:35:55 2019
  • Scanunit daemon showing the Outbreak Prevention verdict:

FGT_PROXY (vdom1) # diagnose debug application scanunit -1
Debug messages will be on for 30 minutes.

FGT_PROXY (vdom1) # diagnose debug enable

FGT_PROXY (vdom1) # su 4739 job 1 open
su 4739 req vfid 1 id 1 ep 0 new request, size 313, policy id 1, policy type 0
su 4739 req vfid 1 id 1 ep 0 received; ack 1, data type: 0
su 4739 job 1 request info:
su 4739 job 1 client 10.1.100.11:39412 server 172.16.200.44:80
su 4739 job 1 object_name 'zhvo_test.com'
su 4739 file-typing NOT WANTED options 0x0 file_filter no
su 4739 enable databases 0b (core mmdb extended)
su 4739 job 1 begin http scan
su 4739 scan file 'zhvo_test.com' bytes 68
su 4739 job 1 outbreak-prevention scan, level 0, filename 'zhvo_test.com'
su 4739 scan result 0
su 4739 job 1 end http scan
su 4739 job 1 inc pending tasks (1)
su 4739 not wanted for analytics: analytics submission is disabled (m 0 r 0)
su 4739 job 1 suspend
su 4739 outbreak-prevention recv error
su 4739 ftgd avquery id 0 status 1
su 4739 job 1 outbreak-prevention infected entryid=0
su 4739 report AVQUERY infection priority 1
su 4739 insert infection AVQUERY SUCCEEDED loc (nil) off 0 sz 0 at index 0 total infections 1 error 0
su 4739 job 1 dec pending tasks 0
su 4739 job 1 send result
su 4739 job 1 close
su 4739 outbreak-prevention recv error

External malware blocklist for Antivirus

Introduction

External Malware Blocklist is a new feature introduced in FortiOS 6.2.0 which falls under the umbrella of Outbreak Prevention.

This feature provides another means of supporting the AV database by allowing users to add their own malware signatures in the form of MD5, SHA1, and SHA256 hashes.

It provides a mechanism for AntiVirus to retrieve an external malware hash list from a remote server and to poll the hash list every n minutes for updates.

Support and limitations

Malware detection using External Malware Blocklist can be used in both proxy-based and flow-based policy inspections.

Just like FortiGuard Outbreak Prevention, External Dynamic Block List is not supported in AV quick scan mode.

Using different types of hash simultaneously may slow down the performance of malware scanning. For this reason, it is recommended to use only one type of hash (either MD5, SHA1, or SHA256), not all three simultaneously.

Network topology example

Configuring the feature

To configure AntiVirus to work with the External Malware Blocklist:

  1. Create the malware hash list:

The malware hash list follows a strict format in order for its contents to be valid. Each malware hash signature entry must be on its own line. A valid signature needs to follow the format below:

# MD5 Entry with hash description
aa67243f746e5d76f68ec809355ec234 md5_sample1

# SHA1 Entry with hash description
a57983cb39e25ab80d7d3dc05695dd0ee0e49766 sha1_sample2

# SHA256 Entry with hash description
ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379 sha256_sample1

# Entry without hash description
0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521

# Invalid entries
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3

  2. Configure the External Malware Blocklist source:

Create a new external source on the Global > Security Fabric > Fabric Connectors page:

  • Select Malware Hash.
  • Fill out the fields as shown below. The URI should point to the malware hash list on the remote server.
  • The Malware Hash source object is now created.
  • Users can view the entries inside the malware blocklist by clicking the View Entries button. The Malware Hash Threatfeed hash_list is shown.

  3. Enable External Malware Blocklist in the AntiVirus profile:

Enable External Malware Blocklist on the AntiVirus profile and apply the change.

AntiVirus is now ready to use the external malware blocklist.

Diagnostics and debugging

Check if scanunit daemon has updated itself with the external hashes:

FGT_PROXY # config global

FGT_PROXY (global) # diagnose sys scanunit malware-list list
md5 'aa67243f746e5d76f68ec809355ec234' profile 'hash_list' description 'md5_sample1'
sha1 'a57983cb39e25ab80d7d3dc05695dd0ee0e49766' profile 'hash_list' description 'sha1_sample2'
sha256 '0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521' profile 'hash_list' description ''
sha256 'ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379' profile 'hash_list' description 'sha256_sample1'
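Before publishing a hash list to the remote server, it is worth validating it against the format rules from step 1, since malformed lines are silently dropped and only the accepted ones appear in the scanunit output above. The following is an added example (not Fortinet code) that applies those rules (one entry per line, a hex digest of MD5/SHA1/SHA256 length optionally followed by whitespace and a description, "#" lines as comments), reports which lines scanunit would load and which it would reject, flags the mixed-hash-type condition the limitations section warns about, and shows the lookup a scanner performs. It reuses the page's own sample entries plus one constructed SHA256 entry so the lookup has something to hit.

```python
"""Validator and lookup for the External Malware Blocklist file format.

Added example, not Fortinet code. The parsing rules are the ones stated in
the configuration section; the sample list below is the page's sample plus
one constructed entry.
"""
import hashlib
import re

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}   # hex digest length -> type
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_malware_hash_list(text):
    """Return (entries, rejected).

    entries:  list of {"type", "hash", "description", "line"} for valid lines
    rejected: list of (line number, text) for lines that are not a bare hex
              digest of MD5/SHA1/SHA256 length, optionally followed by
              whitespace and a description
    """
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):        # blank lines and comments
            continue
        parts = line.split(None, 1)
        digest = parts[0]
        description = parts[1].strip() if len(parts) > 1 else ""
        hash_type = HASH_LENGTHS.get(len(digest))
        # A separator that is not whitespace (the two "Invalid entries" above)
        # glues the description onto the digest, so the length/hex check fails.
        if hash_type is None or not HEX_RE.match(digest):
            rejected.append((lineno, line))
            continue
        entries.append({"type": hash_type, "hash": digest.lower(),
                        "description": description, "line": lineno})
    return entries, rejected


def hash_types_used(entries):
    """Distinct digest types in the list; more than one means mixed types,
    which the limitations section says slows scanning."""
    return sorted({e["type"] for e in entries})


def match_file(entries, data):
    """Look a file up the way a scanner would: compute only the digest types
    the list actually contains, then compare. Returns the matching entry or None."""
    index = {(e["type"], e["hash"]): e for e in entries}
    for hash_type in hash_types_used(entries):
        digest = hashlib.new(hash_type, data).hexdigest()
        hit = index.get((hash_type, digest))
        if hit:
            return hit
    return None


# The page's sample list, verbatim.
PAGE_LIST = """\
# MD5 Entry with hash description
aa67243f746e5d76f68ec809355ec234 md5_sample1

# SHA1 Entry with hash description
a57983cb39e25ab80d7d3dc05695dd0ee0e49766 sha1_sample2

# SHA256 Entry with hash description
ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379 sha256_sample1

# Entry without hash description
0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521

# Invalid entries
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3
"""

# Constructed sample file and a constructed SHA256 entry for it, appended to the
# page's list so match_file() has something to hit.
SAMPLE_FILE = b"constructed sample payload, not a real malware file"
SAMPLE_LIST = PAGE_LIST + hashlib.sha256(SAMPLE_FILE).hexdigest() + " constructed_sample\n"

if __name__ == "__main__":
    entries, rejected = parse_malware_hash_list(SAMPLE_LIST)
    for e in entries:
        print(f"{e['type']} '{e['hash']}' description '{e['description']}'")
    for lineno, text in rejected:
        print(f"rejected line {lineno}: {text}")
    if len(hash_types_used(entries)) > 1:
        print("warning: mixed hash types", hash_types_used(entries))
    print("lookup:", match_file(entries, SAMPLE_FILE))
```

Run against the page's list, the four entries the script accepts are exactly the four that `diagnose sys scanunit malware-list list` shows, with the description-less SHA256 entry reported as an empty description, and the two "Invalid entries" lines are rejected. The warning about mixed types fires because the sample deliberately mixes MD5, SHA1 and SHA256; a production list should stick to one.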

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
