Inspection mode differences for Antivirus

Inspection mode differences for Antivirus

This section identifies the behavioral differences between Antivirus operating in flow and proxy inspection.

Feature comparison between Antivirus inspection modes

The following table indicates which Antivirus features are supported by their designated scan modes.

Part1 Replacement Message Content Disarm Mobile Malware Virus

Outbreak

Sandbox Inspection NAC Quar-

antine

Proxy Yes Yes Yes Yes Yes Yes
Flow Full Mode Yes* No Yes Yes Yes Yes
Flow Quick Mode Yes* No No No Yes Yes

*IPS Engine caches the URL and a replacement message will be presented after the second attempt.

Part 2 Archive Blocking Emulator Client Com- Infection forting Quarantine Heuristics Treat

EXE as

Virus

Proxy Yes Yes Yes                Yes (1) Yes Yes (2)
Flow Full Mode Yes Yes No                 Yes (1) Yes Yes (2)
Flow Quick Mode No No No                 No No No
  1. Only available on FortiGate models with HDD or when FortiAnalyzer or FortiCloud is connected and enabled.
  2. Only applies to inspection on IMAP, POP3, SMTP, and MAPI protocols.

Protocol comparison between Antivirus inspection modes

The following table indicates which protocols can be inspected by the designated Antivirus scan modes.

  HTTP FTP IMAP POP3 SMTP NNTP MAPI CIFS
Proxy Yes Yes Yes Yes Yes Yes Yes Yes*
Flow Full Mode Yes Yes Yes Yes Yes No No Yes
Flow Quick Mode Yes Yes Yes Yes Yes No No Yes

* Proxy mode Antivirus inspection on CIFS protocol has the following limitations:

  • Cannot detect infections within archive files l Cannot detect oversized files
  • Will block special archive types by default l IPv6 is not supported yet (at the time of FOS v6.2.0 GA)

Other Antivirus differences between inspection modes

Flow Quick mode uses a separate pre-filtering database for malware detection as opposed to the full AV signature database that Flow Full and Proxy mode inspection use.

Proxy mode uses pre-scanning and stream-based scanning for HTTP traffic. This allows archive files that exceed the oversize limit to be uncompressed and scanned for infections.

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.