Transcript of: Antivirus
Module Objectives
• By the end of this module participants will be able to:
• Identify the virus scanning techniques used on the FortiGate unit
• Identify the differences between file-based and flow-based virus scanning
• Configure quarantine options
• Define firewall policies using antivirus profiles
• Update FortiGuard Services
Antivirus
• Detect and eliminate viruses, worms, trojans and spyware in real time
• Stop threats before they enter the network
• Scans HTTP and FTP traffic as well as incoming and outgoing SMTP, POP3 and IMAP email
• Internet Content Adaptation Protocol (ICAP) support
• FortiGate acts as ICAP client to communicate with ICAP servers that the FortiGate unit can utilize for offloading AV scanning services
• First enable in Settings, then configure under UTM Profiles > ICAP
File-Based scanning
• Antivirus proxy buffers the file as it arrives
• Once transmission is complete, the virus scanner examines the file
• Higher detection and accuracy rate
Flow-Based Scanning
• File is scanned on a packet-by-packet basis as it passes through the FortiGate unit
• Faster scanning, but lower accuracy rate
• Difficulty in catching virus variants
• Only available on certain models
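The accuracy difference between the two modes comes down to what the scanner can see at once. The following added example is a simplified model written for this transcript, not Fortinet's scanning engine: a signature is matched against a whole buffered transfer (file-based), against each packet on its own (flow-based without cross-packet state), and against a sliding window that carries the tail of the previous packet forward (the usual mitigation). The sample transfer is constructed and uses the EICAR test string, the industry-standard harmless antivirus test pattern, as the "signature".

```python
"""Simplified model of file-based vs flow-based signature scanning.

Constructed illustration, not Fortinet's implementation. It shows why
scanning each packet in isolation can miss a pattern that straddles a
packet boundary, and how carrying over the previous packet's tail fixes
that without buffering the whole file.
"""
from typing import Iterable, List

# The EICAR test string: a harmless pattern every AV engine detects.
# It stands in here for a real signature.
SIGNATURE = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def file_based_scan(packets: Iterable[bytes], signature: bytes = SIGNATURE) -> bool:
    """Buffer the entire transfer (as the AV proxy does), then scan it once."""
    buffered = b"".join(packets)
    return signature in buffered


def flow_based_scan_naive(packets: Iterable[bytes], signature: bytes = SIGNATURE) -> bool:
    """Scan every packet by itself; no state is kept between packets."""
    return any(signature in pkt for pkt in packets)


def flow_based_scan_with_carry(packets: Iterable[bytes], signature: bytes = SIGNATURE) -> bool:
    """Keep the last len(signature)-1 bytes seen so far and prepend them to
    the next packet, so a signature split across packets is still matched."""
    carry = b""
    for pkt in packets:
        window = carry + pkt
        if signature in window:
            return True
        carry = window[-(len(signature) - 1):]
    return False


def split_into_packets(data: bytes, mtu: int) -> List[bytes]:
    """Chop a byte string into fixed-size chunks, like a packetised stream."""
    return [data[i:i + mtu] for i in range(0, len(data), mtu)]


def build_sample_transfer(mtu: int = 40) -> List[bytes]:
    """Constructed HTTP-like response body with the test pattern in the middle.
    With mtu=40 the 68-byte pattern always spans several packets."""
    body = b"GET /sample HTTP/1.0\r\n\r\n" + b"A" * 30 + SIGNATURE + b"B" * 20
    return split_into_packets(body, mtu)


if __name__ == "__main__":
    pkts = build_sample_transfer()
    print("file-based  :", file_based_scan(pkts))            # True
    print("flow naive  :", flow_based_scan_naive(pkts))      # False: pattern split
    print("flow + carry:", flow_based_scan_with_carry(pkts))  # True
```

The naive per-packet scanner is the fastest and needs no memory per session, which is the trade-off the slide describes; the carry-over variant restores detection for patterns up to the carry size at the cost of a small per-session buffer.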
FortiGuard Services
Product        FortiGuard Subscription Services Available
FortiGate      Antivirus, Antispam, Web filtering, Intrusion Prevention System, Application control, Voice
FortiAnalyzer  Vulnerability Management Service
FortiMail      Antispam, Antivirus
FortiDB        Database Security Service
FortiClient    Antivirus, Antispam, Web filtering
FortiWeb       FortiWeb Security Service
FortiScan      Vulnerability Management Service
Connecting to FortiGuard Servers
(Diagram: the FortiGate unit resolves service.fortiguard.net through DNS to reach FortiGuard Server 1 and FortiGuard Server 2)
Grayware
• Categories: Adware, Browser helper objects, Dialers, Downloaders, Games, Hacker tools, Hijackers, Jokes, Keyloggers, NMT, P2P, Plugins, Remote access tools, Spyware, Toolbars
• When enabled, the FortiGate unit will scan for grayware any time it checks for viruses
• All grayware categories are filtered when detection is enabled
(UI option: Enable Grayware Detection)
Heuristics Scanning
  Virus-like attribute
+ Virus-like attribute
+ Virus-like attribute
= total > Heuristic threshold → Suspicious
• FortiGate unit tests for virus-like behavior
• Virus-like attributes are totaled and if the total is greater than a threshold, the file is marked as suspicious
• Use CLI command to block suspicious files
• Only examines Windows executable files
• Possibility of false positives
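The slide describes the heuristic scoring idea without showing it; the added example below is a toy implementation written for this transcript, not FortiGate's heuristic engine. It restricts scanning to Windows executables by checking the MZ/PE headers, tallies a few constructed "virus-like attributes" (packer section name, high byte entropy, a process-injection API pair) and marks the file suspicious only when the tally exceeds an assumed threshold. The sample inputs are constructed PE-shaped blobs, not real programs, and the threshold value of 2 is an assumption for the model.

```python
"""Toy heuristic scanner: attribute tally vs threshold.

Constructed illustration, not FortiGate's heuristics. The attribute
checks are deliberately simple; a real engine uses many more and
different indicators, which is also where false positives come from.
"""
import math
import struct
from typing import Dict, List

HEURISTIC_THRESHOLD = 2  # assumed: more than 2 attributes => suspicious


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0); packed/encrypted data is near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_windows_executable(data: bytes) -> bool:
    """PE files start with 'MZ' and have 'PE\\0\\0' at the offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def virus_like_attributes(data: bytes) -> List[str]:
    """Constructed indicator checks; each hit counts as one attribute."""
    found = []
    if b"UPX0" in data or b"UPX1" in data:
        found.append("packer section name")
    if shannon_entropy(data[0x44:]) > 7.0:
        found.append("high-entropy body")
    if b"WriteProcessMemory" in data and b"CreateRemoteThread" in data:
        found.append("process-injection API pair")
    return found


def heuristic_verdict(data: bytes, threshold: int = HEURISTIC_THRESHOLD) -> Dict:
    """Only Windows executables are examined; others are passed untouched."""
    if not is_windows_executable(data):
        return {"scanned": False, "suspicious": False, "attributes": []}
    attrs = virus_like_attributes(data)
    return {"scanned": True, "suspicious": len(attrs) > threshold, "attributes": attrs}


def make_pe_like(payload: bytes) -> bytes:
    """Minimal MZ/PE-shaped container around a payload (not a loadable PE)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    return bytes(header) + b"PE\x00\x00" + payload


# Constructed samples
def sample_suspicious() -> bytes:
    """All three attributes: packer name, API pair and a uniform (entropy 8) body."""
    return make_pe_like(b"UPX0\0WriteProcessMemory\0CreateRemoteThread\0" + bytes(range(256)) * 8)


def sample_packed_only() -> bytes:
    """Two attributes only: a packed, high-entropy but otherwise quiet file stays below threshold."""
    return make_pe_like(b"UPX0\0" + bytes(range(256)) * 8)


def sample_clean() -> bytes:
    """No attributes: low-entropy body, no packer name, no API pair."""
    return make_pe_like(b"This program cannot be run in DOS mode.\0" + b"\0" * 1000)


if __name__ == "__main__":
    for name, blob in [("suspicious", sample_suspicious()), ("packed only", sample_packed_only()),
                       ("clean", sample_clean()), ("text file", b"just a text document")]:
        print(name, heuristic_verdict(blob))
```

Lowering the threshold catches the packed-only sample too, which is exactly the false-positive risk the slide warns about: legitimately packed software shares several of these attributes with malware.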
Quarantine
(Diagram: quarantine destinations are the FortiAnalyzer device or the local hard drive)
• Infected, blocked or suspicious files can be quarantined to the hard drive on the FortiGate unit or to the FortiAnalyzer device
• Files are quarantined based on their protocol
• Information regarding quarantined files is displayed in the logs
Antivirus Profiles
(Diagram: antivirus profile "Class_Scan" applied to a firewall policy)
• Enable antivirus operations on a protocol-by-protocol basis in the antivirus profile
• The profile is in turn applied to a firewall policy
• Any traffic being examined by the policy will have the antivirus operations applied to it
• Scanning of secure traffic available on certain models
Labs
• Lab - Antivirus Scanning
• Enabling FortiGuard Subscription Services and updates
• Configuring Global Antivirus Settings
• Testing Virus Scanning for HTTP
• Inspecting HTTPS traffic