Antivirus. Module Objectives By the end of this module participants will be able to: Identify the...


Antivirus

Module Objectives

• By the end of this module participants will be able to:
  • Identify the virus scanning techniques used on the FortiGate unit
  • Identify the differences between file-based and flow-based virus scanning
  • Configure quarantine options
  • Define firewall policies using antivirus profiles
  • Update FortiGuard Services

Antivirus

• Detect and eliminate viruses, worms, trojans and spyware in real time
• Stop threats before they enter the network
• Scans HTTP and FTP traffic as well as incoming and outgoing SMTP, POP3 and IMAP email
• Internet Content Adaptation Protocol (ICAP) support
  • FortiGate acts as an ICAP client to communicate with ICAP servers that the FortiGate unit can utilize for offloading AV scanning services
  • First enable in Settings, then configure under UTM Profiles > ICAP

Antivirus Scanning Order

Diagram: scanning stages shown are file size, file name pattern (example .jpg), file type, virus scan, grayware and heuristics.

File-Based Scanning

• Antivirus proxy buffers the file as it arrives
• Once transmission is complete, the virus scanner examines the file
• Higher detection and accuracy rate

Flow-Based Scanning

• File is scanned on a packet-by-packet basis as it passes through the FortiGate unit
• Faster scanning, but lower accuracy rate
• Difficulty in catching virus variants
• Only available on certain models

Virus Scanning

Diagram: virus database options shown are Regular, Extended, Extreme and Flow-based.

FortiGuard Services

Product / FortiGuard Subscription Services Available

FortiGate: Antivirus, Antispam, Web filtering, Intrusion Prevention System, Application control, Voice
FortiAnalyzer: Vulnerability Management Service
FortiMail: Antispam, Antivirus
FortiDB: Database Security Service
FortiClient: Antivirus, Antispam, Web filtering
FortiWeb: FortiWeb Security Service
FortiScan: Vulnerability Management Service

Connecting to FortiGuard Servers

Diagram: the FortiGate unit resolves service.fortiguard.net through DNS and connects to the FortiGuard servers (FortiGuard Server 1, FortiGuard Server 2).

Grayware

Grayware categories: Adware, Browser helper objects, Dialers, Downloaders, Games, Hacker tools, Hijackers, Jokes, Keyloggers, NMT, P2P, Plugins, Remote access tools, Spyware, Toolbars

Setting shown: Enable Grayware Detection

• When enabled, the FortiGate unit will scan for grayware any time it checks for viruses
• All grayware categories are filtered when detection is enabled

Heuristics Scanning

Diagram: Virus-like attribute + Virus-like attribute + Virus-like attribute > Heuristic threshold → Suspicious

• FortiGate unit tests for virus-like behavior
• Virus-like attributes are totaled and, if greater than a threshold, the file is marked as suspicious
• Use CLI command to block suspicious files
• Only examines Windows executable files
• Possibility of false positives
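As an added example that is not part of the training deck, a small Python model of the scan order and the heuristic threshold described above: all limits, file name patterns, signatures and the attribute counts are assumed values constructed for illustration, not FortiOS code or real signature data.

```python
import re
from dataclasses import dataclass

# Toy model of the scan order on the slides: file size -> file name
# pattern -> file type -> virus scan -> grayware -> heuristics.
# Every limit, pattern and signature below is an assumption constructed
# for illustration; none of it is FortiOS code or real signature data.

@dataclass
class Sample:
    name: str
    data: bytes
    virus_like_attributes: int = 0  # assumed to be pre-computed by a static analysis pass

OVERSIZE_LIMIT = 1024                            # assumed size limit in bytes
BLOCKED_NAME_PATTERNS = [r"\.scr$", r"\.pif$"]   # assumed file name patterns
BLOCKED_FILE_TYPES = {"archive"}                 # assumed blocked file type
VIRUS_SIGNATURES = {b"CONSTRUCTED-VIRUS-SIG": "Test.Virus"}      # constructed
GRAYWARE_SIGNATURES = {b"CONSTRUCTED-ADWARE-SIG": "Adware"}     # constructed
HEURISTIC_THRESHOLD = 3                          # more attributes than this -> suspicious

def file_type(data: bytes) -> str:
    # Type is decided from magic bytes, not from the file extension.
    if data.startswith(b"MZ"):
        return "windows-executable"
    if data.startswith(b"PK\x03\x04"):
        return "archive"
    return "other"

def scan(sample: Sample) -> str:
    """Return the first verdict reached; an earlier stage short-circuits the later ones."""
    if len(sample.data) > OVERSIZE_LIMIT:
        return "oversize"
    if any(re.search(p, sample.name, re.IGNORECASE) for p in BLOCKED_NAME_PATTERNS):
        return "blocked-by-name-pattern"
    ftype = file_type(sample.data)
    if ftype in BLOCKED_FILE_TYPES:
        return f"blocked-by-type:{ftype}"
    for sig, virus_name in VIRUS_SIGNATURES.items():
        if sig in sample.data:
            return f"infected:{virus_name}"
    for sig, category in GRAYWARE_SIGNATURES.items():
        if sig in sample.data:
            return f"grayware:{category}"
    # Heuristics only examine Windows executables, as the slide states.
    if ftype == "windows-executable" and sample.virus_like_attributes > HEURISTIC_THRESHOLD:
        return "suspicious"
    return "clean"
```

Because the stages run in a fixed order, a file that matches a blocked name pattern is never signature-scanned, and a non-executable with many virus-like attributes is still reported clean by the heuristic stage.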

Quarantine

Diagram: quarantine destinations shown are FortiAnalyzer and the local hard drive.

• Infected, blocked or suspicious files can be quarantined to the hard drive on the FortiGate unit or to the FortiAnalyzer device
• Files are quarantined based on their protocol
• Information regarding quarantined files is displayed in the logs

Antivirus Profiles

Diagram: antivirus profile "Class_Scan" applied to a firewall policy.

• Enable antivirus operations on a protocol-by-protocol basis in the antivirus profile
• The profile is in turn applied to a firewall policy
• Any traffic being examined by the policy will have the antivirus operations applied to it
• Scanning of secure traffic available on certain models

Labs

• Lab - Antivirus Scanning
  • Enabling FortiGuard Subscription Services and updates
  • Configuring Global Antivirus Settings
  • Testing Virus Scanning for HTTP
  • Inspecting HTTPS traffic
