February 19, 2008

Technical Tip: Oversize function for the AntiVirus Scan threshold considerations

Description

This article describes the oversize-limit function of the antivirus scanner and the considerations that go into choosing the scan size threshold.

Scope

FortiGate.

Solution

The oversize threshold limits the size of the files the FortiGate buffers in memory for antivirus scanning. A file whose size exceeds the threshold is not scanned: depending on the oversize action configured for the protocol, the unit either passes the file through unscanned or blocks it. "Pass" means the file reaches the client uninspected, so the action should be chosen deliberately rather than left at whatever happens to be configured.

 

How the oversize function works:

Stage                 Action
File size check       The antivirus engine compares the file size against the configured oversize threshold.
Threshold exceeded    The file is not deep-scanned (signature, heuristic and sandbox analysis are skipped); the configured oversize action, pass or block, applies instead.
Fallback actions      Optional: log, quarantine, allow with a warning, or apply an alternative policy.

 

To set the threshold in the protocol options profile (the setting is per protocol, so repeat it under each service, such as http, ftp, imap, pop3 or smtp, that should use it):

config firewall profile-protocol-options
    edit <profile>
        config <service>
            set oversize-limit ?
            <value>    maximum scannable file size (min: 1 MB, max: 270 MB)
        end
    next
end

The maximum shown here (270 MB) comes from a FortiGate model with a total of 2700 MB of RAM; the upper bound is tied to the unit's memory, so the "?" output on other models shows a different maximum.

 

HTTP compression (signalled with the Content-Encoding header, typically gzip, deflate or compress) shrinks the response body on the wire. Depending on the type of data, the compressed body can be as small as 1/4 of the original size.

A file that is larger than the oversize threshold can therefore arrive compressed at a size well below it, and, judged on its compressed size alone, would slip under the threshold. To prevent such encoded files from getting through, the FortiGate applies a threshold of 1/3 of the configured value to Content-Encoding responses: a compressed body larger than one third of oversize-limit is treated as oversize, because it could expand past the limit once decoded. When sizing the threshold, check it against the compressed size of the largest legitimate downloads as well as their uncompressed size.
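The following is an added example, not code from the Fortinet article or from FortiOS itself: a small Python model of the decision described above, so the two rules (the configured limit for plain bodies, one third of it for Content-Encoding bodies, then pass or block) can be exercised against constructed HTTP response heads. The 10%-of-RAM maximum is inferred from the 2700 MB / 270 MB figures in the article, the use of the declared Content-Length as the size being compared, and the "size-unknown" result for a chunked response are assumptions of this model, and the class and function names are hypothetical.

```python
# Added example (not from the Fortinet article): a model of the oversize-limit
# decision. Assumptions: the limit's maximum is 10% of RAM (inferred from the
# article's 2700 MB / 270 MB figures), the size compared is the declared
# Content-Length, and a body with no declared size is reported as size-unknown.
from dataclasses import dataclass

MB = 1024 * 1024
COMPRESSED_ENCODINGS = {"gzip", "x-gzip", "deflate", "compress", "x-compress"}


def max_oversize_limit_mb(ram_mb: int) -> int:
    """Upper bound of 'set oversize-limit' for a unit with ram_mb of RAM (inferred 10%)."""
    return ram_mb // 10


@dataclass
class ProtocolOptions:
    """The two settings that matter here: the threshold and the oversize action."""
    oversize_limit_mb: int
    block_oversize: bool = True      # True: block oversize files; False: pass them unscanned
    ram_mb: int = 2700               # the model used in the article

    def __post_init__(self) -> None:
        top = max_oversize_limit_mb(self.ram_mb)
        if not 1 <= self.oversize_limit_mb <= top:
            raise ValueError(f"oversize-limit must be 1..{top} MB on a {self.ram_mb} MB unit")


def parse_headers(raw: bytes) -> dict:
    """Parse a raw HTTP response head (status line + headers) into a lower-cased dict."""
    headers = {}
    for line in raw.split(b"\r\n")[1:]:   # element 0 is the status line
        if not line:
            break                          # blank line ends the header block
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def effective_limit_bytes(opts: ProtocolOptions, headers: dict) -> int:
    """Threshold actually applied: the full limit, or 1/3 of it for compressed bodies."""
    limit = opts.oversize_limit_mb * MB
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding in COMPRESSED_ENCODINGS:
        return limit // 3                  # the article's rule for Content-Encoding bodies
    return limit


def decide(opts: ProtocolOptions, raw_head: bytes) -> str:
    """Return 'scan', 'block', 'pass-unscanned' or 'size-unknown' for one response."""
    headers = parse_headers(raw_head)
    if "content-length" not in headers:
        return "size-unknown"              # model assumption: chunked bodies not modelled
    declared = int(headers["content-length"])
    if declared > effective_limit_bytes(opts, headers):
        return "block" if opts.block_oversize else "pass-unscanned"
    return "scan"


# Constructed sample response heads (not captured traffic).
PLAIN_8MB = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
             b"Content-Length: 8388608\r\n\r\n")
PLAIN_12MB = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
              b"Content-Length: 12582912\r\n\r\n")
GZIP_4MB = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Encoding: gzip\r\nContent-Length: 4194304\r\n\r\n")
CHUNKED = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"


def demo() -> dict:
    """Run the samples against a 10 MB limit, once with block and once with pass."""
    blocking = ProtocolOptions(oversize_limit_mb=10, block_oversize=True)
    passing = ProtocolOptions(oversize_limit_mb=10, block_oversize=False)
    return {
        "plain_8mb": decide(blocking, PLAIN_8MB),       # under the limit -> scan
        "plain_12mb": decide(blocking, PLAIN_12MB),     # over the limit -> block
        "gzip_4mb": decide(blocking, GZIP_4MB),         # 4 MB > 10/3 MB -> block
        "gzip_4mb_pass": decide(passing, GZIP_4MB),     # same size, pass action
        "chunked": decide(blocking, CHUNKED),           # no declared size
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The gzip case is the one worth noticing: a 4 MB compressed download is under a 10 MB limit on the wire, yet it is treated as oversize because it could decode to more than 10 MB. If such downloads are legitimate and common, the threshold has to be raised to at least three times their compressed size, or they will be blocked (or, with the pass action, delivered without a scan).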