Troubleshooting Tip: Same hash value for multiple Word documents
| Description | This article describes a behavior where FortiGate blocks multiple Word documents because all the documents have the same hash value. |
| Scope | FortiGate is configured with a malware external hash feed to block files through the antivirus profile |
| Solution | The user configures an external hash feed to block files through the antivirus profile, as explained in the following guideline:
In the logs, the user then starts seeing that multiple Word documents are being blocked because of the same file hash value:
date=2023-02-03 time=15:42:41 eventtime=1675467761491047388 tz="-0800" logid="0207008212" type="utm" subtype="virus" eventtype="malware-list" level="warning" vd="root" policyid=1 poluuid="e8b310ba-914f-51ed-9014-7b2a116f29ad" policytype="policy" msg="Blocked by local malware list." action="blocked" service="HTTP" sessionid=293915 srcip=172.20.120.13 dstip=192.168.10.13 srcport=53515 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="wan" srcuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" dstuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" proto=6 direction="incoming" filename="test.word" quarskip="Quarantine-disabled" virus="a1a74a39788854b75d454dc9c83c612b" viruscat="File Hash" dtype="external-blocklist" filehash="e19238d7a71fa7a2490776252686f70e2de6238c87cd509b5e3a3cc07c2ea4df" filehashsrc="AWS_Malware_Hash" url="http://192.168.10.13/test.jpg" profile="default" agent="curl/7.55.1" httpmethod="GET" analyticssubmit="false" crscore=10 craction=2 crlevel="medium"
date=2023-02-03 time=15:42:41 eventtime=1675467761491047388 tz="-0800" logid="0207008212" type="utm" subtype="virus" eventtype="malware-list" level="warning" vd="root" policyid=1 poluuid="e8b310ba-914f-51ed-9014-7b2a116f29ad" policytype="policy" msg="Blocked by local malware list." action="blocked" service="HTTP" sessionid=293915 srcip=172.20.120.13 dstip=192.168.10.13 srcport=53515 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="wan" srcuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" dstuuid="3342cb44-9140-51ed-5dbe-8e0787bedeec" proto=6 direction="incoming" filename="test100.word" quarskip="Quarantine-disabled" virus="a1a74a39788854b75d454dc9c83c612b" viruscat="File Hash" dtype="external-blocklist" filehash="e19238d7a71fa7a2490776252686f70e2de6238c87cd509b5e3a3cc07c2ea4df" filehashsrc="AWS_Malware_Hash" url="http://192.168.10.13/test.jpg" profile="default" agent="curl/7.55.1" httpmethod="GET" analyticssubmit="false" crscore=10 craction=2 crlevel="medium"
Explanation: A Word document (.docx) is not a single flat file but a ZIP archive containing multiple XML parts (the Office Open XML package format). To inspect the parts inside a Word file, open the document with an archive tool such as 7-Zip.
Inside the _rels folder is an XML part named .rels (the package relationships part). Computing the SHA-256 hash of this part with a hash calculator gives e19238d7a71fa7a2490776252686f70e2de6238c87cd509b5e3a3cc07c2ea4df, the same value reported in the filehash field of the logs above, even though the filename field names the Word document. This shows that the hash being matched against the feed is that of a file extracted from inside the archive, not of the Word document itself.
If this hash value is included in the malware external hash feed, FortiGate blocks every Word document that contains a byte-for-byte identical .rels part. Since this part is boilerplate that typically does not vary between documents, that means most Word documents. Before adding a hash to the feed, confirm that it belongs to the complete malicious file and not to a common component inside it or to a part that benign documents also contain. |
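The following script is an added example, not code from the original article or from Fortinet. It builds two constructed minimal .docx-style archives that differ in body text but share the same _rels/.rels part, hashes the container and every member the way the logs above indicate the engine does (an assumption about the engine, inferred from the filehash field matching the inner part), and shows that a feed entry for the .rels hash hits both documents. The audit_feed function is a pre-deployment check: run the feed against a handful of known-good documents and any entry that matches a part of a benign file should be removed from the feed.

```python
import hashlib
import io
import zipfile

# Constructed sample: a package relationships part of the kind Word writes to
# _rels/.rels. Real documents carry more relationships and many more parts;
# this minimal content is enough to show the collision.
RELS_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    b'<Relationship Id="rId1" '
    b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
    b'Target="word/document.xml"/>'
    b'</Relationships>'
)

WHOLE_FILE = "<whole file>"  # label used for a hit on the container itself


def build_docx(body_text: str) -> bytes:
    """Return a constructed two-part .docx-style ZIP with the given body text.
    A fixed timestamp keeps the container bytes reproducible across runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in (
            ("_rels/.rels", RELS_XML),
            ("word/document.xml",
             f"<w:document><w:body><w:p><w:r><w:t>{body_text}</w:t></w:r>"
             f"</w:p></w:body></w:document>".encode()),
        ):
            info = zipfile.ZipInfo(name, date_time=(2023, 2, 3, 15, 42, 40))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def member_hashes(docx: bytes) -> dict:
    """SHA-256 of every archive member (uncompressed content), keyed by member name."""
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        return {name: sha256(zf.read(name)) for name in zf.namelist()}


def feed_matches(docx: bytes, feed: set) -> list:
    """Emulate a scanner that hashes the container and each extracted member.
    Returns the (name, hash) pairs that hit the feed, container first.
    That the engine hashes extracted members is assumed here, based on the
    filehash field in the article's logs matching the _rels/.rels part."""
    hits = []
    whole = sha256(docx)
    if whole in feed:
        hits.append((WHOLE_FILE, whole))
    for name, h in member_hashes(docx).items():
        if h in feed:
            hits.append((name, h))
    return hits


def audit_feed(feed: set, benign_samples: list) -> dict:
    """Pre-deployment check: map each feed hash to the (sample index, part name)
    pairs where it matches a known-good document. A hash that appears here
    would block benign traffic and should not be loaded into the feed."""
    report = {}
    for idx, sample in enumerate(benign_samples):
        for name, h in feed_matches(sample, feed):
            report.setdefault(h, []).append((idx, name))
    return report


if __name__ == "__main__":
    doc_a = build_docx("quarterly report")
    doc_b = build_docx("meeting notes")
    rels_hash = member_hashes(doc_a)["_rels/.rels"]
    feed = {rels_hash}
    print("whole-file hashes differ:", sha256(doc_a) != sha256(doc_b))
    for label, doc in (("doc_a", doc_a), ("doc_b", doc_b)):
        print(label, "hits:", feed_matches(doc, feed))
    print("audit:", audit_feed(feed, [doc_a, doc_b]))
```

The same audit applies to any container format the engine unpacks (ZIP, other Office formats): a hash taken from inside an archive is only a safe blocklist entry if the inner part is itself unique to the malicious sample.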
