Skip to main content
opetr_FTNT
Staff
opetr_FTNT
Staff
September 28, 2015

Technical Tip: How to bypass antivirus and content filter check for specific senders

  • September 28, 2015
  • 0 replies
  • 9372 views

Description

 

This article describes the AntiSpam or/and Content filter check bypass for a sender by the new Recipient policy that does not have the AntiSpam or/and Content filter applied.

It should be noted that the safelist does not cancel antivirus and content filter checking. This is expected behavior. The safelist cancels only antispam checks against the received email, antivirus and content filtering will still take place.


Scope

 

FortiMail 7.6.x, 7.4.x, 7.2.x.


Solution

 

It is possible to skip antivirus/content filtering for specific users/domains by creating specific recipient policies (Policy -> Policies -> Recipient Policies) with those users/domains in the sender pattern.

GUI configuration:
Go to Policy -> Policies -> Recipient Policies and select 'New'.
NEW1.png

Configure the sender, then set 'antivirus' and 'content' to 'None', indicating that no profiles are assigned.
user2.png

Switch to the Domain. Select the policy and use Move and Up (or other) to move the new, specific, policy on top of the rulebase.
move3.png

The result should be similar to the following screenshot:
look4.png

Configuration CLI:
 
config domain
    edit <domain_name>
        config policy recipient

            edit 0
                set status enable
                set sender-name no-AV
                set sender-domain out.lab
                set profile-antispam AS_Inbound
                set profile-resource Res_Default
    next
end

 

(recipient) # get
== [ 1 ] 2024-10-25 12:45:10
status: enable direction: incoming sender-type: user sender-name: * sender-domain: * recipient-type: user recipient-name: * recipient-domain: in.lab profile-antispam: AS_Inbound profile-content: CF_Inbound profile-dlp: test profile-antivirus: AV_Discard profile-resource: Res_Default profile-auth-type: none pkiauth: disable pkiuser: comment:
== [ 2 ] 2024-10-23 13:23:23
status: enable direction: incoming sender-type: user sender-name: no-AV sender-domain: out.lab recipient-type: user recipient-name: * recipient-domain: in.lab profile-antispam: AS_Inbound profile-content: profile-dlp: profile-antivirus: profile-resource: Res_Default profile-auth-type: none pkiauth: disable pkiuser: comment:Technical Tip: How to bypass antivirus and content filter check for specific senders

move 2 before 1 #<-- 2 and 1 needs to be changed according to the get output

(recipient) # get
== [ 2 ] 2024-10-23 13:23:23
status: enable direction: incoming sender-type: user sender-name: no-AV sender-domain: out.lab recipient-type: user recipient-name: * recipient-domain: in.lab profile-antispam: AS_Inbound profile-content: profile-dlp: profile-antivirus: profile-resource: Res_Default profile-auth-type: none pkiauth: disable pkiuser: comment:
== [ 1 ] 2024-10-25 12:45:10
status: enable direction: incoming sender-type: user sender-name: * sender-domain: * recipient-type: user recipient-name: * recipient-domain: in.lab profile-antispam: AS_Inbound profile-content: CF_Inbound profile-dlp: test profile-antivirus: AV_Discard profile-resource: Res_Default profile-auth-type: none pkiauth: disable pkiuser: comment:


Verification of Configuration and Troubleshooting:
Send an email, which was previously blocked by the antivirus/content profile, from the user that has been specified and checks if the email is delivered.

It should also be possible to verify that the correct policy id is matched:
check5.png

The 'Policy IDs' are in the format Access Control: IP Policy: Recipient Policy.
In the screenshot, the recipient policy id is 2, which is the specific policy created in the example.
 
Related article:
Terms & ConditionsAccessibility statement