ZupportIT
New Member
March 27, 2014
Question

Oversize virus

  • March 27, 2014
  • 4 replies
  • 12503 views
Hi, we keep getting a message about a virus called "oversize" in the daily reports. Does anyone know if it's actually a virus or a file that is oversized?

    4 replies

    Dipen
    New Member
    April 30, 2014
    "Oversize" file blocking is a functionality of DLP UTM, not Antivirus. Please have a look at your report again to see whether the blocking is done by "DLP" filters or "Antivirus" filters. If the blocking is by a DLP filter, it is indeed a case of an oversized file and not a virus. Also, some large files cannot be scanned by Antivirus filters.
    Sean_Toomey_FTNT
    Staff
    August 4, 2014
    Actually, that is incorrect. It can be a function of AV. In proxy mode, the file size limit is 10 MB uncompressed, or 12 MB compressed (zip, rar, etc.). The reason is that it takes significant CPU to process this file in proxy mode. You have various settings where you can change the defaults, but be aware that doing so may impact performance, especially on smaller boxes, and most viruses are smaller in size so that there is a higher success rate of download without being noticed or interrupted. Increasing the size therefore may not result in much returned, just higher utilization of the system.

    You will see these options, which are per protocol: config antivirus service xxxx, where xxxx is a specific protocol like the http example below. There are about a dozen of these.

        config antivirus service "http"
            set uncompsizelimit 10
            set uncompnestlimit 12
            set scan-bzip2 disable
        end

    All that said, in FortiOS 5.2 there are significant enhancements to flow AntiVirus, and it is now as effective (or nearly so) as proxy mode. Flow mode takes far less resources and there is no size limit to files, and it doesn't have to proxy the connection, so fewer moving parts = less chance for things to go wrong. It's a win/win, so I would recommend you check it out.

    If you keep proxy mode, you will get that kind of message each time the file size is too large to scan, namely because it was a logging requirement for many customers that we log whenever we cannot scan a file. You can safely ignore these or configure your syslog / FAZ to ignore these messages. Cheers!
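The two replies above boil down to one practical check: look at which UTM filter produced the "oversize" entry (DLP vs. Antivirus) and, for Antivirus, whether it is a real detection or a file the scanner skipped as too large. The script below is an added example written for this page, not code from the thread or from Fortinet. It parses FortiGate-style key=value syslog lines and sorts them into those buckets; the field names (type, subtype, eventtype, action, service, filename, filesize) follow the FortiGate key=value convention, but the sample lines and their exact values are constructed for illustration and are assumptions, not output captured from a device.

```python
"""Sort FortiGate UTM log lines into: real virus detection, AV 'oversize'
(file too large to scan), DLP file block, or something else entirely.

Added example for this forum thread; field names are assumed to follow the
FortiGate key=value syslog convention, and the sample lines are constructed.
"""
import re
from collections import Counter

# key=value pairs; the value is either double-quoted or a bare token
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines (not real device output).
SAMPLE_LOGS = [
    'date=2014-03-27 time=08:12:01 type="utm" subtype="virus" eventtype="oversize" '
    'level="warning" action="passthrough" service="HTTP" filename="iso-image.zip" '
    'filesize=45678901 msg="File exceeded size limit."',
    'date=2014-03-27 time=08:13:45 type="utm" subtype="virus" eventtype="infected" '
    'level="warning" action="blocked" service="HTTP" filename="invoice.exe" '
    'virus="EICAR_TEST_FILE" msg="File is infected."',
    'date=2014-03-27 time=08:15:10 type="utm" subtype="dlp" eventtype="dlp" '
    'level="notice" action="block" service="SMTP" filename="backup.tar" '
    'filesize=120000000 msg="data leak detected(Data Leak Prevention Rule matched)"',
    'date=2014-03-27 time=08:16:00 type="traffic" subtype="forward" action="accept" '
    'service="HTTPS"',
]


def parse_fortigate_line(line):
    """Parse one key=value syslog line into a dict of field -> string value."""
    # findall yields (key, quoted_value, bare_value); exactly one of the two
    # value groups is non-empty for each pair.
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def classify(fields):
    """Return 'virus', 'av-oversize', 'av-other', 'dlp' or 'other' for one record."""
    if fields.get("type") != "utm":
        return "other"
    subtype = fields.get("subtype")
    eventtype = fields.get("eventtype")
    if subtype == "virus":
        # Antivirus filter: distinguish a detection from a skipped oversize file
        if eventtype == "oversize":
            return "av-oversize"
        if eventtype == "infected":
            return "virus"
        return "av-other"
    if subtype == "dlp":
        # DLP filter: an oversize block here is a size rule, not a virus
        return "dlp"
    return "other"


def summarize(lines):
    """Count each category and list oversize files that were passed through
    unscanned (action=passthrough), which is the case worth a second look."""
    counts = Counter()
    unscanned = []
    for line in lines:
        fields = parse_fortigate_line(line)
        category = classify(fields)
        counts[category] += 1
        if category == "av-oversize" and fields.get("action") == "passthrough":
            unscanned.append(
                (fields.get("service"), fields.get("filename"), fields.get("filesize"))
            )
    return counts, unscanned


if __name__ == "__main__":
    totals, skipped = summarize(SAMPLE_LOGS)
    for category, n in sorted(totals.items()):
        print(f"{category:12s} {n}")
    for service, name, size in skipped:
        print(f"unscanned oversize file via {service}: {name} ({size} bytes)")
```

The "av-oversize" bucket is the one the original poster is seeing: the Antivirus engine logged that it could not scan the file, so the entry is not a detection. The action field tells you whether that unscanned file was blocked or passed through, which is the detail worth checking before deciding to filter these messages out of the daily report.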
    ede_pfau
    SuperUser
    August 4, 2014

    Where is the size limit for compressed files documented? The CLI Reference only states a size limit for uncompressed files, which depends on the amount of RAM built in (i.e. model dependent). IIRC it is around 10%, so on a 60B with 256 MB RAM it's 24 MB and on an 80C with 1 GB RAM it's 139 MB (checked). IMHO there is no limit for compressed data: the FGT will unpack it and then apply the size limit for uncompressed data. And as mentioned in another post (https://forum.fortinet.com/FindPost/111811), archives cannot be scanned in flow mode. You have to buffer the complete file in order to get the file directory and other internal metadata, and this is exactly what proxy mode does.

    Sean_Toomey_FTNT
    Staff
    August 4, 2014
    Hi Ede, as of FortiOS 5.2, flow mode can indeed scan archives and can buffer data. In another post I cited references, and it has been confirmed internally. The two limits are uncompressed and uncompressed when nested, to correct what I put above; not enough sleep on that one. The file size is relevant more to proxy mode, but the default of 10 MB uncompressed and 12 MB nested uncompressed means the compressed file would be smaller still than either value. As you correctly pointed out on the other post, almost all known malicious files are 3 MB or less in size, so the existing limit is meant to go above that to ensure the greatest chance of detection in proxy mode. Cheers!