When the AV process scans unknown malware that has no definition in the AV DB, the scan may take a long time to complete and may cause the scanunitd process to crash or to consume high CPU.

Solution
This issue can be avoided by disabling Win32 emulation, as shown in the following configuration on FOS v5.2.x. The Win32 emulation scan is generally what consumes high hardware resources.
config antivirus profile
    set comment "Scan files and block viruses."
    set options scan
    set emulator disable
FortiGate AV can inspect files by emulating a Win32 environment. Emulation is not configurable on FOS v5.0.x. Flow-based AV and AV scan on FOS 5.4.x are not affected.
Win32 emulation inspects unknown files and marks them with a suspicious flag if they are regarded as not safe.
The "Advanced Threat Protection Statistics" widget in the FortiGate WebUI shows the number of "Suspicious Files", which are the files marked as suspicious by Win32 emulation.
The number of "Suspicious Files" helps to estimate suspicious file detection before and after disabling emulation.