FortiGate
mzainuddinahm
Article Id 197291

Description

 

This article describes the external malware block list, a feature introduced in FortiOS 6.2.0 that falls under the umbrella of outbreak prevention.
The feature supplements the AntiVirus database by letting administrators supply their own malware signatures as MD5, SHA1 or SHA256 hashes.
The AntiVirus engine retrieves the hash list from a remote web server and polls it for updates at a configurable interval (the resource's refresh rate, in minutes).

Support and limitations.
Malware detection using the external malware block list works in both proxy-based and flow-based inspection.
As with FortiGuard outbreak prevention, the external malware block list is not supported in AV quick scan mode.

Mixing hash types in one list slows down malware scanning.
For this reason, use a single hash type per list (MD5, SHA1 or SHA256) rather than all three at once.

This article describes this feature.

 

Scope

 

FortiGate.

Solution

 

Network topology example (diagram not reproduced): a FortiGate that retrieves the hash list from a web server over HTTP.

 
  1. Configuring the feature.

To configure the antivirus to work with an external block list:

Create the malware hash list:

The malware hash list follows a strict format; entries that do not follow it are flagged as invalid. Each signature goes on its own line: the hex digest, then at least one space or tab, then an optional description. Lines starting with # are comments. A valid list looks like this:

    # MD5 Entry with hash description
    aa67243f746e5d76f68ec809355ec234  md5_sample1
    # SHA1 Entry with hash description
    a57983cb39e25ab80d7d3dc05695dd0ee0e49766  sha1_sample2
    # SHA256 Entry with hash description
    ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379  sha256_sample1
    # Entry without hash description
    0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521
    # Invalid entries
    7688499dc71b932feb126347289c0b8a_md5_sample2
    7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3

The last two entries are invalid because the description is joined to the digest with an underscore, or with no separator at all, instead of whitespace.

 
If the hashes are to be taken from local files, certutil on Windows is a simple way to obtain them. Open a command prompt and run the command that matches the hash type used in the list:
 
    certutil -hashfile "filename.exe" SHA1
    certutil -hashfile "filename.exe" SHA256
    certutil -hashfile "filename.exe" md5
 
certutil prints a header line naming the algorithm and file, the hex digest on the next line, and then a completion message; copy only the digest line into the list. Older Windows versions print the digest with a space between each pair of hex characters, and those spaces must be removed or the entry is invalid.
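The following script is an added example, not part of the original article or of any Fortinet tool. It builds and validates a hash list according to the format rules stated above (one hex digest per line, whitespace before an optional description, # comment lines) and computes digests for local files as an alternative to certutil. It also strips the per-byte spaces older certutil versions print, and reports when a list mixes hash types. The sample list embedded in it is constructed from the article's own example entries; the FortiGate's parser remains authoritative, this only mirrors the rules the article gives.

```python
"""Build and validate a FortiGate external malware hash list.

Added example, not part of the original article. It encodes the list
format described above (one hex digest per line, at least one space or tab
before an optional description, '#' comment lines) and computes digests
for local files. The FortiGate's own parser is authoritative; this script
only mirrors the rules the article states.
"""
import hashlib
import re

# Accepted digest lengths in hex characters, mapped to the algorithm name.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# A digest, then an optional whitespace-separated description; nothing else.
ENTRY_RE = re.compile(r"^([0-9a-fA-F]+)(?:\s+(\S.*))?$")


def parse_hash_list(text):
    """Split a list into valid entries and invalid lines.

    Returns (entries, invalid): entries is a list of (algo, digest, description)
    tuples with the digest lower-cased; invalid is a list of (line_no, raw_line).
    Blank lines and '#' comment lines are skipped.
    """
    entries, invalid = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        algo = HASH_LENGTHS.get(len(m.group(1))) if m else None
        if algo is None:
            # Wrong digest length, non-hex characters, or a description glued
            # to the digest (underscore or no separator), as in the article.
            invalid.append((line_no, raw))
            continue
        entries.append((algo, m.group(1).lower(), m.group(2) or ""))
    return entries, invalid


def hash_types(entries):
    """Distinct hash types present; more than one slows down scanning."""
    return sorted({algo for algo, _, _ in entries})


def normalize_digest(raw_digest):
    """Remove the spaces certutil inserts between bytes on older Windows."""
    return raw_digest.replace(" ", "").strip().lower()


def digest_entry(data, algo="sha256", description=""):
    """Return one correctly formatted list line for in-memory data."""
    if algo not in HASH_LENGTHS.values():
        raise ValueError(f"unsupported hash type: {algo}")
    digest = hashlib.new(algo, data).hexdigest()
    return f"{digest}  {description}".rstrip()


def file_entry(path, algo="sha256", description=None):
    """Hash a local file and return its list line; description defaults to the path."""
    with open(path, "rb") as f:
        data = f.read()
    return digest_entry(data, algo, path if description is None else description)


# Constructed sample: the article's example entries, including the two
# invalid ones at the end.
SAMPLE_LIST = """\
# MD5 Entry with hash description
aa67243f746e5d76f68ec809355ec234  md5_sample1
# SHA1 Entry with hash description
a57983cb39e25ab80d7d3dc05695dd0ee0e49766  sha1_sample2
# SHA256 Entry with hash description
ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379  sha256_sample1
# Entry without hash description
0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521
# Invalid entries
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3
"""

if __name__ == "__main__":
    good, bad = parse_hash_list(SAMPLE_LIST)
    print(f"{len(good)} valid entries, hash types: {hash_types(good)}")
    for line_no, raw in bad:
        print(f"invalid line {line_no}: {raw}")
    if len(hash_types(good)) > 1:
        print("warning: mixed hash types slow down scanning; use one type per list")
    # A digest pasted from an older certutil, with its per-byte spaces removed.
    print(parse_hash_list(normalize_digest("d4 1d 8c d9 8f 00 b2 04 e9 80 09 98 ec f8 42 7e") + "  empty.exe"))
    print(digest_entry(b"example payload", "sha256", "sample.exe"))
```

Run it against the list file before publishing it on the web server: any line reported as invalid is one the FortiGate will also show under View Entries as invalid, and the mixed-type warning corresponds to the performance limitation noted above.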
 
Configure the external malware block list source:

  1. Go to Global -> Security Fabric -> Fabric Connectors and select 'Create New'.
  2. Select 'Malware Hash'.
 
 
 
  3. Add the details of the malware hash file external resource (name, URL of the list file and refresh rate).
  4. Select 'View Entries' and confirm there are no invalid entries; any line shown as invalid must be corrected in the source file.
  5. In the AntiVirus security profile applied to the policy, enable 'Use External Malware Block List' to turn on detection against the list.
  6. The message 'Malware Hash Threat Feed is not found or enabled' may appear when enabling this toggle.
  7. Make sure the threat feed is enabled and select the refresh button; a small green arrow should appear next to the feed once it has been fetched successfully.
  8. If the message still appears, check the resource type from the CLI:

    config system external-resource
        edit "hash_list"
            set status enable
            set type category
            set resource "http://1.1.1.1/test.txt"
            set refresh-rate 5
            set source-ip 0.0.0.0
            set interface-select-method auto
        next
    end
 
For a malware hash feed the type must be 'malware'. Here it is 'category' (a web filter category feed), which the AntiVirus profile cannot use. The type cannot be changed from the GUI, nor after the threat feed has been created, so a resource with the wrong type has to be deleted and created again with the correct type from the CLI.
 
If newly added hashes do not show up under 'View Entries' on the FortiGate, check that view for invalid entries, remove the invalid lines from the hash file on the server, then add the new entries and confirm they appear in the entry list.
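The corrected resource definition, as an added example that is not from the original article: it removes the mistyped 'hash_list' resource shown above and re-creates it with the malware type. The name and URL are the placeholders used on this page, and the delete step assumes the old resource is not still referenced by a profile, since FortiOS refuses to delete an object that is in use.

```text
config system external-resource
    delete "hash_list"
end

config system external-resource
    edit "hash_list"
        set status enable
        set type malware
        set resource "http://1.1.1.1/test.txt"
        set refresh-rate 5
    next
end
```

The refresh-rate is in minutes. Because the FortiGate fetches the list without authentication, host it on a server under your control and prefer an https:// URL where the server supports it, so the list cannot be altered on the way to the firewall.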