FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 197291



This article describes that the external malware block list is a new feature introduced in FortiOS 6.2.0, which falls under the umbrella of outbreak prevention.
This feature provides another means of supporting the Antivirus Database by allowing users to add their own malware signatures in the form of MD5, SHA1, and SHA256 hashes.
This feature provides a mechanism for antivirus to retrieve an external malware hash list from a remote server and polls the hash list every minute for updates.

Support and limitations.

Malware detection using the external malware block list can be used in both proxy-based and flow-based policy inspections.
Just like FortiGuard outbreak prevention, an external dynamic block list is not supported in AV quick scan mode.

Using different types of hashes simultaneously may slow down the performance of malware scanning.
For this reason, users are recommended to only use one type of hash (either MD5, SHA1, or SHA256), not all three simultaneously.

This article describes this feature.



Network topology example:

  1. Configuring the feature.

    To configure the antivirus to work with an external block list:

    Create the malware hash list:

    The malware hash list follows a strict format in order for its contents to be valid. Malware hash signature entries must be separated into each line. A valid signature needs to follow the format below:

    MD5 Entry with hash description
    aa67243f746e5d76f68ec809355ec234  md5_sample1# SHA1 Entry with hash description
    a57983cb39e25ab80d7d3dc05695dd0ee0e49766  sha1_sample2

    SHA256 Entry with hash description
    ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379  sha256_sample1

    Entry without hash description

    Invalid entries
If it is desired to use a local list, here is a simple method to locate the hash file for the files:
Open a cmd windows and run the following commands to identify the hash:
certutil -hashfile "filename.exe" SHA1
certutil -hashfile "filename.exe" SHA256
certutil -hashfile "filename.exe" md5
Output will be like this:
Screenshot 2023-11-13 102103.png
Configure the external malware block list source:

  1. Go to Global -> Security Fabric -> Fabric Connectors and select 'Create New'.

  2. Select 'Malware Hash'.
  1. Add the details of the Malware hash file external resource:
  2. Select View Entries to make sure there are no Invalid Entries, and if so,  they must be corrected.
  3. Enable the 'Use External Malware Block List' in the configured AntiVirus security profile to enable the list detection.

  4. A message 'Malware Hash Threat Feed is not found or enabled' could appear when enabling this toggle.
  5. Make sure the threat feed is in enabled mode and select the refresh button, a small green arrow should appear.

  6. If the message still appears, check the type:

    config system external-resource
        edit "hash_list"
            set status enable
            set type category 
            set resource ""
            set refresh-rate 5
            set source-ip
            set interface-select-method auto

    The type should be 'malware', if it is in another one then it will be necessary to create the list using CLI as the type cannot be changed from GUI nor it can be changed after the threat feed is already created.