FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description: This article describes the FortiGuard protection services in an antivirus profile.

Refer to the snapshot of the FortiGate AV profile below:

Content disarm and reconstruction (CDR):


- CDR removes exploitable content and replaces it with content that is known to be safe.

As files are processed through an enabled antivirus profile, content that is found to be malicious or unsafe is replaced with content that allows the traffic to continue, but does not put the recipient at risk.


- Content that can be scanned includes PDF and Microsoft Office files leaving the network on CDR-supported protocols (such as HTTP, SMTP, IMAP, and POP3; MAPI is not supported).

When the client tries to download the file, FortiGate removes all exploitable content in real time, then sends the original file to FortiSandbox for inspection.

The client can download the original file by logging in to the FortiSandbox.


Virus outbreak prevention:


- An additional layer of protection that keeps the network safe from newly emerging malware.

Quick virus outbreaks can infect a network before signatures can be developed to stop them.


- Outbreak protection stops these virus outbreaks until signatures become available in FortiGuard.

FortiGate must have a zero-hour virus outbreak (ZHVO) license.


- FortiGate adds hash-based virus detection for new threats that are not yet detected by the antivirus signatures.


- When the file is sent to the scanunit daemon, buffers are hashed and a request is sent to the urlfilter daemon.

After checking its request cache for known signatures, the urlfilter daemon sends an antivirus request to FortiGuard with the remaining signatures.


- FortiGuard returns a rating that is used to determine whether the scanunit daemon should report the file as harmful.

Jobs remain suspended in the scanunit daemon until the client receives a response or the request times out.


Malware block list:


- FortiGate can enhance the antivirus database by linking a dynamic external malware block list to FortiGate.

The list is hosted on a web server and is available through an HTTP/HTTPS URL defined within the Security Fabric malware hash list.


- The list can be in the form of MD5, SHA1, and SHA256 hashes, written one per line in a plaintext file.


- The malware block list can be defined as a Security Fabric connector and configured to pull the list dynamically by setting the refresh rate.
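As an added example (not Fortinet's code and not FortiGate's own list parser), the following Python validates a malware hash list before it is published on the web server that FortiGate pulls from, rejecting lines that are not a bare MD5/SHA1/SHA256 hex digest, and then checks a file body against the accepted entries. The sample list and file bytes are constructed, and skipping blank lines is an assumption of this validator.

```python
import hashlib
import re

# Digest lengths (hex characters) the list may contain: MD5, SHA1, SHA256.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_hash_list(text):
    """Parse a plaintext block list with one hash per line.

    Returns (accepted, rejected): accepted maps each lowercased hash to its
    type; rejected lists (line_no, line) entries that are not a plain
    MD5/SHA1/SHA256 hex digest. Blank lines are skipped (an assumption).
    """
    accepted, rejected = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        kind = HASH_TYPES.get(len(line))
        if kind is None or not HEX_RE.match(line):
            rejected.append((line_no, raw))
            continue
        accepted[line.lower()] = kind
    return accepted, rejected


def file_digests(data):
    """All three digests of a file body, since any of them may be listed."""
    return {name: getattr(hashlib, name)(data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def block_list_match(data, accepted):
    """Return (type, hash) of the list entry a file body matches, or None."""
    for kind, digest in file_digests(data).items():
        if digest in accepted:
            return kind, digest
    return None


# Constructed sample: a "known bad" file body and a list published for it.
BAD_SAMPLE = b"constructed malicious sample bytes"
SAMPLE_LIST = "\n".join([
    hashlib.sha256(BAD_SAMPLE).hexdigest(),           # valid SHA256 entry
    "",                                               # blank line, skipped
    "0123456789abcdef0123456789abcdef",               # constructed MD5-length entry
    "sha256:" + hashlib.sha1(BAD_SAMPLE).hexdigest(), # labelled, not a bare hash
])

if __name__ == "__main__":
    ok, bad = parse_hash_list(SAMPLE_LIST)
    print(f"{len(ok)} entries accepted, rejected: {bad}")
    print("bad sample:", block_list_match(BAD_SAMPLE, ok))
    print("benign bytes:", block_list_match(b"benign bytes", ok))
```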