FortiGate
ranand, Staff
Article Id 199691
Description This article describes the FortiGuard protection services in antivirus profile.
Scope FortiGate.
Solution

Refer to the snapshot of the FortiGate AntiVirus profile below:

[Screenshot: ranand_0-1637923285148.png, the FortiGate AntiVirus profile]

Content disarm and reconstruction (CDR):


  • The CDR removes exploitable content. As files are processed through an enabled antivirus profile, content that is found to be malicious or unsafe is replaced with content that allows the traffic to continue but does not put the recipient at risk.


  • Content that can be scanned includes PDF and Microsoft Office files entering the network on CDR-supported protocols (such as HTTP, SMTP, IMAP, and POP3 — MAPI is not supported). CDR does not scan HTTP POST messages. This is done to avoid possible confusion on both the sender and recipient sides. The specific content to be scanned can be configured in the CLI - by default all options are enabled:


config antivirus profile
    edit "av-profile-name"
        set feature-set proxy
        ...
        config content-disarm
            ...
            set office-macro enable
            set office-hylink enable
            set office-linked enable
            set office-embed enable
            set office-dde enable
            set office-action enable
            set pdf-javacode enable
            set pdf-embedfile enable
            set pdf-hyperlink enable
            set pdf-act-gotor enable
            set pdf-act-launch enable
            set pdf-act-sound enable
            set pdf-act-movie enable
            set pdf-act-java enable
            set pdf-act-form enable
            set cover-page enable
            set detect-only enable/disable
        end


  • When the client downloads the file, FortiGate removes or scans all exploitable content in real time. CDR can be configured to only detect ('set detect-only enable') or to remove ('set detect-only disable') the specified content. This feature does not check whether the content is actually malicious: if CDR is configured to remove hyperlinks from Office documents, it removes all of them, without checking whether the links lead to malicious websites.


  • The original file is sent to FortiSandbox, saved to disk (only on FortiGates with a disk), or discarded, depending on the 'Original File Destination' setting in the AntiVirus profile (in the CLI: 'set original-file-destination quarantine/fortisandbox/discard').


  • CDR can also be configured to add a cover page to the scanned files. The user is notified of the scan and, in case CDR removed some of the content, can request the original file from the FortiGate administrator.


  • The CDR log in the AntiVirus log section specifies the type of threat that was removed from the disarmed file (see the 'cdrcontent' field):


date=2023-07-27 time=16:46:18 eventtime=1690501578167356620 tz="-0700" logid="0205009240" type="utm" subtype="virus" eventtype="content-disarm" level="warning" vd="vdom1" policyid=1 ... policytype="policy" epoch=349957988 eventid=1 msg="File was disarmed by Content Disarm engine." action="content-disarmed" service="SMTP" sessionid=521 srcip=10.1... dstip=172.16... srcport=54710 dstport=25 srccountry="Reserved" dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" ... proto=6 direction="outgoing" filename="javascript.pdf" checksum="2eaca223" profile="av" from="...@mail.com" to="...@mail.com" sender="...@mail.com" recipient="...@mail.com" subject="Test" attachment="yes" analyticscksum="8553ef26929221725036cvbnghjkvbn36be8e796660062c9e904b63gf89y" contentdisarmed="disarmed" cdrcontent="pdf-javascript,pdf-embedded-file,pdf-hyperlink" crscore=10 craction=2 crlevel="medium"
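As an added example (not code from the original article or from Fortinet), the following Python script parses FortiGate key=value log lines such as the one above and extracts the CDR-specific fields ('eventtype', 'cdrcontent', 'contentdisarmed', 'filename', 'service'), so an analyst can see which content classes CDR stripped from which files and count them across a batch of logs. The sample log lines are constructed for the example and abbreviated compared with a real record; the Office 'cdrcontent' values in the second sample are assumed, only the PDF values come from the log above.

```python
import re
from collections import Counter

# FortiOS log fields are key=value pairs: the value is either double-quoted
# (and may contain spaces, e.g. msg="File was disarmed ...") or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample records (abbreviated); field names follow the log above.
SAMPLE_LOGS = [
    # CDR event modelled on the record in the article.
    'date=2023-07-27 time=16:46:18 type="utm" subtype="virus" eventtype="content-disarm" '
    'level="warning" vd="vdom1" policyid=1 msg="File was disarmed by Content Disarm engine." '
    'action="content-disarmed" service="SMTP" srcip=10.1.1.10 dstip=172.16.1.20 '
    'filename="javascript.pdf" profile="av" contentdisarmed="disarmed" '
    'cdrcontent="pdf-javascript,pdf-embedded-file,pdf-hyperlink" crlevel="medium"',
    # Constructed Office CDR event; the cdrcontent values here are assumed.
    'date=2023-07-27 time=16:50:02 type="utm" subtype="virus" eventtype="content-disarm" '
    'level="warning" action="content-disarmed" service="HTTP" filename="invoice.docx" '
    'contentdisarmed="disarmed" cdrcontent="office-macro,office-hyperlink" crlevel="medium"',
    # Constructed signature-based detection: not a CDR event, must be ignored.
    'date=2023-07-27 time=16:51:40 type="utm" subtype="virus" eventtype="infected" '
    'level="warning" action="blocked" service="HTTP" filename="eicar.com" virus="EICAR_TEST_FILE"',
]


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate log line into a dict of field -> value (quotes stripped).

    Tokens that are not key=value pairs (such as the '...' elisions in a
    redacted record) are simply skipped.
    """
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def cdr_summary(fields: dict):
    """Summarise a content-disarm record, or return None for any other event type."""
    if fields.get("eventtype") != "content-disarm":
        return None
    removed = [c for c in fields.get("cdrcontent", "").split(",") if c]
    return {
        "filename": fields.get("filename"),
        "service": fields.get("service"),
        "disarmed": fields.get("contentdisarmed") == "disarmed",
        "removed": removed,
        "crlevel": fields.get("crlevel"),
    }


def cdr_content_counts(lines) -> Counter:
    """Count how often each CDR content class was stripped across many log lines."""
    counts = Counter()
    for line in lines:
        summary = cdr_summary(parse_fortigate_log(line))
        if summary:
            counts.update(summary["removed"])
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        summary = cdr_summary(parse_fortigate_log(line))
        if summary:
            print(f"{summary['service']:5} {summary['filename']:15} "
                  f"removed={','.join(summary['removed'])}")
    print(dict(cdr_content_counts(SAMPLE_LOGS)))
```

Feeding real syslog output into cdr_content_counts gives a quick picture of which CDR options are doing the work (for example, many 'pdf-hyperlink' hits with no 'pdf-javascript' hits), which helps decide where 'detect-only' is adequate and where removal is worth the user friction.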


Virus outbreak prevention:

  • An additional layer of protection that keeps the network safe from newly emerging malware. Quick virus outbreaks can infect a network before signatures can be developed to stop them.


  • Outbreak protection stops these virus outbreaks until signatures become available in FortiGuard. FortiGate must have a Zero-Hour Virus Outbreak (ZHVO) license.


  • FortiGate adds hash-based virus detection for new threats that are not yet detected by the antivirus signatures.


  • When the file is sent to the scanunit daemon, buffers are hashed and a request is sent to the urlfilter daemon. After checking against its request cache for known signatures, the urlfilter daemon sends an antivirus request to FortiGuard with the remaining signatures.


  • FortiGuard returns a rating that is used to determine whether the scanunit daemon should report the file as harmful. Jobs remain suspended in the scanunit daemon until the client receives a response or the request times out.


Malware block list:


  • FortiGate can enhance the antivirus database by linking a dynamic external malware block list to FortiGate. The list is hosted on a web server and is available through an HTTP/HTTPS URL defined within the Security Fabric malware hash list.


  • The list can contain MD5, SHA1, and SHA256 hashes, each written on a separate line of a plaintext file.


  • The malware block list can be defined as a Security Fabric connector and configured to pull the list dynamically by setting the refresh rate.
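As an added example (not code from the original article or from Fortinet), the following Python script validates a malware block list before it is published on the web server FortiGate pulls from: it accepts only lines that are a bare MD5, SHA1 or SHA256 hex digest (the one-hash-per-line format described above), normalises them to lowercase, reports any other line with its line number, and shows the lookup FortiGate performs conceptually by hashing a file's content and checking all three digests against the list. The sample list is constructed for the example; comment or description syntax is not described in the article, so this validator does not assume any and flags such lines as errors.

```python
import hashlib
import string

# Hex digest lengths of the three hash types FortiGate accepts in a malware hash list.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample list: digests of b"" (MD5, SHA1), of b"abc" (SHA256),
# a blank line, and one invalid line.
SAMPLE_LIST = """\
d41d8cd98f00b204e9800998ecf8427e
DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

not-a-hash
"""


def classify_hash(token: str):
    """Return 'md5', 'sha1' or 'sha256' for a bare hex digest of the right length, else None."""
    token = token.strip()
    # Reject anything that is not pure hex (int(token, 16) would accept '0x', '_' and signs).
    if not token or any(c not in string.hexdigits for c in token):
        return None
    return HASH_TYPES.get(len(token))


def validate_block_list(text: str):
    """Validate a plaintext hash list, one hash per line, as FortiGate expects.

    Returns (hashes, errors): hashes is a set of lowercase digests ready to be
    served; errors lists (line_number, line) for every non-blank line that is
    not a bare MD5/SHA1/SHA256 digest.
    """
    hashes, errors = set(), []
    for lineno, line in enumerate(text.splitlines(), start=1):
        token = line.strip()
        if not token:
            continue  # blank lines are harmless; skip them
        if classify_hash(token) is None:
            errors.append((lineno, token))
        else:
            hashes.add(token.lower())
    return hashes, errors


def digests(data: bytes) -> dict:
    """Compute the three digests of a file's content that the list could match on."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def is_blocked(data: bytes, hashes: set) -> bool:
    """True if any digest of the content appears in the (lowercase) block list."""
    return any(d in hashes for d in digests(data).values())


if __name__ == "__main__":
    hashes, errors = validate_block_list(SAMPLE_LIST)
    print(f"{len(hashes)} valid hashes, {len(errors)} bad lines: {errors}")
    for sample in (b"", b"abc", b"abcd"):
        print(f"{sample!r}: blocked={is_blocked(sample, hashes)}")
```

Run the validator in the pipeline that generates the file (for example as a CI step before the file is copied to the web server), so that a malformed line never reaches the FortiGate connector; the lowercase normalisation also means the same digest pasted in different case is not listed twice.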