Description
This article describes a situation in which the AV process scans unknown malware that has no definition in the AV database: the scan may take a long time to complete and can result in the scanunitd process crashing or in high CPU usage.
Scope
FortiGate.
Solution
This issue can be avoided by disabling Win32 emulation, as shown in the following configuration on v5.2.x. The Win32 emulation scan generally consumes a large amount of hardware resources.
config antivirus profile
    edit "default"
        set comment "Scan files and block viruses."
        config smtp
            set options scan
            set emulator disable
        end
    next
end
FortiGate AV can inspect files by emulating a Win32 environment. This setting is not configurable on v5.0.x. Flow-based AV and AV scanning on FortiOS 5.4.x are not affected.
Win32 emulation inspects unknown files and marks them with a suspicious flag if the files are regarded as unsafe.
The 'Advanced Threat Protection Statistics' widget in the FortiGate WebUI shows the number of 'Suspicious Files', i.e. files marked as suspicious by Win32 emulation.
Comparing the number of 'Suspicious Files' before and after disabling emulation helps to estimate how much suspicious-file detection the emulator was providing.
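Because the emulator setting sits inside each protocol section of the profile (the example above only touches smtp), it is easy to disable it in one section and leave it running in another. The following added script, which is not part of this article or of FortiOS, walks a saved antivirus-profile configuration and reports which protocol sections still run the Win32 emulator; the sample configuration and the assumption that an unset emulator means enabled are constructed here.

```python
from typing import Dict, List, Tuple

# Constructed sample in FortiOS 5.2 CLI style (not captured from a real device):
# smtp carries the article's 'set emulator disable', http does not.
SAMPLE_CONFIG = """\
config antivirus profile
    edit "default"
        set comment "Scan files and block viruses."
        config http
            set options scan
        end
        config smtp
            set options scan
            set emulator disable
        end
    next
end
"""

def emulator_state_per_protocol(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {profile: {protocol: 'enable' | 'disable' | 'enable (default)'}}.
    Open 'config'/'edit' blocks are tracked on a stack; a protocol section is a
    'config <proto>' opened directly inside an antivirus profile entry. A section
    with no 'set emulator' line is reported as 'enable (default)' (assumed default)."""
    results: Dict[str, Dict[str, str]] = {}
    stack: List[str] = []
    profile = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line.split(None, 1)[1])
            if profile and len(stack) == 3:            # protocol section opened
                results[profile].setdefault(stack[-1], "enable (default)")
        elif line.startswith("edit "):
            stack.append(line.split(None, 1)[1].strip('"'))
            if stack[:-1] == ["antivirus profile"]:   # entry of the profile table
                profile = stack[-1]
                results[profile] = {}
        elif line in ("end", "next"):
            stack.pop()
            if len(stack) < 2:                        # left the profile entry
                profile = None
        elif line.startswith("set emulator ") and profile and len(stack) == 3:
            results[profile][stack[-1]] = line.split()[-1]
    return results

def sections_still_emulating(config_text: str) -> List[Tuple[str, str]]:
    """(profile, protocol) pairs where the Win32 emulator is not disabled."""
    states = emulator_state_per_protocol(config_text)
    return [(p, x) for p, d in states.items() for x, s in d.items() if s != "disable"]
```

Run it against the output of `show antivirus profile` saved to a file to see which sections still need `set emulator disable`.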

Other example:
Limit antivirus scanning for trusted traffic (in this example, Microsoft traffic):
config antivirus profile
    edit "default"
        config feature-set
            set av-engine default
            config exempt
                set entries "windowsupdate.microsoft.com" "update.microsoft.com" "dl.delivery.mp.microsoft.com"
            end
        end
    next
end