ibituya
Staff
Article Id 392849
Description

This article provides a solution when an error is encountered while deleting the unused Malware Hash Threat Feed in FortiGate.  

Scope

FortiGate.

Solution

The malware hash threat feed contains a dynamic list of malware hashes (MD5, SHA1, or SHA256) that is periodically fetched from an external server.

(Screenshot: malware-hashes.PNG)

When attempting to delete a malware hash threat feed, the error message 'Entry is used. Cannot delete a used external resource' may appear even when the feed's usage view shows no results or no references.

(Screenshot: unable-to-delete.PNG)

Deleting the malware hash threat feed via the CLI will also return the error 'Cannot delete a used external resource'.

(Screenshot: cli-malware-hashes.PNG)

To resolve this, verify that the external-blocklist-enable-all option is not enabled on any AntiVirus profile. Run the command below to verify:

show full antivirus profile | grep external-blocklist-enable-all -if

This option can also be checked from the GUI under Security Profiles -> AntiVirus.

(Screenshot: external-blocklist-enable-all.PNG)

If the external-blocklist-enable-all option is enabled on any AntiVirus profile, disable it either from the GUI or via the CLI.

Note that some AntiVirus profiles are not visible in the GUI; for those, the only option is to disable the setting via the CLI with the following commands:

config antivirus profile
    edit <antivirus-profile-name>
        set external-blocklist-enable-all disable
    next
end

 

After disabling this option for all AntiVirus profiles, deleting the malware hash threat feed should now be possible.
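The check above has to be repeated for every AntiVirus profile, including the ones that are not visible in the GUI. The script below is an added example (it is not a Fortinet tool) that parses the text of 'show full antivirus profile' saved from a CLI session, lists every profile where external-blocklist-enable-all is still enabled, and generates the exact CLI commands to disable it on each. The sample output embedded in the script is constructed; the profile names in it, including 'hidden-profile', are illustrative.

```python
"""Find AntiVirus profiles that still have external-blocklist-enable-all enabled.

Added example, not Fortinet's own tooling. Input is the text of
`show full antivirus profile` copied from a FortiGate CLI session.
"""
import re

# Constructed sample of `show full antivirus profile` output (illustrative
# profile names and values; `hidden-profile` stands in for a profile that
# does not appear in the GUI).
SAMPLE_OUTPUT = """\
config antivirus profile
    edit "default"
        set comment "Scan files and block viruses."
        set feature-set flow
        set external-blocklist-enable-all disable
        config http
            set av-scan block
        end
    next
    edit "hidden-profile"
        set comment ""
        set feature-set proxy
        set external-blocklist-enable-all enable
    next
    edit "wifi-default"
        set external-blocklist-enable-all enable
        set external-blocklist "my-hash-feed"
    next
end
"""

# `edit "name"` at the profile level (quotes optional in FortiOS output).
EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\n]+?)"?\s*$')
# Only the exact option we care about; `set external-blocklist ...` must not match.
SET_RE = re.compile(r'^\s*set\s+external-blocklist-enable-all\s+(enable|disable)\s*$')


def parse_profiles(show_output: str) -> dict:
    """Map each antivirus profile name to its external-blocklist-enable-all value.

    Nested tables (config http / end, etc.) are tracked by depth so that an
    `edit` or `set` inside them is never mistaken for a profile-level entry.
    """
    profiles = {}
    current = None
    depth = 0
    for line in show_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("config "):
            depth += 1
            continue
        if stripped == "end":
            depth -= 1
            continue
        if depth != 1:  # inside a nested table: ignore
            continue
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            profiles.setdefault(current, "disable")  # FortiOS default is disable
            continue
        if stripped == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            profiles[current] = m.group(1)
    return profiles


def profiles_to_fix(show_output: str) -> list:
    """Names of profiles on which external-blocklist-enable-all is enabled."""
    found = parse_profiles(show_output)
    return sorted(name for name, value in found.items() if value == "enable")


def disable_commands(names) -> str:
    """Build the CLI block from the article that disables the option per profile."""
    lines = ["config antivirus profile"]
    for name in names:
        lines += [f'    edit "{name}"',
                  "        set external-blocklist-enable-all disable",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    offenders = profiles_to_fix(SAMPLE_OUTPUT)
    print("Profiles still referencing all external hash feeds:", offenders)
    print(disable_commands(offenders))
```

Paste the real 'show full antivirus profile' output in place of the constructed sample (or read it from a file) to get a disable block that covers every profile, whether or not it shows in the GUI; once those commands have been applied, the feed deletion should succeed.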

 

From FortiGate v7.4.0 and later, a malware hash threat feed that is not explicitly selected in the 'Use external malware block list' option can be deleted even if external-blocklist-enable-all is enabled on one of the AntiVirus profiles. However, the GUI shows a warning if external-blocklist-enable-all is enabled but no malware hash threat feed is configured.

(Screenshot: not-found.PNG)

Related document:

Malware hash threat feed