FortiGate
yderek (Staff)
Article Id 388517
Description This article explains why, when an EICAR test file is transferred over SMB, the transfer appears to succeed on the client even though FortiGate logs the action as blocked.
Scope FortiGate.
Solution
  • When the FortiGate antivirus function is tested with an EICAR file transferred over SMB, the EICAR file arrives at the destination with the same file size as the original, yet FortiGate reports the action as blocked. This is expected behaviour and follows from the design of the SMB protocol.
  • FortiGate logs showing the action as blocked:

eicar file logs.jpg

  • On the client, the file appears to have been transferred successfully to the mapped drive: comparing file sizes shows the same size before and after the transfer.
  • However, computing an MD5 checksum of the original file and of the destination file shows that the two differ, see below.
  • MD5 checksum at the client side:

MD5 on client eicar.jpg

  • MD5 checksum at the server side:

eicar MD5 server.jpg

  • This is because the FortiGate proxy policy and proxy-based UTM scanning are working: the file did not reach the server intact. Because of the SMB protocol design, FortiGate cannot hold the whole file until scanning finishes before forwarding it to the server, so the destination ends up with a file of the expected size but without the original content. File size alone therefore does not prove delivery; the checksum comparison does.
  • Opening the EICAR file at the destination and comparing it with the copy on the client shows that the destination file is empty, see screenshot below:
ciage file compare.jpg
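The comparison the screenshots above perform by hand, as an added example that is not Fortinet's code or part of the original article: it hashes the source copy and the copy on the share and reports whether the result matches the pattern described here (same size, different content, destination reads as empty). The EICAR bytes are the standard test string; the known MD5 of the EICAR file is used to confirm the source copy is genuine. The NUL-filled "server copy" used for the offline demo is an assumption (the article only says the destination file is the same size and shows empty); the paths in the docstring are placeholders.

```python
"""Check whether a file copied to an SMB share actually arrived intact.

Added example for this article, not Fortinet code. It assumes the client
still holds the original file and can read the copy on the mapped drive.
"""
import hashlib
import sys
from typing import Dict

# Constructed sample: the 68-byte EICAR test string, written as two adjacent
# literals so the script file itself does not contain the contiguous
# signature and get quarantined by the client's own antivirus.
EICAR = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)

# Published MD5 of the EICAR test file; confirm the source copy is genuine
# before attributing a mismatch to the firewall.
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"

# Assumption for the offline demo: the article shows the destination copy
# with the same size but empty content. A NUL-filled file of the same length
# is one way that looks in an editor; the real bytes on the share may differ.
SIMULATED_SERVER_COPY = b"\x00" * len(EICAR)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def source_is_genuine_eicar(src: bytes) -> bool:
    """True when the local source file is the unmodified EICAR test file."""
    return md5_hex(src) == EICAR_MD5


def compare_transfer(src: bytes, dst: bytes) -> Dict[str, object]:
    """Compare original bytes with the bytes that landed on the share.

    Verdicts:
      intact            - hashes match, the file was delivered unchanged
      size_mismatch     - destination length differs from the source
      blocked_same_size - same length, different content: the pattern this
                          article describes for SMB with proxy AV scanning
    """
    size_match = len(src) == len(dst)
    md5_match = md5_hex(src) == md5_hex(dst)
    if md5_match:
        verdict = "intact"
    elif size_match:
        verdict = "blocked_same_size"
    else:
        verdict = "size_mismatch"
    return {
        "src_size": len(src),
        "dst_size": len(dst),
        "src_md5": md5_hex(src),
        "dst_md5": md5_hex(dst),
        "size_match": size_match,
        "md5_match": md5_match,
        # True when the destination is nothing but NUL bytes, i.e. it opens
        # as an empty file even though its reported size is unchanged.
        "dst_is_nul_filled": len(dst) > 0 and not dst.strip(b"\x00"),
        "verdict": verdict,
    }


def compare_files(src_path: str, dst_path: str) -> Dict[str, object]:
    """Same comparison for real paths, e.g. C:\\eicar.com and Z:\\eicar.com
    (placeholder paths; use the original and the mapped-drive copy)."""
    with open(src_path, "rb") as f:
        src = f.read()
    with open(dst_path, "rb") as f:
        dst = f.read()
    return compare_transfer(src, dst)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        report = compare_files(sys.argv[1], sys.argv[2])
    else:
        # No paths given: run the offline demo against the constructed copy.
        report = compare_transfer(EICAR, SIMULATED_SERVER_COPY)
    for key, value in report.items():
        print(f"{key:18} {value}")
```

Run it on the client with the original file and the mapped-drive path as the two arguments. A `blocked_same_size` verdict together with the "blocked" entry in the FortiGate log is the expected outcome of this test; an `intact` verdict means the file was delivered and scanning did not take effect on that path. Note that writing the EICAR file to the client's own disk will normally trigger the client antivirus, which is why the demo keeps the bytes in memory.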
