FortiMail
cysaw
Staff
Article Id 189635

Description

 

This article describes how to block email by file signatures.

 

Scope

 

FortiGate.

Solution


If the SHA-1/SHA-256 (Secure Hash Algorithm) hash values of known virus-infected files have been obtained, add these values as file signatures and then, in the antivirus profile, enable the actions against these files.
The SHA-1/SHA-256 checksums can be added manually one by one, or a checksum list can be imported in csv or txt format.
The signatures can be exported as a .csv file.

Because not all attachment files are virus carriers, the FortiMail file signature check only supports the following file types:
.7z, .bat, .cab, .dll, .doc, .docm, .dotm, .exe, .gz, .hta, .inf, .jar, .js, .jse, .msi, .msp, .pdf, .pif, .potm, .ppam, .ppsm, .ppt, .pptm, .pptx, .reg, .scr, .sldm, .swf, .tar, .vbe, .ws, .wsc, .wsf, .wsh, .xlam, .xls, .xlsm, .xlsx, .xltm, .Z, and .zip files.

The list above, and further details, can be confirmed in the link: Configuring antivirus profiles, file signatures, and antivirus action profiles
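
The following Python script is an added example, not part of the original article and not Fortinet's code. It prepares a checksum list for one signature group: it hashes files already confirmed as infected, skips file types outside the list above, and rejects checksums whose length does not match the group's algorithm. Assumptions: the import file holds one checksum per line, and the file type is judged by extension; the function names and sample data are hypothetical.

```python
import hashlib
import re

# File types the article lists for the file signature check, lower-cased.
SUPPORTED = set(
    ".7z .bat .cab .dll .doc .docm .dotm .exe .gz .hta .inf .jar .js .jse "
    ".msi .msp .pdf .pif .potm .ppam .ppsm .ppt .pptm .pptx .reg .scr .sldm "
    ".swf .tar .vbe .ws .wsc .wsf .wsh .xlam .xls .xlsm .xlsx .xltm .z .zip".split()
)
HEX_LEN = {"sha1": 40, "sha256": 64}  # hex digits per checksum


def normalize(checksum, algo="sha256"):
    """Lower-case a checksum; return None unless it is hex of the right length."""
    value = checksum.strip().lower()
    return value if re.fullmatch("[0-9a-f]{%d}" % HEX_LEN[algo], value) else None


def build_import_list(samples, feed=(), algo="sha256"):
    """Return (checksums, rejected) for one signature group.

    samples: {filename: bytes} of files already confirmed as infected.
    feed: checksum strings obtained elsewhere, e.g. from an advisory.
    """
    checksums, rejected = [], []
    for name, data in samples.items():
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in SUPPORTED:
            rejected.append(name)  # type not covered by the check
            continue
        checksums.append(hashlib.new(algo, data).hexdigest())
    for raw in feed:
        value = normalize(raw, algo)
        if value is None:
            rejected.append(raw)  # wrong length for this group, or not hex
        else:
            checksums.append(value)
    return list(dict.fromkeys(checksums)), rejected  # de-duplicate, keep order


if __name__ == "__main__":
    # Constructed sample data, not real malware or real indicators.
    samples = {"invoice.docm": b"constructed sample A", "readme.txt": b"constructed sample B"}
    feed = ["DA39A3EE5E6B4B0D3255BFEF95601890AFD80709", "not-a-hash"]
    checksums, rejected = build_import_list(samples, feed, algo="sha256")
    print("\n".join(checksums))  # assumed import layout: one checksum per line
    print("rejected:", rejected)
```

The SHA-1 value in the sample feed is rejected because the group is built for SHA-256; a signature group uses either SHA-1 or SHA-256, as selected in step 1 below.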

 

  1. Add a new file signature.
  • Go to Security -> Other -> File Signature and select 'New'.
  • Enter a name for the signature group.
  • Select either SHA-1 or SHA-256.
  • Under 'File Signature List', select 'New' and then enter the checksum value.
  • Select 'OK' and then 'Create'.

  2. Enable 'File Signature check' in the AntiVirus profile.
  • Go to Profile -> AntiVirus -> AntiVirus and create a new antivirus profile or edit an existing profile.
  • Enable the File signature check.
  • Select 'OK' to save it.

  3. Ensure that this AntiVirus Profile has been connected to an IP Policy.
 
Result.
 
 
 
The attachment file has a hash value that matches the file signature created, so FortiMail puts it under quarantine.