Description
This article describes how to block email by file signatures.
Scope
FortiGate.
Solution
If the SHA-1 or SHA-256 (Secure Hash Algorithm) hash values of known virus-infected files are available, add these values as file signatures and then enable the actions against these files in the antivirus profile.
Checksums can be added manually one by one, or a checksum list can be imported in csv or txt format.
The signatures can be exported as a .csv file.
Because not all attachment files are virus carriers, the FortiMail file signature check only supports the following file types:
.7z, .bat, .cab, .dll, .doc, .docm, .dotm, .exe, .gz, .hta, .inf, .jar, .js, .jse, .msi, .msp, .pdf, .pif, .potm, .ppam, .ppsm, .ppt, .pptm, .pptx, .reg, .scr, .sldm, .swf, .tar, .vbe, .ws, .wsc, .wsf, .wsh, .xlam, .xls, .xlsm, .xlsx, .xltm, .Z, and .zip files.
The list above and further details can be confirmed in: Configuring antivirus profiles, file signatures, and antivirus action profiles
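The following Python script is an added example, not part of the original article or of any Fortinet tooling. It hashes a directory of collected samples, keeps only the file types listed above, and writes a checksum list for import. The one-digest-per-line layout of the output file and the script name make_siglist.py are assumptions; confirm the import layout in the FortiMail documentation.

```python
import hashlib
import sys
from pathlib import Path

# File types the article lists as covered by the file signature check
# (compared case-insensitively, so ".Z" appears here as ".z").
SUPPORTED = set(
    ".7z .bat .cab .dll .doc .docm .dotm .exe .gz .hta .inf .jar .js .jse "
    ".msi .msp .pdf .pif .potm .ppam .ppsm .ppt .pptm .pptx .reg .scr .sldm "
    ".swf .tar .vbe .ws .wsc .wsf .wsh .xlam .xls .xlsm .xlsx .xltm .z .zip".split()
)


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so large samples are never loaded whole."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("the signature list accepts only SHA-1 or SHA-256")
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_signature_list(sample_dir, algorithm="sha256"):
    """Return (digests, skipped): unique digests of supported files, and
    the names of files whose type the signature check would not cover."""
    digests, skipped = [], []
    for path in sorted(Path(sample_dir).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() not in SUPPORTED:
            skipped.append(path.name)
            continue
        digest = file_digest(path, algorithm)
        if digest not in digests:  # identical samples need only one entry
            digests.append(digest)
    return digests, skipped


if __name__ == "__main__":
    # Usage: python make_siglist.py <sample_dir> <out.txt> [sha1|sha256]
    sample_dir, out_file = sys.argv[1], sys.argv[2]
    algo = sys.argv[3] if len(sys.argv) > 3 else "sha256"
    digests, skipped = build_signature_list(sample_dir, algo)
    # Assumed import layout: one hex digest per line.
    Path(out_file).write_text("\n".join(digests) + "\n")
    print(f"{len(digests)} signatures written, {len(skipped)} files skipped")
```

Files reported as skipped have a type outside the supported list, so a signature for them would not be checked.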
- Add a new file signature.
  - Go to Security -> Other -> File Signature and select 'New'.
  - Enter a name for the signature group.
  - Select either SHA-1 or SHA-256.
  - Under 'File Signature List', select 'New' and then enter the checksum value.
  - Select 'OK' and then 'Create'.

- Enable 'File Signature check' in the AntiVirus profile.
  - Go to Profile -> AntiVirus -> AntiVirus and create a new antivirus profile or edit an existing profile.
  - Enable the File signature check.
  - Select 'OK' to save it.

- Ensure that this AntiVirus Profile has been connected to an IP Policy.

