FortiMail
Nishtha_Baria
Article Id 276627
Description This article explains the correlation between the 'archive-max-recursive-level' and 'decompress-max-level' CLI commands and their use cases.
Scope FortiMail.
Solution
Understanding the CLI Commands:
 
archive-max-recursive-level
 
  • The 'archive-max-recursive-level' command sets the maximum level of recursion for scanning within compressed (archive) files attached to emails. It determines how deeply FortiMail scans compressed archives within email attachments.
  • Higher values of 'archive-max-recursive-level' allow for deeper scanning within compressed archives.
 
decompress-max-level
  • The 'decompress-max-level' command sets the maximum level of decompression allowed for archive files during antivirus and content scans. It controls how deeply FortiMail decompresses archive files to scan their contents.
  • The default value of 'decompress-max-level' is 12, meaning FortiMail will decompress up to 12 levels deep into archive files.
 
The correlation between 'archive-max-recursive-level' and 'decompress-max-level' is crucial for efficient and effective email scanning. Here is how they work together and their use cases:
 
  1. Detecting Deeply Compressed Archives:
  • When FortiMail scans emails with attached archive files (e.g., .zip or .rar), it may encounter deeply compressed archives that require multiple levels of decompression to access the innermost files.
  • 'decompress-max-level' controls how deeply FortiMail can decompress these archives for scanning.
  • 'archive-max-recursive-level' complements this by determining how deeply FortiMail scans within those decompressed archives.
  • If 'archive-max-recursive-level' is set lower than 'decompress-max-level', it may not detect files within deeply compressed archives, potentially missing threats.
 
  2. Use Case Example:
  • In the provided example, 'archive-max-recursive-level' was set to 13 or higher, indicating that FortiMail should scan within archives with a depth of 13 or more levels.
  • However, the default value of 'decompress-max-level' was 12, meaning FortiMail would only decompress up to 12 levels deep.
  • To resolve this issue, it is necessary to adjust 'decompress-max-level' to match or exceed the value of 'archive-max-recursive-level'. In this case, 'decompress-max-level' was increased to 13 to ensure proper scanning of deeply compressed archives.
 
  3. Configuration Steps:
 
config profile content
    edit <profile_name>
        set archive-scan-options {block-on-failure-to-decompress | block-password-protected | block-recursive}
        set archive-max-recursive-level <depth_int>
end
 
block-recursive: Enable to block archive attachments whose depth of nested archives exceeds the value defined under archive-max-recursive-level.
 
archive-max-recursive-level <depth_int>: Enter the nesting depth threshold. Depending on how many archives are nested inside each attached archive, the FortiMail unit uses one of the following rules to decide whether to block or pass the email.
 
If archive-max-recursive-level is 0, or the attachment's nesting depth is less than or equal to archive-max-recursive-level: if the attachment contains a file that matches one of the other MIME file types, perform the action configured for that file type, either block or pass.
 
If the attachment's nesting depth is greater than archive-max-recursive-level: apply the block action, unless block-recursive is disabled, in which case the attachment passes the MIME file type content filter. Block actions are specified in the profile content-action.
 
config mailsetting mail-scan-options
    set content-scan-level {high | low | medium}
    set decompress-max-level <level_int>
    set decompress-max-ratio <ratio_int>
    set decompress-max-size <size_int>
    set scan-microsoft-msg {enable | disable}
    set scan-timeout-action {tempfail | passthrough}
    set scan-timeout-value <seconds_int>
end
 
decompress-max-level <level_int>: Specify how many levels to decompress the archived files for antivirus and content scan. The valid range is 1 to 36. The default is 12.
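The following Python model is an added illustration of the interaction described above; it is not Fortinet code and does not reproduce the FortiMail scanner itself. It assumes that the scanner can recognise an archive entry without decompressing it, stops decompressing once decompress-max-level is reached, and applies the block-recursive rule to the depth it was able to observe.

```python
"""Why archive-max-recursive-level needs decompress-max-level to keep up.
Added model (not Fortinet's implementation). Assumption: the scanner counts an
archive as soon as it sees it as an entry, but can only look inside it while
the decompress-max-level budget lasts."""
import io
import zipfile


def build_nested_zip(layers: int) -> bytes:
    """Constructed test attachment: a zip nested `layers` deep around one text file."""
    payload, name = b"innermost file\n", "inner.txt"
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        payload, name = buf.getvalue(), f"nested{i}.zip"
    return payload


def observed_depth(data: bytes, decompress_max_level: int) -> int:
    """Nesting depth the scanner can establish: every layer it opens, plus one
    unopened archive entry it can still identify once the budget runs out."""
    depth, current = 0, data
    while zipfile.is_zipfile(io.BytesIO(current)):
        depth += 1                          # this layer is recognised as an archive
        if depth > decompress_max_level:
            break                           # budget exhausted: cannot look inside
        with zipfile.ZipFile(io.BytesIO(current)) as zf:
            inner = [n for n in zf.namelist() if n.lower().endswith(".zip")]
            if not inner:
                break                       # innermost layer reached
            current = zf.read(inner[0])
    return depth


def verdict(depth: int, archive_max_recursive_level: int, block_recursive: bool = True) -> str:
    """The archive-max-recursive-level / block-recursive rule from the content profile."""
    if archive_max_recursive_level == 0 or depth <= archive_max_recursive_level:
        return "pass"                       # handed on to the other MIME file-type rules
    return "block" if block_recursive else "pass"


def scan(data: bytes, decompress_max_level: int, archive_max_recursive_level: int,
         block_recursive: bool = True) -> str:
    return verdict(observed_depth(data, decompress_max_level),
                   archive_max_recursive_level, block_recursive)


def config_ok(archive_max_recursive_level: int, decompress_max_level: int) -> bool:
    """Sanity check from the article: the threshold is unreachable if it exceeds
    how deep the mail-scan options allow decompression."""
    return archive_max_recursive_level <= decompress_max_level
```

With a 14-level attachment and the threshold at 13, the default decompress-max-level of 12 lets the scanner see only 13 layers, so the attachment passes; raising decompress-max-level to 13 exposes the 14th layer and the block-recursive rule fires.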