nevan
Staff
Article Id 341936
Description This article describes how to test an antivirus setup with the EICAR test file and how to view the resulting logs in FortiSASE Analytics.
Scope FortiSASE, FortiClient
Solution FortiSASE Secure Internet Access (SIA) provides real-time Antivirus protection for users. The antivirus engine decrypts the traffic passing through the FortiSASE infrastructure, scans the data, and re-encrypts it. Antivirus is enabled in a FortiSASE instance from the security profile, as shown below.

[Screenshot: av-1.jpg]

When setting up a profile with Antivirus enabled, SSL inspection must be set to 'Deep inspection' mode so that encrypted content can be decrypted and re-encrypted. With certificate-only inspection the HTTPS payload is never decrypted, so a file downloaded over HTTPS (such as the EICAR test file) is never seen by the antivirus engine. Deep inspection also requires the endpoint to trust the CA certificate used for inspection; otherwise the browser shows certificate warnings instead of a block page.

The EICAR test file can be downloaded from https://www.eicar.org/. The sample log below shows a download of https://secure.eicar.org/eicarcom2.zip, the variant in which the EICAR file is nested inside two zip archives, which also confirms that archive scanning works.

Once the test file is downloaded, a block warning is shown in the browser, or FortiClient notifies the user about the risk.

[Screenshot: av3.jpg]
Logs for the Antivirus profile can be viewed under Analytics -> Security -> Antivirus.

[Screenshot: av1.jpg]


[Screenshot: av2.jpg]


The log shows the file filename="eicarcom2.zip" being blocked with dtype="av-engine" (the detection type), which confirms that the antivirus engine is blocking the traffic and that logs are generated for the security profile. Other fields worth checking in the same entry: action="blocked", eventtype="infected", virus="EICAR_TEST_FILE", and service="HTTPS", which confirms that the download was decrypted by deep inspection before being scanned.

Sample Logs:

date=2024-09-11 time=15:24:31 id=741340686493167105 itime="2024-09-11 15:24:34" euid=1036 epid=1039 dsteuid=3 dstepid=101 logver=702086407 type="utm" subtype="virus" level="warning" action="blocked" sessionid=28837 policyid=17 srcip=10.215.128.1 dstip=89.238.79.97 srcport=53940 dstport=443 proto=6 vrf=10 logid=0211008192 service="HTTPS" user="user@fortinet.com" unauthuser="fortinet" virus="EICAR_TEST_FILE" fctuid="D4A71A2FB3AC47FD8174C6C3EB164A69" eventtime=1726068271064660359 virusid=2172 crscore=50 craction=2 crlevel="critical" srcintfrole="undefined" dstintfrole="undefined" direction="incoming" analyticssubmit="false" quarskip="Quarantine-disabled" filename="eicarcom2.zip" ref="https://fortiguard.fortinet.com/encyclopedia/virus/2172" url="https://secure.eicar.org/eicarcom2.zip" profile="outbound-Test" unauthusersource="forticlient" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" dtype="av-engine" eventtype="infected" srcintf="ssl.root" dstintf="port4" msg="File is infected." tz="+0000" srcuuid="5d7c7efe-1e58-51ef-ff30-553a299b4c17" dstuuid="5d7bd012-1e58-51ef-681a-d5435b3a119c" viruscat="Virus" policytype="policy" srccountry="Reserved" dstcountry="Germany" poluuid="d02f7324-6f62-51ef-f178-4eb00ae5ad94" httpmethod="GET" referralurl="https://www.eicar.org/" devid="FGVMPGTM24006805" vd="root" dtime="2024-09-11 15:24:31" itime_t=1726068274 devname="Frankfurt_Germany"
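The following is an added example, not code from the article or from Fortinet: a small parser for the key=value log format above, with the checks an analyst would run over exported FortiSASE antivirus logs to confirm that the EICAR download was decrypted, detected and blocked. The log line embedded in the script is the sample from this article; the function and variable names are the example's own assumptions, and the parser assumes the quoted-value format shown here (values in double quotes may contain spaces but no escaped quotes).

```python
import re
from typing import Dict, List

# The sample antivirus log entry from this article (FortiSASE key=value format).
SAMPLE_LOG = (
    'date=2024-09-11 time=15:24:31 id=741340686493167105 itime="2024-09-11 15:24:34" '
    'euid=1036 epid=1039 dsteuid=3 dstepid=101 logver=702086407 type="utm" subtype="virus" '
    'level="warning" action="blocked" sessionid=28837 policyid=17 srcip=10.215.128.1 '
    'dstip=89.238.79.97 srcport=53940 dstport=443 proto=6 vrf=10 logid=0211008192 '
    'service="HTTPS" user="user@fortinet.com" unauthuser="fortinet" virus="EICAR_TEST_FILE" '
    'fctuid="D4A71A2FB3AC47FD8174C6C3EB164A69" eventtime=1726068271064660359 virusid=2172 '
    'crscore=50 craction=2 crlevel="critical" srcintfrole="undefined" dstintfrole="undefined" '
    'direction="incoming" analyticssubmit="false" quarskip="Quarantine-disabled" '
    'filename="eicarcom2.zip" ref="https://fortiguard.fortinet.com/encyclopedia/virus/2172" '
    'url="https://secure.eicar.org/eicarcom2.zip" profile="outbound-Test" '
    'unauthusersource="forticlient" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" dtype="av-engine" '
    'eventtype="infected" srcintf="ssl.root" dstintf="port4" msg="File is infected." tz="+0000" '
    'srcuuid="5d7c7efe-1e58-51ef-ff30-553a299b4c17" dstuuid="5d7bd012-1e58-51ef-681a-d5435b3a119c" '
    'viruscat="Virus" policytype="policy" srccountry="Reserved" dstcountry="Germany" '
    'poluuid="d02f7324-6f62-51ef-f178-4eb00ae5ad94" httpmethod="GET" '
    'referralurl="https://www.eicar.org/" devid="FGVMPGTM24006805" vd="root" '
    'dtime="2024-09-11 15:24:31" itime_t=1726068274 devname="Frankfurt_Germany"'
)

# key=value pairs; a value is either "quoted text" (spaces allowed) or a run of non-space characters.
# finditer scans left to right, so an '=' inside a quoted value (e.g. a URL query string) is never
# mistaken for a new key.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_fortilog(line: str) -> Dict[str, str]:
    """Parse one FortiSASE/FortiOS key=value log line into a dict of string fields."""
    record: Dict[str, str] = {}
    for match in _PAIR.finditer(line):
        key, quoted, bare = match.groups()
        record[key] = quoted if quoted is not None else bare
    return record


def is_av_block(rec: Dict[str, str]) -> bool:
    """True when the entry is an antivirus verdict that actually blocked an infected file."""
    return (
        rec.get("type") == "utm"
        and rec.get("subtype") == "virus"
        and rec.get("eventtype") == "infected"
        and rec.get("action") == "blocked"
    )


def was_decrypted_https(rec: Dict[str, str]) -> bool:
    """Evidence that deep inspection worked: the session was HTTPS, yet the engine saw the
    filename and URL inside the TLS stream. With certificate-only inspection these fields
    would not be populated for an HTTPS download."""
    return rec.get("service") == "HTTPS" and bool(rec.get("filename")) and bool(rec.get("url"))


def summarize(rec: Dict[str, str]) -> Dict[str, str]:
    """The handful of fields worth pulling into a ticket or a detection rule."""
    keys = ("user", "srcip", "virus", "virusid", "filename", "url", "profile", "dtype", "policyid", "devname")
    return {k: rec.get(k, "") for k in keys}


def find_eicar_blocks(lines: List[str]) -> List[Dict[str, str]]:
    """Filter exported log lines down to blocked EICAR detections (the expected test outcome)."""
    hits = []
    for line in lines:
        rec = parse_fortilog(line)
        if is_av_block(rec) and rec.get("virus") == "EICAR_TEST_FILE":
            hits.append(summarize(rec))
    return hits


if __name__ == "__main__":
    for hit in find_eicar_blocks([SAMPLE_LOG]):
        print(hit)
```

If `is_av_block` is true but `was_decrypted_https` is false for an HTTPS download, check that the profile's SSL inspection is set to deep inspection rather than certificate inspection; if no virus entry appears at all, the download most likely never reached the antivirus engine.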
