Support Forum
heyadc123
New Contributor

AV Logs Passthrough

Greetings, I'm reviewing my AV logs and noticed some logs with the message "File infected" and a status of Passthrough. Does it mean that the file was allowed through the UTM even if the file is infected? Thanks
abelio
SuperUser

Hi, the AV log prints a lot of useful info; also, post the whole message so we can try to give you an accurate answer. E.g., AV features include, for example, the possibility of marking some files as 'virus' due to their extension, e.g. an .mp3 file; if you allow mp3 files and enable that AV feature, you can obtain a passthrough message.

regards / Abel
heyadc123
New Contributor

Here are two of the AV logs with passthrough status:

2008-10-09 21:29:13 log_id=0211060000 type=virus subtype=infected pri=notice vd=root policyid=4 serial=460689 user="N/A" group="N/A" src=10.8.20.2 sport=3386 src_int="internal1" dst=66.102.1.103 dport=80 dst_int="wan1" service="http" status=passthrough file="Google Updater.exe" virus="Suspicious" url="http://pack.google.com/dl/2.4.1368.5602/mui/GoogleUpdater.exe" ref="http://www.fortinet.com/ve?vn=Suspicious" msg="File is infected."

2008-10-07 20:27:20 log_id=0211060000 type=virus subtype=infected pri=notice vd=root policyid=4 serial=289773 user="N/A" group="N/A" src=10.8.20.2 sport=49184 src_int="internal1" dst=15.200.2.21 dport=80 dst_int="wan1" service="http" status=passthrough file="HpHPSUAxKB.exe" virus="Suspicious" url="http://ftp.hp.com/pub/softlib/software10/COL23367/mp-60652-2/HpHPSUAxKB.exe" ref="http://www.fortinet.com/ve?vn=Suspicious" msg="File is infected."

Thanks for your help
DC
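Added example, not from this thread or from Fortinet: a small Python parser for the key=value AV log format shown in these records that lists the hits which were delivered anyway (status=passthrough) and labels virus="Suspicious" as a heuristic verdict rather than a named signature. The sample records are constructed for the example; the first mirrors the post above, the other hosts, files and signature name are made up.

```python
import re

# key=value pairs; a value is a double-quoted string (may contain spaces, e.g.
# file="Google Updater.exe") or a run of non-blank characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_av_log(line: str) -> dict:
    """Parse one FortiGate AV log line ('<date> <time> key=value ...') into a dict."""
    parts = line.split(None, 2)
    if len(parts) < 3:
        raise ValueError("expected '<date> <time> key=value ...'")
    fields = {"date": parts[0], "time": parts[1]}
    for key, value in _KV_RE.findall(parts[2]):
        if value[:1] == '"' and value[-1:] == '"':
            value = value[1:-1]          # strip the quotes, keep inner spaces
        fields[key] = value
    return fields

def passthrough_events(lines: list) -> list:
    """Return AV hits whose file was delivered anyway (status=passthrough).
    virus="Suspicious" is the heuristic label (no signature match)."""
    events = []
    for line in lines:
        rec = parse_av_log(line)
        if rec.get("type") != "virus" or rec.get("status") != "passthrough":
            continue
        events.append({
            "when": f'{rec["date"]} {rec["time"]}',
            "client": rec.get("src", "?"),
            "file": rec.get("file", "?"),
            "virus": rec.get("virus", "?"),
            "kind": "heuristic" if rec.get("virus") == "Suspicious" else "signature",
        })
    return events

# Constructed sample records in the thread's format (first one mirrors the post;
# the other hosts, files and the signature name are made up).
SAMPLE_LOGS = [
    '2008-10-09 21:29:13 log_id=0211060000 type=virus pri=notice src=10.8.20.2 sport=3386 '
    'dst=66.102.1.103 dport=80 service="http" status=passthrough file="Google Updater.exe" '
    'virus="Suspicious" url="http://pack.google.com/dl/2.4.1368.5602/mui/GoogleUpdater.exe" msg="File is infected."',
    '2008-10-09 21:31:02 log_id=0211060000 type=virus pri=warning src=10.8.20.7 sport=3401 '
    'dst=192.0.2.10 dport=80 service="http" status=blocked file="setup.exe" '
    'virus="EICAR_TEST_FILE" url="http://example.invalid/setup.exe" msg="File is infected."',
    '2008-10-09 21:33:40 log_id=0211060000 type=virus pri=notice src=10.8.20.2 sport=3410 '
    'dst=192.0.2.20 dport=80 service="http" status=passthrough file="tool.exe" '
    'virus="EICAR_TEST_FILE" url="http://example.invalid/tool.exe" msg="File is infected."',
]
```

Running `passthrough_events(SAMPLE_LOGS)` returns the two delivered files; the blocked record is skipped.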
laf
New Contributor II

As abelio already posted:
Hello, 'Suspicious' indicates just that. The AV engine of your FTG has a basic 'heuristic' feature; it's basic in FortiGates (not in FortiMails) because it reacts to any Windows executable file, printing that label. If you follow the link http://www.fortinet.com/ve?vn=Suspicious you could get some info about that. In brief, you cannot be sure whether it's an infected file or not; you would analyze the 'A9installer_77075603.exe' file afterwards with some other tool. Heuristics is enabled by default in the AV config, with the action 'pass'. You can modify its settings with the CLI: "config antivirus heuristic", then "set mode {pass|block|disable}" are the options.
So you'll have to check it using an AV solution on that station and see the results ;).

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
heyadc123
New Contributor

Thanks
Not applicable

Usually, using only the FortiGate for AV is not enough. It's better for you to use the FortiGate AV as level 1, then use desktop AV software as level 2 to protect you from viruses.
iFortify
New Contributor

What to do if your FortiGate unit does not detect a virus in an infected file: http://kc.forticare.com/default.asp?id=3843&SID=&Lang=1 It is 'best practice' to use a multilayered approach to protect your network. The FortiGate operates in a 'best effort' mode based on current AV signatures. It is not meant to replace desktop AV solutions but rather to offload the desktop-layer antivirus solution. If the FortiGate does not detect a virus, then your desktop layer might catch it. This is important as the FortiGate might 'miss' the virus if it is passed through 'encrypted' traffic (TLS, SSL, HTTPS, etc.).
Not applicable

The infected file is found by the heuristics engine; you can set the heuristics engine to block suspicious content files. By default it is passed.
mauirixxx
New Contributor

The FortiGate AV does a pretty good job of keeping viruses out. We still use a dedicated AV solution on each desktop / server, mainly to protect us from business clients and their possibly infected laptops.
Rick Payton, IT Support Morikawa & Associates http://www.mai-hawaii.com/ FortiGate-60 build 726 (retired) FortiGate-60B v4.0 build 328 MR2 Patch 8 FortiAnalyzer-100B v4.0 build 513 MR3