Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mhdganji
Contributor II

AntiVirus behaviour against different files

I set up SSL deep inspection and now am able to find viruses in HTTPS links too, but while testing this with TekDefense.com (http://www.tekdefense.com/downloads/malware-samples/)

some files are recognized but some are not. For instance:

This one is recognized and blocked

http://www.tekdefense.com/downloads/malware-samples/malz4.zip

but these are downloaded and not blocked

http://www.tekdefense.com/downloads/malware-samples/malz5.zip

http://www.tekdefense.com/downloads/malware-samples/yitaly.exe.zip

I'm using the firewall in proxy mode (it provides Internet to users via web proxy), and the main policy rule that provides Internet is proxy-based.

Would you please give me some hints on what the root cause is? The size of the file? The types of viruses? The type of files, or something else?

Regards,

Mohammad

M. Ganji, Network & Security Expert.
1 Solution
alizardo

Hi,

Please take a look at the “archive-block” “encrypted” option for each specific protocol under the av profile.

Regards,

Alexis

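As an added, illustrative CLI fragment (it is not from Alexis's post and not copied from Fortinet documentation), this shows where the archive-block option lives in a FortiOS antivirus profile and that it is set per protocol. The profile name "deep-inspect-av" is assumed, and option names differ between FortiOS releases, so confirm them on your own firmware with `?` at the CLI prompt before applying:

```fortios
config antivirus profile
    edit "deep-inspect-av"
        # HTTP is where the test downloads in this thread arrive.
        config http
            set archive-block encrypted
            set archive-log encrypted
        end
        # The same option exists separately for each proxied protocol;
        # setting it only under http leaves the others unchanged.
        config ftp
            set archive-block encrypted
            set archive-log encrypted
        end
        config smtp
            set archive-block encrypted
            set archive-log encrypted
        end
        config pop3
            set archive-block encrypted
            set archive-log encrypted
        end
        config imap
            set archive-block encrypted
            set archive-log encrypted
        end
    next
end
```

The profile only takes effect once it is referenced from the proxy-based firewall policy (`set av-profile "deep-inspect-av"` together with `set utm-status enable` under `config firewall policy`), and scanning itself must be enabled for each protocol, the name of that per-protocol scan option being one of the things that changes between releases. `archive-log encrypted` is included so that each blocked password-protected archive produces an antivirus log entry, which is the quickest way to confirm the setting is working against the sample URLs in the question. Note that archive-block only applies to container formats the engine recognizes as archives; the thread does not say which formats those are.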
5 REPLIES
vponmuniraj
Staff

Hi Mohammad,

If you suspect that files are not detected as viruses when they should be, please report them using the link https://www.fortiguard.com/faq/onlinescanner


Regards,

Vignesh
mhdganji

Hi,

Thanks, I downloaded the file mal5.zip from the link above and tested it with 3 AV solutions, which detected most of them as viruses, whereas the FortiGate allowed the password-protected file to be downloaded.

Anyway, I need these:

Do not allow password-protected files (ZIP, RAR, TAR, ...) to be downloaded at all.

Make sure all files of all sizes are scanned, and if there is any setting for this on the FortiGate unit, where is it?

BTW, if I change the extension of a password-protected zip file or an exe file to something like JPG, is the FortiGate still able to detect the real format and do its AV scan job?

Regards,

M. Ganji, Network & Security Expert.
mhdganji

Hi again,

Isn't there any policy or way to do this, at least?

Do not allow password-protected files (ZIP, RAR, TAR, ...) to be downloaded at all.

M. Ganji, Network & Security Expert.
mhdganji

How may I know which types are treated as archives? I wonder whether tar is in the list or not.

Secondly, does FortiOS detect files using their extensions or their real content? What happens if I change the extension of a zip file to jpg and try to pass it through and fool the device?

M. Ganji, Network & Security Expert.