I set up SSL deep inspection and am now able to find viruses in https links too, but while testing this with TekDefense.com (http://www.tekdefense.com/downloads/malware-samples/)
some files are recognized but some are not. For instance:
This one is recognized and blocked:
http://www.tekdefense.com/downloads/malware-samples/malz4.zip
but these are downloaded and not blocked:
http://www.tekdefense.com/downloads/malware-samples/malz5.zip
http://www.tekdefense.com/downloads/malware-samples/yitaly.exe.zip
I'm using the firewall in proxy mode (it provides Internet to users via the web proxy), and the main policy rule that provides Internet access is proxy-based.
Would you please give me hints about the root cause? Size of the file? Type of virus? Type of file, or something else?
Regards,
Mohammad
Hi,
Please take a look at the “archive-block” “encrypted” option for each specific protocol under the av profile.
Regards,
Alexis
Hi Mohammad,
If you suspect that files are not detected as viruses when they should be, please report them using the link https://www.fortiguard.com/faq/onlinescanner
Regards,
Hi,
Thanks. I downloaded the file mal5.zip from the link above and tested it with 3 AV solutions, which detected most of them as viruses, whereas the FortiGate allowed the password-protected file to be downloaded.
Anyway, I need these:
Do not allow password-protected files (ZIP, RAR, TAR, ...) to be downloaded at all.
Make sure all files of all sizes are scanned, and if there is any such setting on the FortiGate unit, where is it?
BTW, if I change the extension of a password-protected zip file or an exe file to something like JPG, is the FortiGate still able to detect the real format and do its AV scan job?
Regards,
Hi again,
Is there no policy or way to do this, at least?
Do not allow password-protected files (ZIP, RAR, TAR, ...) to be downloaded at all.
How may I know which types are treated as archives? I wonder whether tar is in the list or not.
Secondly, does FortiOS detect files by their extensions or by their real content? What happens if I change the extension of a zip file to jpg and try to pass it through and fool the device?
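The two questions in the thread (extension versus real content, and what counts as a password-protected archive) come down to two checks a gateway performs on the bytes themselves. The script below is an added example, not code from this thread or from Fortinet, and it says nothing about how FortiOS is implemented. It identifies a file by its magic bytes while ignoring the name, walks a ZIP's local file headers to find the encryption bit that marks a password-protected entry, and reports when the extension lies. All sample files are constructed inline; the `classify()` helper and its verdict strings are this example's own. Note that plain tar has no encryption in its format at all, so there is nothing for an "encrypted archive" check to match on a .tar; only the compressed wrappers (zip, rar, 7z) carry such a flag.

```python
"""Content-based file typing plus encrypted-ZIP detection (added example).

Not from the forum thread or from Fortinet. Shows what a gateway must do
to classify a download by content: sniff magic bytes, parse ZIP headers
for the encryption flag, and flag extension mismatches. Samples are
constructed below; classify() and its verdicts are this example's own.
"""
import io
import struct
import tarfile
import zipfile

# Leading magic bytes; the file name plays no part in the decision.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
    b"MZ": "pe-exe",
    b"\xff\xd8\xff": "jpeg",
}
# What a given extension claims the content should be.
EXPECTED_TYPE = {"zip": "zip", "rar": "rar", "gz": "gzip", "tgz": "gzip",
                 "exe": "pe-exe", "jpg": "jpeg", "jpeg": "jpeg", "tar": "tar"}


def sniff_type(data: bytes) -> str:
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    # ustar/GNU tar keep their magic at offset 257, not at the start.
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    return "unknown"


def zip_entries(data: bytes):
    """Yield (name, encrypted) per local file header; bit 0 of the
    general-purpose flag word marks a password-protected entry."""
    pos = 0
    while data[pos:pos + 4] == b"PK\x03\x04":
        (_ver, flags, _method, _time, _date, _crc, csize, _usize,
         nlen, xlen) = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        yield name, bool(flags & 0x0001)
        if flags & 0x0008:  # sizes deferred to a data descriptor: resync
            pos = data.find(b"PK\x03\x04", pos + 30 + nlen + xlen)
            if pos < 0:
                break
        else:
            pos += 30 + nlen + xlen + csize


def classify(filename: str, data: bytes) -> dict:
    """Decide from content only; additionally report whether the extension lied."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_type(data)
    encrypted = kind == "zip" and any(enc for _n, enc in zip_entries(data))
    return {
        "name": filename,
        "type": kind,
        "mismatch": ext in EXPECTED_TYPE and EXPECTED_TYPE[ext] != kind,
        "encrypted": encrypted,
        "verdict": "block: encrypted archive" if encrypted else "scan",
    }


# --- constructed sample files ---------------------------------------------
def make_zip(entries, encrypted=False) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set the encryption bit in every local header (flags at offset 6)
        # and central-directory header (flags at offset 8). The payload is
        # not really encrypted; only the headers claim it, which is exactly
        # what a header-level check sees on a real password-protected ZIP.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos >= 0:
                data[pos + off] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


def make_tar(entries) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in entries:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("plain.zip", make_zip([("readme.txt", b"hello")])),
        ("protected.zip", make_zip([("payload.bin", b"hello")], encrypted=True)),
        ("holiday.jpg", make_zip([("payload.bin", b"hello")], encrypted=True)),
        ("notes.jpg", b"MZ" + b"\x90" * 64),   # PE stub renamed to .jpg
        ("backup.tar", make_tar([("f.txt", b"hello")])),
    ]
    for name, blob in samples:
        print(classify(name, blob))
```

Renaming `protected.zip` to `holiday.jpg` changes nothing in the result: the type is still `zip`, the encrypted flag is still found, and `mismatch` is set. That is the behaviour to expect from any content-aware scanner; only a scanner that trusts the extension or the Content-Type header can be fooled this way.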