Support Forum
pratik_patel
New Contributor

Antivirus Filter does not seem to be working

Hi,

I have attached an Antivirus filter to the policy and am trying to test whether the filter is applied correctly by downloading the http://www.eicar.org/download/eicar_com.zip file, but it looks like the file is getting downloaded without any issue. Below is the sample configuration. I tried both proxy- and flow-based configurations but no luck. I am using FG version 5.2.1. Please advise what the issue could be. I remember it was working with 5.0.x with the same configuration.

config antivirus profile
edit "DEFAULT"
       set comment "DEFAULT"
       set inspection-mode proxy
       set scan-botnet-connections disable
       config http
            set options scan
       end
       config ftp
              set options scan
       end
       config imap
              set options scan
       end
       config pop3
              set options scan
       end
       config smtp
              set options scan
       end
       config mapi
              set options scan
       end
       next
end

Christopher_McMullan

What proxy options profile are you using on the policy? And is it matching the right policy? Maybe we could create a test rule restricted to the one host as a source.

Regards, Chris McMullan Fortinet Ottawa

pratik_patel

Hi Chris,

I configured AV with both proxy/flow-based inspection mode. I could see that the right policy is matching and corresponding traffic logs are also generated.

Thanks,

Pratik

Christopher McMullan_FTNT wrote:

What proxy options profile are you using on the policy? And is it matching the right policy? Maybe we could create a test rule restricted to the one host as a source.

ede_pfau
Esteemed Contributor III

You should see the replacement page if downloading the eicar file via HTTP (*.txt, *.com, *.zip). But, by default HTTPS AV scanning is not enabled. So if you download from the lower row (using HTTPS) then only your OS based antivirus software will alert you (you do have local AV software, don't you?).


Ede

"Kernel panic: Aiee, killing interrupt handler!"
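An added check, not from the thread, that classifies what comes back when the EICAR zip is fetched through an inline scanner such as the proxy-mode HTTP scan discussed here: the 184-byte length and the single entry name come from the wget output posted in the thread, the sample responses are constructed, and the real EICAR string is not embedded.

```python
import io
import zipfile
from urllib.request import urlopen

EICAR_ZIP_LEN = 184          # Content-Length wget reported for eicar_com.zip
EICAR_ENTRY = "eicar.com"    # the single member of the standard test zip


def classify(status, content_type, body):
    """Return 'blocked', 'passed' or 'altered' for one download attempt."""
    head = body[:4096].decode("latin-1").lower()
    # An inline scanner that intercepted the transfer answers with its
    # replacement page: a non-200 status, or HTML where a zip was expected.
    if status != 200 or "text/html" in content_type.lower() or "<html" in head:
        return "blocked"
    # The untouched file is a small, well-formed zip holding only the test entry.
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            if zf.namelist() == [EICAR_ENTRY] and len(body) == EICAR_ZIP_LEN:
                return "passed"      # the 'Not.Scanned' outcome from the thread
    except zipfile.BadZipFile:
        pass
    return "altered"                 # truncated, padded or rewritten in transit


def fetch_and_classify(url):
    """Live check against a gateway (not exercised offline)."""
    with urlopen(url) as resp:
        return classify(resp.status, resp.headers.get("Content-Type", ""), resp.read())


def make_zip(name, payload):
    """Constructed stand-in zip; the real EICAR string is deliberately not used."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample responses: a 68-byte placeholder member stored uncompressed
# yields the same 184-byte zip size wget showed, plus a block page and a cut-off.
INTACT = make_zip(EICAR_ENTRY, b"X" * 68)
BLOCK_PAGE = b"<html><body>Blocked: virus detected (constructed sample)</body></html>"
TRUNCATED = INTACT[:100]

if __name__ == "__main__":
    for label, (st, ct, body) in {"intact": (200, "application/octet-stream", INTACT),
                                  "block page": (200, "text/html", BLOCK_PAGE),
                                  "truncated": (200, "application/octet-stream", TRUNCATED)}.items():
        print(f"{label:11s} -> {classify(st, ct, body)}")
```

Run `fetch_and_classify` from the same source host the policy is meant to match; a result of "passed" on a plain-HTTP fetch means the proxy never rewrote the transfer, which is the symptom reported above.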
pratik_patel

Hi Ede,

I am downloading the file using wget and here is the output below. It uses the HTTP protocol and not HTTPS to download the file. I confirmed it by monitoring the traffic in Wireshark as well.

wget --bind-address=10.51.4.1 wget http://www.eicar.org/download/eicar_com.zip
--2015-01-16 07:37:28--  http://www.eicar.org/download/eicar_com.zip
Resolving www.eicar.org... 188.40.238.250
Connecting to www.eicar.org|188.40.238.250|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 184 [application/octet-stream]
Saving to: “eicar_com.zip.20”

100%[=======================================================================================================================================================================================>] 184 --.-K/s in 0s

2015-01-16 07:37:28 (11.4 MB/s) - “eicar_com.zip.20” saved [184/184]

FINISHED --2015-01-16 07:37:28-- Downloaded: 1 files, 184 in 0s (11.4 MB/s)

ede_pfau wrote:

You should see the replacement page if downloading the eicar file via HTTP (*.txt, *.com, *.zip). But, by default HTTPS AV scanning is not enabled. So if you download from the lower row (using HTTPS) then only your OS based antivirus software will alert you (you do have local AV software, don't you?).

Warren_Olson_FTNT

Is it possible you haven't assigned the AV profile to the firewall policy, or better yet the traffic doesn't match that profile? Looking for simple answers since this is a very basic test...if you want to attach your policy for review please do.

pratik_patel

Hi,

I can confirm that I have attached the AV profile to the firewall policy and that the same firewall policy is hit. I could also see the generated traffic logs in the database. Below is the configuration for the antivirus profile, and attached is the traffic log information in CSV format.

fw01 (root) # show antivirus profile DEFAULT
config antivirus profile
    edit "DEFAULT"
        set comment "DEFAULT"
        set inspection-mode proxy
        set scan-botnet-connections disable
            config http
                set options scan
            end
            config ftp
                set options scan
            end
            config imap
                set options scan
            end
            config pop3
                set options scan
            end
            config smtp
                set options scan
            end
            config mapi
                set options scan
            end
    next
end

Warren_Olson_FTNT wrote:

Is it possible you haven't assigned the AV profile to the firewall policy, or better yet the traffic doesn't match that profile? Looking for simple answers since this is a very basic test...if you want to attach your policy for review please do.

Christopher_McMullan

The log shows that the FGT recognized that the packet was "Not.Scanned".

Could you post the proxy options profile in place on the policy as well, and indicate if the policy also has a webfilter profile?

If the webfilter profile has a URL filter, I'm wondering if the list contains any exemptions.

show firewall policy x

show firewall profile-protocol-options default //--or the appropriate name here, in place of 'default'

Regards, Chris McMullan Fortinet Ottawa

pratik_patel

Yes, I could see that the packet is not scanned.

Policy has webfilter configured with blocked porn/security threat categories. URL and content filters are not configured.

Christopher McMullan_FTNT wrote:

The log shows that the FGT recognized that the packet was "Not.Scanned".

Could you post the proxy options profile in place on the policy as well, and indicate if the policy also has a webfilter profile?

If the webfilter profile has a URL filter, I'm wondering if the list contains any exemptions.

show firewall policy x

show firewall profile-protocol-options default //--or the appropriate name here, in place of 'default'

PaulM1114
New Contributor III

Did you check the file size compared to the configured oversized threshold size?
