pratik_patel
New Contributor

Antivirus Filter does not seem to be working

Hi, I have attached an Antivirus filter to the policy and am trying to test whether the filter is applied correctly by downloading the http://www.eicar.org/download/eicar_com.zip file, but it looks like the file is downloaded without any issue. Below is the sample configuration. I tried both proxy-based and flow-based configurations, but no luck. I am using FG version 5.2.1. Please advise what the issue could be. I remember it was working with 5.0.x with the same configuration.

config antivirus profile
    edit "DEFAULT"
        set comment "DEFAULT"
        set inspection-mode proxy
        set scan-botnet-connections disable
        config http
            set options scan
        end
        config ftp
            set options scan
        end
        config imap
            set options scan
        end
        config pop3
            set options scan
        end
        config smtp
            set options scan
        end
        config mapi
            set options scan
        end
    next
end

Huey
New Contributor III

Doesn't catch it on mine either. This is bad. Firefox and IE stop it but FG doesn't?

Layer8 Consulting http://www.L8C.com
Huey
New Contributor III

The forums seem like they aren't monitored by Fortinet. I'll open a case and report back. I'd be interested to know if anyone else has observed this behavior. If others see the same issue it will give more urgency to the solution.

Layer8 Consulting http://www.L8C.com
Huey
New Contributor III

Found this. It doesn't make sense why it's under IPS. If you can test and respond with results, that would be helpful. My browser timed out and there was nothing in any of the logs when I tested.


http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/ips_chapter.152.39.... 

Layer8 Consulting http://www.L8C.com
FortiAdam
Contributor II

I haven't tested the eicar file myself with 5.2, but I never had any problems using it to confirm my AV settings with 5.0. Can you show the configuration for your firewall policy where you have the AV profile enabled? Be sure to confirm in the logs that the traffic is using the policy you expect it to!

vmartin_FTNT
Staff

I tested this on my FortiGate 100D running 5.2.2 and the file was blocked using the default AV profile. Are you sure you've applied the profile to the correct security policy?

Technical Writer, FortiOS

Let me know if there's anything you want to see added to the FortiGate Cookbook.
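The two checks the replies above ask for, as an added example that is not from the thread or from Fortinet: first, decide from the HTTP response body whether the EICAR file actually arrived intact (rather than a replacement page or an empty body), handling both the raw eicar.com and the eicar_com.zip download; second, parse FortiGate-style key=value traffic log lines and report which policy ID the test traffic matched and what the UTM action was. The EICAR string is the published test string from eicar.org; the log field names (type, subtype, dstip, policyid, utmaction) follow the FortiOS traffic-log convention as I know it, and the sample log lines are constructed for this example. Function names are my own.

```python
"""Offline helpers for verifying a FortiGate AV test with the EICAR file.

Added example for this thread; not code from Fortinet or the forum posters.
"""
import io
import re
import zipfile

# The EICAR test string, split in two so a host AV does not quarantine this
# script itself. Published constant from eicar.org, 68 bytes when joined.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def make_eicar_zip() -> bytes:
    """Build an in-memory equivalent of eicar_com.zip (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("eicar.com", EICAR)
    return buf.getvalue()


def _payload(body: bytes) -> bytes:
    """Return the scannable content of a response body.

    eicar_com.zip wraps eicar.com in a zip archive; unpack the first member so
    the same check works for the raw and the zipped download.
    """
    if body[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            names = zf.namelist()
            return zf.read(names[0]) if names else b""
    return body


def classify_download(body: bytes) -> str:
    """'passed' if the EICAR file came through unchanged (AV did not act),
    'blocked' for anything else (block page, truncated or empty body).

    The EICAR spec permits trailing whitespace, so strip it before comparing.
    """
    data = _payload(body).rstrip(b" \t\r\n")
    return "passed" if data == EICAR.encode("ascii") else "blocked"


# --- traffic-log side: confirm which policy the test traffic actually hit ---

# key=value pairs, with values either double-quoted or bare (no spaces)
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fgt_log(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict (quotes removed)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def policies_for_dst(lines, dstip: str) -> dict:
    """Map policyid -> UTM action for forward-traffic records to dstip.

    Falls back to the plain 'action' field when no utmaction is logged.
    Use this to check that the EICAR download matched the policy that carries
    the AV profile, not an earlier policy without it.
    """
    hits = {}
    for line in lines:
        rec = parse_fgt_log(line)
        if (rec.get("type") == "traffic" and rec.get("subtype") == "forward"
                and rec.get("dstip") == dstip and "policyid" in rec):
            hits[int(rec["policyid"])] = rec.get("utmaction", rec.get("action"))
    return hits


# Constructed sample log lines (documentation IP ranges); not real device output.
SAMPLE_LOG = [
    'date=2015-01-20 time=10:15:02 devname="FGT60D-1" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" srcip=192.0.2.10 '
    'srcport=51234 dstip=198.51.100.5 dstport=80 proto=6 action="accept" '
    'policyid=7 service="HTTP" sentbyte=612 rcvdbyte=1344 utmaction="allow"',
    'date=2015-01-20 time=10:16:44 devname="FGT60D-1" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" srcip=192.0.2.11 '
    'srcport=51300 dstip=198.51.100.5 dstport=80 proto=6 action="accept" '
    'policyid=3 service="HTTP" sentbyte=598 rcvdbyte=2020 utmaction="block"',
    'date=2015-01-20 time=10:17:01 devname="FGT60D-1" logid="0000000020" '
    'type="traffic" subtype="local" level="notice" srcip=192.0.2.10 '
    'dstip=192.0.2.1 dstport=443 proto=6 action="accept" policyid=0',
]


if __name__ == "__main__":
    # A download that returned the untouched zip means AV never acted on it.
    print("zip download:", classify_download(make_eicar_zip()))
    print("block page  :", classify_download(b"<html>Blocked by FortiGate</html>"))
    # Which policies carried traffic to the EICAR host, and what UTM did.
    print("policies    :", policies_for_dst(SAMPLE_LOG, "198.51.100.5"))
```

Run the EICAR download through the FortiGate with a plain HTTP client and feed the response body to classify_download; if it reports "passed", export the traffic log for that session and check with policies_for_dst that the policy ID is the one the AV profile is attached to. In the constructed sample, host 198.51.100.5 was reached through both policy 7 (UTM allowed) and policy 3 (UTM blocked), which is exactly the "wrong policy matched first" situation the replies suggest checking for.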

wcbenyip

Hi,

 

I have found that the AV is not working on my FG200D in HA Active-Active mode. Even though I can see the number of detected viruses for the two devices on the HA config page, I have tested that an email attachment infected with W32/Upatre.A!tr.dldr can still pass through my FG box to the email client. Below are the findings:

1/ Uploading that attachment to the FortiGuard website for scanning, it detects W32/Upatre.A!tr.dldr

2/ Found the corresponding entries in the AV log, saying that the zip file is infected, but the attachment is still in the mail!

What I don't understand is: the firewall seems able to "detect" the virus, and even says it would be "deleted", so why is the attachment still there? And I would like to ask, where do I find the option to quarantine infected files? Thanks!!

Ben.


vmartin wrote:

I tested this on my FortiGate 100D running 5.2.2 and the file was blocked using the default AV profile. Are you sure you've applied the profile to the correct security policy?

Protect yourself~ http://www.secunia.com MBCS CEH FCNSA
mission_c

I know this post is old, but FYI I had this problem for hours last night. I enabled AV, Web Filter, DNS, and IPS on our 60E and just could not get it to work. I finally got it to work only after rebooting the firewall. OS version 5.6. Hope this helps someone else.

BARLAY

Hi

Yes, it is an old post. I have the same problem too. My OS version is 5.6 on a 90D. Even though I enabled DLP and added a filter blocking all services, all zips, exes, bats and rars, I can download the eicar.zip file. But I do not want to download this.

Please help me.
