Hi, I have attached an Antivirus filter to the policy and am trying to test whether the filter is applied correctly by downloading the http://www.eicar.org/download/eicar_com.zip file, but it looks like the file is getting downloaded without any issue. Below is the sample configuration. I tried both proxy and flow based configurations, but no luck. I am using FG version 5.2.1. Please advise what the issue could be. I remember it was working with 5.0.x with the same configuration.
config antivirus profile
    edit "DEFAULT"
        set comment "DEFAULT"
        set inspection-mode proxy
        set scan-botnet-connections disable
        config http
            set options scan
        end
        config ftp
            set options scan
        end
        config imap
            set options scan
        end
        config pop3
            set options scan
        end
        config smtp
            set options scan
        end
        config mapi
            set options scan
        end
    next
end
Doesn't catch it on mine either... this is bad. Firefox and IE stop it, but FG doesn't?
The forums seem like they aren't monitored by Fortinet. I'll open a case and report back. I'd be interested to know if anyone else has observed this behavior? If others see the same issue it will give more urgency for the solution.
Found this. Doesn't make sense why it's under IPS. If you can test and respond with results that would be helpful. My browser timed out and nothing in any of the logs when I tested.
I haven't tested the eicar file myself with 5.2 but I never had any problems using it to confirm my AV settings with 5.0. Can you show the configuration for your firewall policy where you have the AV profile enabled? Be sure to confirm in the logs that the traffic is using the policy you expect it to!
I tested this on my FortiGate 100D running 5.2.2 and the file was blocked using the default AV profile. Are you sure you've applied the profile to the correct security policy?
Technical Writer, FortiOS
Let me know if there's anything you want to see added to the FortiGate Cookbook.
Hi,
I have found that the AV is not working on my FG200D in HA Active-Active mode. Even though I can see the count on the 2 devices showing the detected virus in the HA config page, I tested it and the attachment in the mail, which is infected with W32/Upatre.A!tr.dldr, can still pass through my FG box to the email client. Below are the findings:
1/ Upload that attachment to Fortiguard website for scanning, it can detect W32/Upatre.A!tr.dldr
2/ Found the corresponding entries in AV log, it's saying that the zip file is infected, but the attachment is still with the mail!
What I don't understand is, the firewall seems to be able to "detect" the virus, and it even says that it would be "deleted", but why is the attachment still there? And I would like to ask, where do I find the option to quarantine the infected files? Thanks!!
Ben.
vmartin wrote: I tested this on my FortiGate 100D running 5.2.2 and the file was blocked using the default AV profile. Are you sure you've applied the profile to the correct security policy?
I know this post is old, but FYI I had this problem for hours last night. I enabled AV, Web Filter, DNS, and IPS on our 60E and just could not get it to work. I finally got it to work only after rebooting the firewall. OS version 5.6. Hope this helps someone else.
Hi
Yes, it is an old post. I have the same problem too. My OS version is 5.6 on a 90D. Even though I enabled DLP and added a filter blocking all services, all zips, exes, bats and rars, I can still download the eicar.zip file. But I do not want to be able to download this.
Please help me.