Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Block infected files?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on ‎10-05-2008 04:52 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Block infected files?
All,
I' m sure I' m missing something obvious here, but your help is genuinely appreciated. I am working with a Fortigate-50A, firmware 3.00-b0726(MR7).
In the Protection Profile I' ve set up, I am performing Virus Scan on HTTP traffic. One of my users recently was allowed to download an infected exe file despite the fact that the FortiGate identified it as infected. I would prefer not to block all exe files since both Microsoft and our desktop anti-virus vendor periodically distribute updates with an exe extension.
What am I missing? How can I tell the FortiGate 50A to block an infected file but allow clean files?
Once again, thanks for the help!
Chris
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
In the Protection Profile I' ve set up, I am performing Virus Scan on HTTP traffic. One of my users recently was allowed to download an infected exe file despite the fact that the FortiGate identified it as infected.could you post here the log message as printed by your FTG? " infected" really or ' suspicious' ?
What am I missing? How can I tell the FortiGate 50A to block an infected file but allow clean files?Maybe (until you provide more information) the protection profile was not applied to firewall policy that your user traffic matched, maybe another thing. could you post the out of CLI command " show firewall profile <name_profile_you' ve_configured>" ?
regards
/ Abel
regards
/ Abel
Not applicable
Created on ‎10-06-2008 07:07 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the log entry (technically it is the Alert message that is sent, but it should provide the same information).
Message meets Alert condition Virus/Worm detected: Suspicious Protocol: " http" Source IP: 192.168.XXX.XXX Destination IP: 216.240.134.208 Email Address From: " N/A" Email Address To: " N/A" http://www.fortinet.com/ve?vn=Suspicious 2008-10-06 21:04:47 device_id=FGT50A2906500337 log_id=0211060000 type=virus subtype=infected pri=notice vd=root policyid=1 serial=307353 user=" N/A" group=" N/A" src=192.168.XXX.XXX sport=49511 src_int=" internal" dst=216.240.134.208 dport=80 dst_int=" external" service=" http" status=passthrough file=" A9installer_77075603.exe" virus=" Suspicious" url=" http://onlineprivatescan.com/2009/download/trial/A9installer_77075603.exe" ref=" http://www.fortinet.com/ve?vn=Suspicious" msg=" File is infected."
Not applicable
Created on ‎10-06-2008 07:13 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And here is the profile:
config firewall profile edit " web" set httpoversizelimit 5 set ftpoversizelimit 5 set imapoversizelimit 5 set pop3oversizelimit 5 set smtpoversizelimit 5 set nntpoversizelimit 1 set log-ips enable set log-av-virus enable set log-av-block enable set log-web-content enable set log-web-url enable set ftp block scan splice set http block scan bannedword exemptword fortiguard-wf urlfilter set https urlfilter set imap block scan bannedword fragmail spamemailbwl spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl set pop3 block scan bannedword fragmail spamemailbwl spamfsip spamfssubmit spamfsurl spamhdrcheck spamipbwl spamraddrdns spamrbl set smtp scan fragmail spamfssubmit splice set pop3-spamtagtype subject set filepattable 1 set weburlfiltertable 1 set spammheadertable 1 set spamrbltable 1 set spamiptrusttable 1 set nntp no-content-summary set ips-sensor-status enable set ips-sensor " all_default" unset im set p2p enable set bittorrent block set edonkey block set gnutella block set kazaa block set winny block set ftgd-wf-options http-err-detail rate-image-urls strict-blocking set ftgd-wf-https-options strict-blocking set ftgd-wf-allow 83 g03 g04 g06 g07 g08 g21 g22 c01 c02 c03 c04 c05 c06 set ftgd-wf-deny 1 2 3 4 5 6 57 58 59 60 61 62 g02 g05 next end
Not applicable
Created on ‎10-06-2008 07:18 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Clearly the Alert message says " Suspicious." The final portion of the Alert, msg=" File is infected," is what led me to the conclusion that the file was infected. It is entirely possible that I' m simply ignorant, in which case I' m happy to learn! 
Any enlightenment provided is appreciated.
Any enlightenment provided is appreciated.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
' Suspicious' indicates just that.
The AV engine of your FTG has a basic ' heuristic' feature; it' s basic in fortigates (not in fortimails) because it reacts to any windows executable files printing that label.
If you follow the link http://www.fortinet.com/ve?vn=Suspicious you could get some info about that.
In brief, you cannot ensure that' s an infected file or not; you would analyze ' A9installer_77075603.exe' file thereafter with some another tool.
Heuristics is enabled by default in AV config, with the action ' pass' .
You can modify its settings with CLI:
" config antivirus heuristic"
set mode {pass|block|disable} are the options.
regards
/ Abel
regards
/ Abel
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, ' Suspicious' indicates just that. The AV engine of your FTG has a basic ' heuristic' feature; it' s basic in fortigates (not in fortimails) because it reacts to any windows executable files printing that label. If you follow the link http://www.fortinet.com/ve?vn=Suspicious you could get some info about that. In brief, you cannot ensure that' s an infected file or not; you would analyze ' A9installer_77075603.exe' file thereafter with some another tool. Heuristics is enabled by default in AV config, with the action ' pass' . You can modify its settings with CLI: " config antivirus heuristic" set mode {pass|block|disable} are the options.Ok, so what would you recommend? Let it on and simply give me alerts, or simply turn it off. What do you do when do you have this kind of alerts? Another question: I have installed yesterday a FG60B with MR5, and playing in CLI i saw that grayware scanning was not enabled.....in MR6 is enabled or do Ive to manually enable it?
The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
The most expensive and scarce resource for man is time, paradoxically,
it' s infinite.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, so what would you recommend? Let it on and simply give me alerts, or simply turn it off. What do you do when do you have this kind of alerts?It depends on your traffic type; if you work with many windows executables and you' ve an excess of false positives, that is more a annoyance than a benefit. BTW, MR7 comes with ' heuristics' disabled by default. Personally, until Fortigates ' heuristics' doesn' t came with some capabilities like the FortiMail heuristics, i' ll turning it off . I' ll rely on another layers to protect the customer networks from executables.
Another question: I have installed yesterday a FG60B with MR5, and playing in CLI i saw that grayware scanning was not enabled.....in MR6 is enabled or do Ive to manually enable it?Grayware scanning is enabled in a protection profile when virus scan is enabled. You have to enable the selected categories. In MR7 it comes disabled by default too.
regards
/ Abel
regards
/ Abel
Not applicable
Created on ‎10-08-2008 07:09 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the information!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We also had trouble with our firewall letting these A9installer...exe files passthrough. I had to make sure the file limit size was set high enough to catch them (10MB should do it) and the other reasons they can passthrough is if you have different protection profiles enabled on the policy or do not have the File Filter settings clicked on in the protection profile you are using. You can see what policy ID you are using and then see what protection profile you have enabled on that policy. You also have to be sure that you have a file filter pattern setup on the protection profile - these are initially defined under the Antivirus section. You could also setup a file pattern to block a9*.* which may help as well as the *.exe.
By the way you do want to block these - this is a nasty fake AV program that can be installed very easily since it generates popups that users may be tricked into clicking on and that is all it takes to download and install.
Labels
-
FortiGate
10,491 -
FortiClient
2,128 -
FortiManager
883 -
5.2
687 -
FortiAnalyzer
672 -
5.4
638 -
FortiSwitch
575 -
FortiAP
557 -
FortiClient EMS
551 -
6.0
416 -
IPsec
404 -
FortiMail
371 -
SSL-VPN
370 -
5.6
362 -
FortiNAC
277 -
6.2
251 -
FortiWeb
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
190 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
141 -
6.4
128 -
FortiGate-VM
124 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
72 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
66 -
Authentication
64 -
Certificate
61 -
RADIUS
58 -
LDAP
57 -
SSO
54 -
FortiSandbox
53 -
FortiLink
53 -
FortiExtender
51 -
NAT
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
42 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
FortiRecorder
11 -
Users
11 -
Port policy
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
Authentication rule and scheme
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2534 | |
| 1351 | |
| 795 | |
| 641 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.