Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Saqib_Zafar
New Contributor

FortiMail Threat mitigation steps.

Hello Everyone, I am concerned about how actually fortimail works means how using what deep inside architecture methods or steps a fortimail looks for a Spam or virus. I am well known about how it will capture a spam using Fortiguard options but i if a threat or virus comes in an e-mail how will fortimail recognise that it is a virus or something like that??? I know it will use some heuristic feature and Forged IP and baeysian filtering and so on but what is the basic architecture of a fortimail packet capturing. I have to present Fortimail in comparison with other products so rather than defining features i would like to know the key to how a fortimail scans a packet using what algorithms and methods. Because these features are in Mcafee, Proof Point and so on but tell me some points about how good Fortimail scans using what algo against other products. I will be thankfull to all of you who will answer me.
20 REPLIES 20
Carl_Windsor_FTNT

ORIGINAL: Saqib Zafar [snip] but i if a threat or virus comes in an e-mail how will fortimail recognise that it is a virus or something like that??? I know it will use some heuristic feature and Forged IP and baeysian filtering and so on but what is the basic architecture of a fortimail packet capturing. I have to present Fortimail in comparison with other products so rather than defining features i would like to know the key to how a fortimail scans a packet using what algorithms and methods. Because these features are in Mcafee, Proof Point and so on but tell me some points about how good Fortimail scans using what algo against other products.
For malware detection, there are multiple layers of protection: • The first line of defence is our FortiGuard IP Reputation DB. We know if we have seen spam/malware sent from specific sources recently so can block connections early in the process. • If the mail is accepted and not detected as spam, we will run the file through our AV Engine. This is based on AV Signatures which detect and block known malware and most of its variants (sometimes unknown). It is highly accurate with few false positives. This signature approach is backed by a sophisticated antivirus engine that can detect polymorphic malware. In fact, the signatures are quite intelligent. For example, one single signature can detect over 50,000 polymorphic viruses in some scenarios. • Optional Greyware scanning which detects files which may have a legitimate use but are commonly misused (Remote Access tools etc) • For unknown malware, the next level is the Realtime sandbox malware analysis. This method emulates execution and detects and blocks malware based on a scoring system of known malicious behaviours or characteristics. This detects malware that doesn' t match a signature, but behaves similarly to known malware. Can be used to block or to flag suspicious files for further analysis. • Anything which is flagged suspicious can optionally be sent to a FortiSandbox Advanced Threat Detection Appliance http://www.fortinet.com/products/fortisandbox/ for further processing (FML 5.1 upward). Whilst this is happening, the email can be queued (FML 5.2 upwards). The FortiSandbox will open the file in a virtual OS environment, execute and monitor for malicious behaviour. The threat level is communicated back to the FortiMail which makes the decision whether to release or quarantine the mail In addition to these direct embedded malware methods, there are other methods which protect against linking to known malware including URL Filtering to block redirection to phishing, malware, adult, illegal content sites etc. I have kept the response specific to malware, however some of the methods you mention Forged IP, Baeysian etc are more related to anti-spam (however every AS method helps mitigate malware risk). If you require more information, let me know.

Dr. Carl Windsor Field Chief Technology Officer Fortinet

Osama_Shatnawi
New Contributor

basically AV engine will do the inspection for the email content if it is enabled. it is based on the signatures and it will help in virus detection.

Osama

Osama
emnoc
Esteemed Contributor III

• Optional Greyware scanning which detects files which may have a legitimate use but are commonly misused (Remote Access tools etc)
Carl can you expand on greyware scanning and where is that enable configured at AS or AV profiles? btw, A great response.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Carl_Windsor_FTNT

Greyware scanning is configured under the AV Profile

Dr. Carl Windsor Field Chief Technology Officer Fortinet

emnoc
Esteemed Contributor III

Okay thanks I found it. Now if any action that' s taken against greyware, what will show in the logs as what ? fwiw; I didn' t find anything to helpful for 5.1 help about greyware scanning & we get very little AV detect in our emails so I never seen any logs entries that shows grewyare detection. Thanks

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Carl_Windsor_FTNT

I am in the process of documenting a lot of this for a white paper on the various threat mitigation techniques and best practice config. Will let you know once complete.

Dr. Carl Windsor Field Chief Technology Officer Fortinet

Jeff_Roback

Hi, Carl, have you been able to complete the white paper yet? If not would you be able to share what you' ve got so far? We' re just gettings started with fortimail and any best practice tips you could share would be much appreciated. Thanks!

Jeff Roback

Jeff Roback
Carl_Windsor_FTNT

ORIGINAL: Jeff Roback Hi, Carl, have you been able to complete the white paper yet?
Not yet. I am just completing the 5.2 release process (which incidentally adds a whole new range of threat mitigation techniques) and will get back on the case. I have just finished a new White Paper on FML Threat Mitigation using the new integration with FortiSandbox. This will be posted on the Whitepapers site later today.

Dr. Carl Windsor Field Chief Technology Officer Fortinet

Jeff_Roback

Hi there, were you ever able to get this document together? 

 

Thanks! Jeff

 

Jeff Roback

Jeff Roback
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors