Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDLP
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: FortiMail Threat mitigation steps.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiMail Threat mitigation steps.
Hello Everyone,
I am concerned about how actually fortimail works means how using what deep inside architecture methods or steps a fortimail looks for a Spam or virus.
I am well known about how it will capture a spam using Fortiguard options but i if a threat or virus comes in an e-mail how will fortimail recognise that it is a virus or something like that??? I know it will use some heuristic feature and Forged IP and baeysian filtering and so on but what is the basic architecture of a fortimail packet capturing.
I have to present Fortimail in comparison with other products so rather than defining features i would like to know the key to how a fortimail scans a packet using what algorithms and methods. Because these features are in Mcafee, Proof Point and so on but tell me some points about how good Fortimail scans using what algo against other products.
I will be thankfull to all of you who will answer me.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
20 REPLIES 20
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: Saqib Zafar [snip] but i if a threat or virus comes in an e-mail how will fortimail recognise that it is a virus or something like that??? I know it will use some heuristic feature and Forged IP and baeysian filtering and so on but what is the basic architecture of a fortimail packet capturing. I have to present Fortimail in comparison with other products so rather than defining features i would like to know the key to how a fortimail scans a packet using what algorithms and methods. Because these features are in Mcafee, Proof Point and so on but tell me some points about how good Fortimail scans using what algo against other products.For malware detection, there are multiple layers of protection: • The first line of defence is our FortiGuard IP Reputation DB. We know if we have seen spam/malware sent from specific sources recently so can block connections early in the process. • If the mail is accepted and not detected as spam, we will run the file through our AV Engine. This is based on AV Signatures which detect and block known malware and most of its variants (sometimes unknown). It is highly accurate with few false positives. This signature approach is backed by a sophisticated antivirus engine that can detect polymorphic malware. In fact, the signatures are quite intelligent. For example, one single signature can detect over 50,000 polymorphic viruses in some scenarios. • Optional Greyware scanning which detects files which may have a legitimate use but are commonly misused (Remote Access tools etc) • For unknown malware, the next level is the Realtime sandbox malware analysis. This method emulates execution and detects and blocks malware based on a scoring system of known malicious behaviours or characteristics. This detects malware that doesn' t match a signature, but behaves similarly to known malware. Can be used to block or to flag suspicious files for further analysis. • Anything which is flagged suspicious can optionally be sent to a FortiSandbox Advanced Threat Detection Appliance http://www.fortinet.com/products/fortisandbox/ for further processing (FML 5.1 upward). Whilst this is happening, the email can be queued (FML 5.2 upwards). The FortiSandbox will open the file in a virtual OS environment, execute and monitor for malicious behaviour. The threat level is communicated back to the FortiMail which makes the decision whether to release or quarantine the mail In addition to these direct embedded malware methods, there are other methods which protect against linking to known malware including URL Filtering to block redirection to phishing, malware, adult, illegal content sites etc. I have kept the response specific to malware, however some of the methods you mention Forged IP, Baeysian etc are more related to anti-spam (however every AS method helps mitigate malware risk). If you require more information, let me know.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
basically AV engine will do the inspection for the email content if it is enabled. it is based on the signatures and it will help in virus detection.
Osama
Osama
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
• Optional Greyware scanning which detects files which may have a legitimate use but are commonly misused (Remote Access tools etc)Carl can you expand on greyware scanning and where is that enable configured at AS or AV profiles? btw, A great response.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greyware scanning is configured under the AV Profile
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay thanks I found it. Now if any action that' s taken against greyware, what will show in the logs as what ?
fwiw; I didn' t find anything to helpful for 5.1 help about greyware scanning & we get very little AV detect in our emails so I never seen any logs entries that shows grewyare detection.
Thanks
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am in the process of documenting a lot of this for a white paper on the various threat mitigation techniques and best practice config.
Will let you know once complete.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Carl, have you been able to complete the white paper yet? If not would you be able to share what you' ve got so far? We' re just gettings started with fortimail and any best practice tips you could share would be much appreciated.
Thanks!
Jeff Roback
Jeff Roback
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: Jeff Roback Hi, Carl, have you been able to complete the white paper yet?Not yet. I am just completing the 5.2 release process (which incidentally adds a whole new range of threat mitigation techniques) and will get back on the case. I have just finished a new White Paper on FML Threat Mitigation using the new integration with FortiSandbox. This will be posted on the Whitepapers site later today.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there, were you ever able to get this document together?
Thanks! Jeff
Jeff Roback
Jeff Roback
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Safetica DLP integrates with Fortinet 556 Views
- Fortimail/Fortinet/FortiGuard threat-list ingest 16124 Views
- Introducing FortiMail 6.2 15466 Views
- SMTP Authentication failure and mobile users... 1589 Views
- Fortimail to Fortisandbox by SYSLOG hitting... 2189 Views
Labels
-
FortiGate
8,341 -
FortiClient
1,686 -
5.2
801 -
FortiManager
703 -
5.4
639 -
FortiAnalyzer
532 -
FortiSwitch
452 -
FortiAP
446 -
6.0
416 -
FortiClient EMS
392 -
5.6
362 -
FortiMail
307 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
205 -
5.0
196 -
FortiWeb
194 -
IPsec
174 -
FortiNAC
171 -
FortiGuard
132 -
6.4
128 -
SD-WAN
102 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
80 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
67 -
4.0MR3
64 -
FortiProxy
56 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
High Availability
48 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
BGP
37 -
LDAP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
NAT
30 -
Authentication
29 -
SSO
29 -
FortiConnect
28 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Web profile
23 -
Application control
22 -
Virtual IP
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
FortiPAM
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
FortiGate v5.0
14 -
OSPF
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
WAN optimization
13 -
FortiCASB
12 -
SNMP
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
Proxy policy
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1632 | |
| 1063 | |
| 749 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.