Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
ORIGINAL: Saqib Zafar [snip] but i if a threat or virus comes in an e-mail how will fortimail recognise that it is a virus or something like that??? I know it will use some heuristic feature and Forged IP and baeysian filtering and so on but what is the basic architecture of a fortimail packet capturing. I have to present Fortimail in comparison with other products so rather than defining features i would like to know the key to how a fortimail scans a packet using what algorithms and methods. Because these features are in Mcafee, Proof Point and so on but tell me some points about how good Fortimail scans using what algo against other products.For malware detection, there are multiple layers of protection: • The first line of defence is our FortiGuard IP Reputation DB. We know if we have seen spam/malware sent from specific sources recently so can block connections early in the process. • If the mail is accepted and not detected as spam, we will run the file through our AV Engine. This is based on AV Signatures which detect and block known malware and most of its variants (sometimes unknown). It is highly accurate with few false positives. This signature approach is backed by a sophisticated antivirus engine that can detect polymorphic malware. In fact, the signatures are quite intelligent. For example, one single signature can detect over 50,000 polymorphic viruses in some scenarios. • Optional Greyware scanning which detects files which may have a legitimate use but are commonly misused (Remote Access tools etc) • For unknown malware, the next level is the Realtime sandbox malware analysis. This method emulates execution and detects and blocks malware based on a scoring system of known malicious behaviours or characteristics. This detects malware that doesn' t match a signature, but behaves similarly to known malware. Can be used to block or to flag suspicious files for further analysis. • Anything which is flagged suspicious can optionally be sent to a FortiSandbox Advanced Threat Detection Appliance http://www.fortinet.com/products/fortisandbox/ for further processing (FML 5.1 upward). Whilst this is happening, the email can be queued (FML 5.2 upwards). The FortiSandbox will open the file in a virtual OS environment, execute and monitor for malicious behaviour. The threat level is communicated back to the FortiMail which makes the decision whether to release or quarantine the mail In addition to these direct embedded malware methods, there are other methods which protect against linking to known malware including URL Filtering to block redirection to phishing, malware, adult, illegal content sites etc. I have kept the response specific to malware, however some of the methods you mention Forged IP, Baeysian etc are more related to anti-spam (however every AS method helps mitigate malware risk). If you require more information, let me know.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Osama
• Optional Greyware scanning which detects files which may have a legitimate use but are commonly misused (Remote Access tools etc)Carl can you expand on greyware scanning and where is that enable configured at AS or AV profiles? btw, A great response.
PCNSE
NSE
StrongSwan
Dr. Carl Windsor Field Chief Technology Officer Fortinet
PCNSE
NSE
StrongSwan
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Jeff Roback
ORIGINAL: Jeff Roback Hi, Carl, have you been able to complete the white paper yet?Not yet. I am just completing the 5.2 release process (which incidentally adds a whole new range of threat mitigation techniques) and will get back on the case. I have just finished a new White Paper on FML Threat Mitigation using the new integration with FortiSandbox. This will be posted on the Whitepapers site later today.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Hi there, were you ever able to get this document together?
Thanks! Jeff
Jeff Roback
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.