Support Forum
ZupportIT
New Contributor

Oversize virus

Hi, We keep getting a message about a virus called " oversize" in the daily reports. Anyone knows if its actually a virus or a file that is oversized?
Dipen
New Contributor III

"Oversize" file blocking is a functionality of DLP UTM, not Antivirus. Please have a look at your report again to see whether the blocking is done by "DLP" filters or "Antivirus" filters. If the blocking is by a DLP filter, it is indeed a case of an oversized file and not a virus. Also, some large files cannot be scanned by Antivirus filters.

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D

Sean_Toomey_FTNT

Actually that is incorrect. It can be a function of AV. In proxy mode, the file size limit is 10MB uncompressed, or 12MB compressed (zip, rar, etc). The reason is that it takes significant CPU to process this file in proxy mode. You have various settings where you can change the defaults, but be aware that doing so may impact performance especially on smaller boxes, and most viruses are smaller in size so that there is a higher success rate of download without being noticed or interrupted. Increasing the size therefore may not result in much returned, just higher utilization of the system. You will see these options, which are per protocol: config antivirus service xxxx, where xxxx is a specific protocol like the http example below. There's about a dozen of these.

config antivirus service "http"
set uncompsizelimit 10
set uncompnestlimit 12
set scan-bzip2 disable
end

All that said, in FortiOS 5.2 there are significant enhancements to flow AntiVirus, and it is now as effective (or nearly so) as proxy mode. Flow mode takes far less resources and there is no size limit to files, and it doesn't have to proxy the connection so less moving parts = less chance for things to go wrong. It's a win/win, so I would recommend you check it out. If you keep proxy mode, you will get that kind of message each time the file size is too large to scan - namely because it was a logging requirement for many customers that we log whenever we cannot scan a file. You can safely ignore these or config your syslog / FAZ to ignore these messages. Cheers!
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security
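An added example, not from this thread and not Fortinet code: a small Python script that sorts constructed FortiGate-style key=value log lines into real infections versus AV "oversize" and DLP file-size events, which is the distinction both replies above say to check before treating the daily report as a virus alert. The field names, the sample lines and the reading of the 10 MB proxy limit as 10*1024*1024 bytes are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in a FortiGate-like key=value layout. The field
# names (subtype, eventtype, filtertype, filesize) are assumed for this
# example and are not copied from a real device.
SAMPLE_LOGS = [
    'date=2014-01-10 time=09:12:01 type="utm" subtype="dlp" action="block" '
    'filtertype="file-size" filename="backup.iso" filesize=524288000',
    'date=2014-01-10 time=09:15:43 type="utm" subtype="virus" eventtype="oversize" '
    'action="passthrough" service="HTTP" filename="setup.zip" filesize=15728640',
    'date=2014-01-10 time=09:20:07 type="utm" subtype="virus" eventtype="infected" '
    'action="blocked" service="HTTP" filename="invoice.exe" virus="EICAR_TEST_FILE" filesize=68',
]

# Assumed reading of "set uncompsizelimit 10": 10 MB uncompressed in proxy mode.
PROXY_UNCOMP_LIMIT_BYTES = 10 * 1024 * 1024

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a key=value log line into a dict, stripping quotes and typing filesize."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if "filesize" in fields:
        fields["filesize"] = int(fields["filesize"])
    return fields


def classify(event):
    """Label an event as 'infected', 'av-oversize', 'dlp-oversize' or 'other'."""
    subtype, etype = event.get("subtype"), event.get("eventtype")
    if subtype == "virus" and etype == "infected":
        return "infected"           # real AV detection: investigate
    if subtype == "virus" and etype == "oversize":
        return "av-oversize"        # file too large to scan in proxy mode, not a virus
    if subtype == "dlp" and event.get("filtertype") == "file-size":
        return "dlp-oversize"       # DLP file-size rule, unrelated to AV
    return "other"


def exceeds_proxy_limit(event):
    """True when the logged file size is above the assumed proxy-mode scan limit."""
    return event.get("filesize", 0) > PROXY_UNCOMP_LIMIT_BYTES


def summarize(lines):
    """Count events per class so oversize entries are not mistaken for infections."""
    return dict(Counter(classify(parse_line(line)) for line in lines))
```

Running `summarize(SAMPLE_LOGS)` on the constructed lines yields one event in each class, and `exceeds_proxy_limit` explains why only the 15 MB zip triggered the AV oversize entry.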
ede_pfau
SuperUser

Where is the size limit for compressed files documented? The CLI Reference only states a size limit for uncompressed files which is depending on the amount of RAM built-in (i.e. model dependent). IIRC it is around 10%, so on a 60B with 256 MB RAM it's 24 MB and on a 80C with 1 GB RAM it's 139 MB (checked). IMHO there is no limit for compressed data - the FGT will unpack it and then apply the size limit for uncompressed data. And as mentioned in another post (https://forum.fortinet.com/FindPost/111811), archives cannot be scanned in flow mode. You have to buffer the complete file in order to get the file directory and other internal metadata, and this is exactly what proxy mode does.

Ede Kernel panic: Aiee, killing interrupt handler!
Sean_Toomey_FTNT

Hi Ede, As of FortiOS 5.2, flow mode can indeed scan archives and can buffer data. In another post I cited references and it has been confirmed internally. The two limits are uncompressed and uncompressed when nested, to correct what I put above. Not enough sleep on that one. The file size is relevant more to proxy mode, but the default of 10 MB uncompressed and 12 MB nested uncompressed means the compressed file would be smaller still than either value. As you correctly pointed out on the other post, almost all known malicious files are 3MB or less in size, so the existing limit is meant to go above that to ensure the greatest chance of detection in proxy mode. Cheers!
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security