Hi all,
We have 2 X 100D Hardware Appliances running firmware version 6.0.1 (build 0131 GA) in NAT (Flow-based) Mode (HA: Active-Passive).
Recently I have noticed that in the GUI under Log & Report > AntiVirus, there has been an upsurge in files being blocked by the FortiGates. As they are mostly .cab files originating from Microsoft I'm working on the assumption that they are related to clients laptops on our wireless network attempting to update via Windows Update.
No explanation is given in the logs, other than the file was blocked as it was "infected". We are not running deep inspection on our Internet traffic and as these were HTTP requests I don't think SSL/SSH Inspection is interfering here.
Could someone please shine a light on what the issue may be here and how I can resolve it?
Many thanks for your kind assistance.
Best regards,
John P
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I'm seeing alert messages similar to what John is describing. Here is the email version:
Message meets Alert condition
Virus/Worm detected: Protocol: "HTTP" Source IP: 192.168.2.6
Destination IP: 205.185.216.42 Email Address From: Email Address
To: VIRUS REFERENCE URL:
date=2018-08-11 time=00:10:10 devname=gate devid=FGT60E4Q16081196 logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" eventtime=1533964210 msg="File is infected." action="blocked" service="HTTP" sessionid=9218949 srcip=192.168.2.6 dstip=205.185.216.42 srcport=61551 dstport=80 srcintf="Office LAN" srcintfrole="lan" dstintf="wan1" dstintfrole="wan" policyid=10 proto=6 direction="incoming" filename="26979962_4691678f40c
59e48a351077614b886df9327d506.cab" quarskip="File-was-not-quarantined." url="http://download.windowsupdate.com/c/msdownload/update/others/2018/07/26979962_4691678f40c59e48a35107..." profile="default" agent="Windows-Update-Agent/7.9.9600.18970" analyticscksum="9dba2305680792c5095394ae42986ee188391b3963aeef992a310c91a3826abb" analyticssubmit="false" crscore=50 crlevel="critical"
The log alerts appear to be on the same file and are repeating once per hour. Fortigate logs this with Virus Threat Score 50 (Critical). I've uploaded this URL/File to FortiGuard Labs online scanner, VirusTotal, Scanthis.net and Kaspersky; All indicate the file is clean.
I'm a bit hesitant to bypass the fortigate alert. Any recommendations?
Thanks,
Eric
Hi Eric,
Many thanks for your input. I have raised a ticket with Fortinet in regards to this issue and will post any further developments/solutions they suggest.
Best regards,
John P
Hi Eric,
Fortinet Support (thanks Paul) suggested an upgrade to v6.0.2. The release notes for this version mentioned a bug [ID 497371 - Flow-AV blocks Windows Updates (.cab files)] which has now been resolved. I assume there must have been an issue with the anti-virus scanning engine which created 'false-positives' on .cab file extensions.
I have now upgraded our appliances to v6.0.2 and will monitor the situation over the next few days to ensure the problem has been sorted.
Best regards,
John P
Which Antivirus are you using?
Hi Boone,
Our appliances are licensed to receive AntiVirus Updates from FortiGuard (currently using AV Definitions v61.00429).
I'm still seeing .cab files being blocked by our appliances. The reason for this has changed though. When on v6.0.1, the files were blocked as they were deemed "infected". Now, using v6.0.2, the reason has changed to "File reached uncompressed size limit".
My understanding of the AntiVirus scanning process led me to believe that any files over the default limit of 10MB could not be scanned and would be passed nevertheless without scanning. Therefore I cannot understand why these files are still being blocked.
I think I'm right in thinking that the scanning limit can be raised using the "config firewall profile-protocol-options > edit 'default' > config http > set uncompressed-oversize-limit" command in CLI. Currently it is set to the default value of 10. I can change this parameter if need be, but I'm still confused as to why the files are being blocked when they should be passed through as they are too big to scan.
I've passed on my findings to Fortinet support and will post any further developments.
Best regards
John P
@JohnP ... just upgraded form 6.0.1 to 6.0.2 and will be watching the logs.
Thanks.
Seeing the same problem with 6.0.2. My current workaround is a separate policy for windows updates that doesn't have the AV filter
Hi all,
Following a recommendation from Fortinet Support I performed a manual upgrade of the IPS Engine from version v4.00021 to v4.00022 (engine package supplied by Support Engineer).
I then triggered a Windows Update on a test laptop on our network which completed successfully. The .cab files are no longer shown as 'blocked' in the AntiVirus logs. They are now being shown as 'monitored'.
Fingers crossed this is a long term fix.
Best regards,
John P
Hi,
quite the same issue here (on 6.02 version).
I have noticed this: "File reached uncompressed size limit" error.
Unfortunately there not seems to be the parameter to be set in the policy like the old firmware version (that had the "set uncompfilelimit xx").
Another bad news on this very buggy version.
No solution for me for now (unless you do not turn off antivirus on that policy)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.