We are using a 100D. Last week, all of a sudden, the antivirus kept detecting an unknown virus/botnet, which caused the firewall to block all internet access. We noticed the antivirus kept updating its definitions, so we changed the antivirus to monitor only. Now the antivirus update runs every 10 minutes, but the antivirus still detects "unknown". Is there any way to solve the issue?
Currently I'm testing the solution suggested by technical assistance via ticket.
The problem seems solved after 7 hours, but I'll wait until tomorrow to be 100% sure.
The problem was not a FortiOS bug but a corrupted AV engine; it seemed unrelated to the FortiOS version.
The actions taken were:
1- firmware upload via TFTP
2- AV engine update to v. 5.00163
3- configuration restore
4- connect to WAN
It is important NOT to reconnect or restore before step 2.
If in a cluster, the operations must be done without letting the nodes see each other.
Will post tomorrow after some other email traffic.
Hope this helps.
Z.
FortiAdam wrote: Reading this thread makes me really nervous about upgrading to 5.2. For those of you who opened a ticket with Fortinet, are they giving you any confirmation of a bug or an idea of how to fix it?
zaskar
Thanks
---------------------------------------------
Marco Scala
Fortigate-200 2.80,build489,051027
Thanks. How exactly do you upgrade just the AV engine?
Hi Marcelo,
The AV engine update is made through the GUI as a manual AV definition update (System->Config->Fortiguard->Av Definition Update),
where a ".pkg" file must be uploaded.
The .pkg file may vary by FortiOS version and model. As the use of an incorrect file version can cause serious issues, it is better to request the file from technical assistance.
In my case the problem has been solved.
Regards.
Z.
marcelo_malara wrote: Thanks. How exactly do you upgrade just the AV engine?
zaskar
Thanks
---------------------------------------------
Marco Scala
Fortigate-200 2.80,build489,051027
Updating to version 5.2.3 fixed the problem with the AV engine.
I have this problem with a newly installed cluster with 5.2.3.
The problem arose exactly today. Everything had worked fine for a week.
No config changes were made in the meantime.
New update:
It seems this fake alert is fired ONLY from the slave unit (I have an A-A cluster).
I had this issue too.
FG200G v5.2.3
Here is the timeline:
- switched from active-passive to active-active at 7am; everything worked well.
- at 12:48pm the AV database got corrupted on unit2; users started getting virus messages that blocked most web connections through unit2.
- ran the update-now command; the problem appears fixed.
- created a support ticket and worked with support to upload a fresh .pkg file, just to make sure the AV DB was in good shape.
- set weights back to even load for the A-A cluster.
FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+
Yeah... that is exactly what happened to me: I switched from A-P to A-A and the problem arose after a few days.
I am going to try this solution while waiting for the ticket to be solved or progressed.
Thanks for the reply, I will let you know.
It's been on for two hours and it seems to work! :)
Hope it keeps working. Thanks Paul S: you saved my day :)
The problem happened to me again today!! I just updated my support ticket!!
Here is the error that shows in the crash log when the problem happens:
16373: 2015-06-25 09:23:07 scanunit=parent pid=22201: Using AV-fail-open engine
16374: 2015-06-25 09:23:21 <22201> scanunit=parent str="AV-Engine is corrupted or missing. Requesting
16375: 2015-06-25 09:23:21 update."
FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+
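The crash-log excerpt above is something you can alert on instead of only reading it after users start seeing bogus virus blocks. The following is an added example (mine, not code from this thread or from Fortinet): it parses crashlog entries in the layout the excerpt shows, folds the str="..." value that is split across entries 16374/16375 back into one message, and flags the two events that mean the scan unit is no longer scanning with a real engine. The entry layout and the sample lines are assumptions constructed from that excerpt; nothing else about the crashlog format is taken from documentation.

```python
"""Spot the AV-engine failure reported above in FortiGate crashlog text.

Added example for this thread, not code from the forum or from Fortinet.
The entry layout (``<seq>: <date> <time> <message>``) is assumed only from
the excerpt posted above; the sample below is constructed from that excerpt
plus one unrelated line.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample crashlog; entries 16373-16375 mirror the posted excerpt.
SAMPLE_CRASHLOG = """\
16372: 2015-06-25 09:20:11 scanunit=parent pid=22201: scanunitd started
16373: 2015-06-25 09:23:07 scanunit=parent pid=22201: Using AV-fail-open engine
16374: 2015-06-25 09:23:21 <22201> scanunit=parent str="AV-Engine is corrupted or missing. Requesting
16375: 2015-06-25 09:23:21 update."
"""

ENTRY_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$"
)
# The excerpt writes the process id either as "pid=NNN" or as "<NNN>".
PID_RE = re.compile(r"pid=(\d+)|<(\d+)>")

# Messages that mean real scanning has stopped: the scan unit fell back to the
# fail-open engine, or reported the engine itself as corrupted/missing.
AV_FAILURE_MARKERS = (
    "Using AV-fail-open engine",
    "AV-Engine is corrupted or missing",
)


@dataclass
class Entry:
    seq: int
    ts: datetime
    msg: str
    pid: Optional[int]


def _pid(msg: str) -> Optional[int]:
    m = PID_RE.search(msg)
    if not m:
        return None
    return int(m.group(1) or m.group(2))


def parse_crashlog(text: str) -> List[Entry]:
    """Parse crashlog lines into entries.

    A str="..." value that is cut off (odd number of quotes, as in entry
    16374) continues in the next numbered entry, so that entry is folded
    back into the previous message instead of becoming its own record.
    """
    entries: List[Entry] = []
    in_quote = False
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if not m:
            continue  # skip anything that is not a numbered crashlog entry
        msg = m.group("msg")
        if in_quote and entries:
            entries[-1].msg += " " + msg
        else:
            entries.append(
                Entry(
                    seq=int(m.group("seq")),
                    ts=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                    msg=msg,
                    pid=_pid(msg),
                )
            )
        if msg.count('"') % 2 == 1:
            in_quote = not in_quote
    return entries


def find_av_failures(entries: List[Entry]) -> List[Entry]:
    """Return the entries that indicate the AV engine stopped working."""
    return [e for e in entries if any(mk in e.msg for mk in AV_FAILURE_MARKERS)]


def fail_open_window(entries: List[Entry]) -> Optional[int]:
    """Seconds between the first fail-open notice and the corruption report,
    or None if either is absent.
    """
    failures = find_av_failures(entries)
    fail_open = [e for e in failures if "AV-fail-open" in e.msg]
    corrupted = [e for e in failures if "corrupted or missing" in e.msg]
    if not fail_open or not corrupted:
        return None
    return int((corrupted[0].ts - fail_open[0].ts).total_seconds())


if __name__ == "__main__":
    parsed = parse_crashlog(SAMPLE_CRASHLOG)
    for e in find_av_failures(parsed):
        print(f"{e.ts} seq={e.seq} pid={e.pid}: {e.msg}")
    print("fail-open to corruption report:", fail_open_window(parsed), "s")
```

To use it on a live unit, paste the output of `diagnose debug crashlog read` into `parse_crashlog`; a non-empty result from `find_av_failures` on the secondary node is the condition the posters above only noticed once users reported the blocks. The fail-open notice is worth treating as the alert on its own: from that entry on, traffic is passing without a working engine, whether or not the corruption message has been logged yet.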
What is the version of your AV engine?
digimetrica wrote: AV Definitions 26.00294 (Updated 2015-06-26 via Scheduled Update) / AV Engine 5.00164 (Updated 2015-06-24 via Manual Update). What is the version of your AV engine?
It was updated yesterday: 5.00164 (Updated 2015-06-25 via Manual Update)
FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+
Copyright 2024 Fortinet, Inc. All Rights Reserved.