Support Forum
khoo
New Contributor

antivirus keep detecting unknown virus/botnet

We are using a 100D. Since last week, all of a sudden the antivirus keeps detecting an unknown virus/botnet, which causes the firewall to block all internet access, and we noticed the antivirus keeps updating the definitions; therefore we changed the antivirus to monitor only. Now the antivirus update runs every 10 minutes, but the antivirus is still detecting unknown. Is there any way to solve the issue?

zaskar

Currently I'm testing the solution suggested by technical assistance via ticket.

The problem after 7 hours seems solved, but I'll wait until tomorrow to be 100% sure.

 

The problem was not a FortiOS bug but a corrupted AV engine; it seemed not related to the FortiOS version.

The actions taken were:

1- firmware upload via TFTP

2- AV engine update to v. 5.00163

3- configuration restore

4- connect to WAN

It is important NOT to reconnect or restore before step 2.

If in a cluster, the operations must be done without letting the nodes see each other.

 

Will post tomorrow after some other email traffic.

 

Hope this helps. 

Z.

 

FortiAdam wrote:

Reading this thread makes me really nervous about upgrading to 5.2.  For those of you who opened a ticket with Fortinet, are they giving you any confirmation of a bug or an idea of how to fix it?

Thanks
---------------------------------------------
Marco Scala, Fortigate-200 2.80,build489,051027

marcelo_malara
New Contributor

Thanks. How exactly do you upgrade just the AV engine?

zaskar

Hi Marcelo,

 

The AV engine update is made through the GUI as a manual AV definition update (System->Config->FortiGuard->AV Definition Update),

where a ".pkg" file must be uploaded.

The .pkg file may vary by FortiOS version and model. As the use of an incorrect file version can cause serious issues, it is better to request the file from technical assistance.

 

In my case the problem has been solved.

 

Regards.

 

Z.

 

marcelo_malara wrote:

Thanks. How exactly do you upgrade just the AV engine?

Thanks
---------------------------------------------
Marco Scala, Fortigate-200 2.80,build489,051027

Jeroen
Contributor

Updating to version 5.2.3 fixed the problem with the AV engine.

digimetrica
New Contributor

I have this problem with a newly installed cluster running 5.2.3.

The problem arose exactly today. Everything had worked fine for a week.

No config changes were made in the meantime.

New update:

It seems this fake alert is fired ONLY from the slave unit (I have an A-A cluster).

Paul_S
Contributor

I had this issue too.

FG200G  v5.2.3

 

Here is the timeline:

- switched from active-passive to active-active at 7am; everything worked well.

- at 12:48pm the AV database got corrupted on unit2. Users started getting virus messages that blocked most web connections through unit2.

- ran the update-now command. The problem appeared fixed.

- created a support ticket and worked with support to upload a fresh .pkg file, just to make sure the AV DB was in good shape.

- set weights back to an even load for the A-A cluster.

 

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | [Did my post help you? Please rate my post.] | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+

digimetrica
New Contributor

Yeah... that is exactly what happened to me: I switched from A-P to A-A and the problem arose after a few days.

I am going to try this solution while waiting for the ticket to be solved or progressed.

 

Thanks for the reply, I will let you know.

 

 

It's been on for two hours and it seems to work! :)

Hope it keeps working. Thanks Paul S, you saved my day :)

Paul_S
Contributor

The problem happened to me again today!! I just updated my support ticket!!

 

Here is the error that shows in the crash log when the problem happens:

16373: 2015-06-25 09:23:07 scanunit=parent pid=22201: Using AV-fail-open engine
16374: 2015-06-25 09:23:21 <22201> scanunit=parent str="AV-Engine is corrupted or missing. Requesting
16375: 2015-06-25 09:23:21 update."

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | [Did my post help you? Please rate my post.] | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+

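Paul_S's crash-log excerpt is the kind of event an operator wants to catch from the log rather than from users reporting blocked web connections. The script below is an added example, not code from the thread or from Fortinet: it parses numbered crash-log entries of the shape quoted above, joins the str="..." value that the log wraps onto a following entry (entries 16374 and 16375), and flags the two AV-engine events. The sample input is constructed from the three lines in the post; the message texts matched ("Using AV-fail-open engine", "AV-Engine is corrupted or missing") are taken from the post, and everything else (field layout assumptions, function names) is my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three crash-log entries quoted in the post above,
# one per line. The str="..." value of entry 16374 is continued on entry
# 16375, which is how this crash log wraps long messages.
SAMPLE_CRASHLOG = """\
16373: 2015-06-25 09:23:07 scanunit=parent pid=22201: Using AV-fail-open engine
16374: 2015-06-25 09:23:21 <22201> scanunit=parent str="AV-Engine is corrupted or missing. Requesting
16375: 2015-06-25 09:23:21 update."
"""

# Assumed entry layout: "<seq>: <YYYY-MM-DD HH:MM:SS> <body>"
ENTRY_RE = re.compile(
    r'^(?P<seq>\d+): (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<body>.*)$'
)

# Message texts as they appear in the quoted crash log.
AV_FAIL_OPEN = 'Using AV-fail-open engine'
AV_CORRUPT_RE = re.compile(r'str="AV-Engine is corrupted or missing\.[^"]*"')


@dataclass
class CrashEntry:
    seq: int
    timestamp: str
    body: str


def parse_crashlog(text):
    """Parse numbered crash-log lines into CrashEntry objects.

    A line whose str="..." value has not been closed yet is continued by
    the next numbered entry; that continuation is appended to the open
    entry instead of starting a new one.
    """
    entries = []
    open_quote = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not an entry line; ignore
        body = m.group('body')
        if open_quote and entries:
            entries[-1].body += ' ' + body
        else:
            entries.append(CrashEntry(int(m.group('seq')), m.group('ts'), body))
        # an odd number of double quotes means the str="..." value is still open
        open_quote = entries[-1].body.count('"') % 2 == 1
    return entries


def find_av_engine_events(entries):
    """Return (timestamp, kind, pid) for entries reporting AV-engine trouble.

    The pid is taken from either 'pid=NNN' or the '<NNN>' prefix form,
    both of which appear in the quoted log.
    """
    events = []
    for e in entries:
        pid = None
        pm = re.search(r'pid=(\d+)|<(\d+)>', e.body)
        if pm:
            pid = int(pm.group(1) or pm.group(2))
        if AV_FAIL_OPEN in e.body:
            events.append((e.timestamp, 'fail-open', pid))
        elif AV_CORRUPT_RE.search(e.body):
            events.append((e.timestamp, 'engine-corrupted', pid))
    return events


def av_engine_needs_attention(text):
    """True when the crash log contains any AV fail-open or corruption event."""
    return bool(find_av_engine_events(parse_crashlog(text)))


if __name__ == '__main__':
    for ts, kind, pid in find_av_engine_events(parse_crashlog(SAMPLE_CRASHLOG)):
        print(f'{ts} AV engine event: {kind} (pid {pid})')
```

Feeding it the output of the crash-log command the thread refers to (or a syslog feed of it) turns the "AV-Engine is corrupted or missing" message into an alert that fires at 09:23, before anyone notices that web traffic through the affected unit is being blocked. On an A-A cluster, as digimetrica and Paul_S describe, the event may only appear on the secondary unit, so the log of each node needs to be checked, not just the primary's.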
digimetrica
New Contributor

What is the version of your AV engine?

 

Mine was updated yesterday: 5.00164 (Updated 2015-06-25 via Manual Update)

Paul_S

digimetrica wrote:

What is the version of your AV engine?

 

Mine was updated yesterday: 5.00164 (Updated 2015-06-25 via Manual Update)

AV Definitions 26.00294 (Updated 2015-06-26 via Scheduled Update)
AV Engine 5.00164 (Updated 2015-06-24 via Manual Update)

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | [Did my post help you? Please rate my post.] | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+
