AntiVirus
Content disarm and reconstruction for AntiVirus
Introduction
Content Disarm and Reconstruction (CDR) allows the FortiGate to sanitize Microsoft Office documents and PDF files (disarm) by removing active content such as hyperlinks, embedded media, JavaScript, macros, etc. from the document files without affecting the integrity of their textual content (reconstruction).
This feature allows network admins to protect their users from malicious office document files.
Files processed by CDR can have the original copy quarantined on the FortiGate, allowing admins to observe them. These original copies can also be obtained in the event of a false positive.
Support and limitations
- CDR can only be performed on Microsoft Office Document and PDF files.
- Local Disk CDR quarantine is only possible on FortiGate models that contain a hard disk.
- CDR is only supported on HTTP, SMTP, POP3, IMAP.
- SMTP splice and client-comfort mode is not supported.
- CDR does not work on flow based inspection modes.
- CDR can only work on files in .ZIP type archives.
Network topology example
Configuring the feature
In order to configure AntiVirus to work with CDR, you must enable CDR on your AntiVirus profile, set the quarantine location, and then fine tune the CDR detection parameters.
To enable CDR on your AntiVirus profile:
- Go to Security Profiles > AntiVirus.
- Enable the toggle for Content Disarm and Reconstruction under APT Protection Options.
To set a quarantine location:
- Go to Security Profiles > AntiVirus.
- Select a quarantine location from the available options, including Discard, File Quarantine, and FortiSandbox.
Discard            The default setting, which discards the original document file.
File Quarantine    Saves the original document file to disk (if possible) or to a connected FortiAnalyzer, based on the FortiGate's log settings (visible under Config Global > Config Log FortiAnalyzerSetting).
FortiSandbox       Saves the original document file to a connected FortiSandbox.
To fine tune CDR detection parameters in the FortiGate CLI:
- Select which active content to detect/process:
- By default, all active Office and PDF content types are enabled. To fine tune CDR to ignore certain content, disable that particular content parameter. The example below configures CDR to ignore Microsoft Office macros.
FGT_PROXY (vdom1) # config antivirus profile
FGT_PROXY (profile) # edit av
change table entry 'av'
FGT_PROXY (av) # config content-disarm
FGT_PROXY (content-disarm) # set ?
original-file-destination   Destination to send original file if active content is removed.
office-macro                Enable/disable stripping of macros in Microsoft Office documents.
office-hylink               Enable/disable stripping of hyperlinks in Microsoft Office documents.
office-linked               Enable/disable stripping of linked objects in Microsoft Office documents.
office-embed                Enable/disable stripping of embedded objects in Microsoft Office documents.
office-dde                  Enable/disable stripping of Dynamic Data Exchange events in Microsoft Office documents.
office-action               Enable/disable stripping of PowerPoint action events in Microsoft Office documents.
pdf-javacode                Enable/disable stripping of JavaScript code in PDF documents.
pdf-embedfile               Enable/disable stripping of embedded files in PDF documents.
pdf-hyperlink               Enable/disable stripping of hyperlinks from PDF documents.
pdf-act-gotor               Enable/disable stripping of PDF document actions that access other PDF documents.
pdf-act-launch              Enable/disable stripping of PDF document actions that launch other applications.
pdf-act-sound               Enable/disable stripping of PDF document actions that play a sound.
pdf-act-movie               Enable/disable stripping of PDF document actions that play a movie.
pdf-act-java                Enable/disable stripping of PDF document actions that execute JavaScript code.
pdf-act-form                Enable/disable stripping of PDF document actions that submit data to other targets.
cover-page                  Enable/disable inserting a cover page into the disarmed document.
detect-only                 Enable/disable only detect disarmable files, do not alter content.
FGT_PROXY (content-disarm) # set office-macro disable
FGT_PROXY (content-disarm) #
- Detect but do not modify active content:
- By default, CDR will disarm any detected documents containing active content. To prevent CDR from disarming documents, you can set it to operate in detect-only mode. To do this, the option detect-only must be enabled.
FGT_PROXY (vdom1) # config antivirus profile
FGT_PROXY (profile) # edit av
change table entry 'av'
FGT_PROXY (av) # config content-disarm
FGT_PROXY (content-disarm) # set detect-only ?
disable    Disable this Content Disarm and Reconstruction feature.
enable     Enable this Content Disarm and Reconstruction feature.
FGT_PROXY (content-disarm) # set detect-only enable
FGT_PROXY (content-disarm) #
- Enabling/disabling the CDR cover page:
- By default, a cover page will be attached to the file's content when the file has been processed by CDR. To disable the cover page, the parameter cover-page needs to be disabled.
FGT_PROXY (vdom1) # config antivirus profile
FGT_PROXY (profile) # edit av
change table entry 'av'
FGT_PROXY (av) # config content-disarm
FGT_PROXY (content-disarm) # set cover-page ?
disable    Disable this Content Disarm and Reconstruction feature.
enable     Enable this Content Disarm and Reconstruction feature.
FGT_PROXY (content-disarm) # set cover-page disable
FGT_PROXY (content-disarm) #
FortiGuard Outbreak Prevention for AntiVirus
Introduction
FortiGuard Outbreak Prevention was introduced in FortiOS 6.0.0 and allows the FortiGate's AntiVirus database to be supplemented with third-party malware hash signatures curated by FortiGuard.
Those hash signatures are obtained from external sources such as VirusTotal, Symantec, Kaspersky, and other third-party websites and services.
This feature provides the mechanism for AntiVirus to query FortiGuard with the hash of a scanned file. If FortiGuard returns a match from its many curated signature sources, the scanned file is deemed to be malicious.
The concept of FortiGuard Outbreak Prevention is to detect zero-day malware through a collaborative approach.
Support and limitations
- FortiGuard Outbreak Prevention can be used in both proxy-based and flow-based policy inspections across all supported protocols.
- FortiGuard Outbreak Prevention does not support AV in quick scan mode.
- The FortiGate must be registered with a valid FortiGuard Outbreak Prevention license before this feature can be used.
Network topology example
Configuring the feature
In order for AntiVirus to work with FortiGuard Outbreak Prevention, you must register the FortiGate with a FortiGuard Outbreak Prevention license and enable FortiGuard Outbreak Prevention in the AntiVirus profile.
To obtain/renew a FortiGuard AntiVirus license:
- See the following link for instructions on how to purchase or renew a FortiGuard Outbreak Prevention license:
https://video.fortinet.com/products/fortigate/6.0/how-to-purchase-or-renew-fortiguard-services-6-0
- Once the license has been activated, you can verify its status by going to Global > System > FortiGuard.
To enable FortiGuard Outbreak Prevention in the AntiVirus profile:
- Go to Security Profiles > AntiVirus.
- Select the toggle to enable Use FortiGuard Outbreak Prevention Database.
- Select Apply.
Diagnostics and debugging
- Check if the FortiGate has an Outbreak Prevention license:
FGT_PROXY (global) # diagnose debug rating
Locale       : english
Service      : Web-filter
Status       : Enable
License      : Contract
Service      : Antispam
Status       : Disable
Service      : Virus Outbreak Prevention
Status       : Enable
License      : Contract
-=- Server List (Tue Feb 19 16:36:15 2019) -=-
IP               Weight  RTT  Flags  TZ   Packets  Curr Lost  Total Lost  Updated Time
192.168.100.185  -218    2    DI     -8   113      0          0           Tue Feb 19 16:35:55 2019
- Scanunit daemon showing the Outbreak Prevention verdict:
FGT_PROXY (vdom1) # diagnose debug application scanunit -1
Debug messages will be on for 30 minutes.
FGT_PROXY (vdom1) # diagnose debug enable
FGT_PROXY (vdom1) # su 4739 job 1 open
su 4739 req vfid 1 id 1 ep 0 new request, size 313, policy id 1, policy type 0
su 4739 req vfid 1 id 1 ep 0 received; ack 1, data type: 0
su 4739 job 1 request info:
su 4739 job 1 client 10.1.100.11:39412 server 172.16.200.44:80
su 4739 job 1 object_name 'zhvo_test.com'
su 4739 file-typing NOT WANTED options 0x0 file_filter no
su 4739 enable databases 0b (core mmdb extended)
su 4739 job 1 begin http scan
su 4739 scan file 'zhvo_test.com' bytes 68
su 4739 job 1 outbreak-prevention scan, level 0, filename 'zhvo_test.com'
su 4739 scan result 0
su 4739 job 1 end http scan
su 4739 job 1 inc pending tasks (1)
su 4739 not wanted for analytics: analytics submission is disabled (m 0 r 0)
su 4739 job 1 suspend
su 4739 outbreak-prevention recv error
su 4739 ftgd avquery id 0 status 1
su 4739 job 1 outbreak-prevention infected entryid=0
su 4739 report AVQUERY infection priority 1
su 4739 insert infection AVQUERY SUCCEEDED loc (nil) off 0 sz 0 at index 0 total infections 1 error 0
su 4739 job 1 dec pending tasks 0
su 4739 job 1 send result
su 4739 job 1 close
su 4739 outbreak-prevention recv error
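A small triage helper, added here as an example and not part of Fortinet's documentation or tooling, that groups scanunit debug lines like the capture above by job and pulls out the client, server, scanned object name and whether an Outbreak Prevention hash match was reported. The line shapes are those of the capture on this page; other FortiOS releases may word them differently (assumption), and the embedded sample is a constructed subset of that capture.

```python
import re

# Line shapes taken from the scanunit debug capture on this page; other
# FortiOS releases may word them differently (assumption).
JOB_RE = re.compile(r"^(?:\S.* # )?su (\d+) job (\d+) (.+)$")
CONN_RE = re.compile(r"^client (\S+) server (\S+)$")
NAME_RE = re.compile(r"^object_name '([^']*)'$")
INFECTED_RE = re.compile(r"^outbreak-prevention infected entryid=(\d+)$")

# Constructed sample: a subset of the capture shown above, with the CLI
# prompt echoed in front of the first line exactly as it appears on the page.
SAMPLE_DEBUG = """FGT_PROXY (vdom1) # su 4739 job 1 open
su 4739 job 1 client 10.1.100.11:39412 server 172.16.200.44:80
su 4739 job 1 object_name 'zhvo_test.com'
su 4739 scan file 'zhvo_test.com' bytes 68
su 4739 job 1 outbreak-prevention scan, level 0, filename 'zhvo_test.com'
su 4739 scan result 0
su 4739 ftgd avquery id 0 status 1
su 4739 job 1 outbreak-prevention infected entryid=0
su 4739 report AVQUERY infection priority 1
su 4739 job 1 send result
su 4739 job 1 close
"""

def summarize_scanunit(debug_text):
    """Group 'su <pid> job <n> ...' lines by (pid, job) and return, per job,
    the client, server, scanned object name and Outbreak Prevention result."""
    jobs = {}
    for raw in debug_text.splitlines():
        m = JOB_RE.match(raw.strip())
        if not m:
            continue  # lines without 'job <n>' carry no per-job state tracked here
        key = (int(m.group(1)), int(m.group(2)))
        job = jobs.setdefault(key, {"client": None, "server": None,
                                    "object": None, "op_infected": False,
                                    "closed": False})
        rest = m.group(3)
        if c := CONN_RE.match(rest):
            job["client"], job["server"] = c.group(1), c.group(2)
        elif n := NAME_RE.match(rest):
            job["object"] = n.group(1)
        elif INFECTED_RE.match(rest):
            job["op_infected"] = True  # FortiGuard returned a hash match
        elif rest == "close":
            job["closed"] = True
    return jobs
```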
External malware blocklist for Antivirus
Introduction
External Malware Blocklist is a new feature introduced in FortiOS 6.2.0 which falls under the Outbreak Prevention umbrella.
This feature provides another means of supplementing the AV database by allowing users to add their own malware signatures in the form of MD5, SHA1, and SHA256 hashes.
It provides a mechanism for AntiVirus to retrieve an external malware hash list from a remote server and poll that list every n minutes for updates.
Support and limitations
Malware detection using External Malware Blocklist can be used in both proxy-based and flow-based policy inspections.
Just like FortiGuard Outbreak Prevention, External Malware Blocklist is not supported in AV quick scan mode.
Using different types of hash simultaneously may slow down malware scanning. For this reason, it is recommended to use only one type of hash (MD5, SHA1, or SHA256), not all three simultaneously.
Network topology example
Configuring the feature
To configure AntiVirus to work with an External Malware Blocklist:
- Create the malware hash list:
The malware hash list follows a strict format in order for its contents to be valid. Each malware hash signature entry must be on its own line. A valid signature needs to follow the format below:
# MD5 Entry with hash description
aa67243f746e5d76f68ec809355ec234 md5_sample1
# SHA1 Entry with hash description
a57983cb39e25ab80d7d3dc05695dd0ee0e49766 sha1_sample2
# SHA256 Entry with hash description
ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379 sha256_sample1
# Entry without hash description
0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521
# Invalid entries
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3
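A validator for this list format, added here as example code written for this page rather than Fortinet's own, so a feed can be checked before the FortiGate polls it. It assumes the rule the entries above illustrate: one entry per line, a hex digest of MD5, SHA1 or SHA256 length, then optional whitespace and a description, with '#' lines as comments; it also flags a list that mixes hash types, which this section recommends against.

```python
import hashlib
import re
from typing import NamedTuple

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest lengths

# One entry per line: hex digest, then optional whitespace and description.
# A description glued to the digest with no separator is invalid, as in the
# "Invalid entries" shown above (assumed rule, inferred from those examples).
ENTRY_RE = re.compile(r"^([0-9A-Fa-f]{32}|[0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})(?:\s+(\S.*))?$")

class Entry(NamedTuple):
    hash_type: str
    digest: str
    description: str

def parse_blocklist(text):
    """Return (entries, invalid); invalid holds (line_no, line) pairs.
    Blank lines and '#' comment lines are skipped."""
    entries, invalid = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            invalid.append((line_no, line))
            continue
        digest = m.group(1).lower()
        entries.append(Entry(HASH_TYPES[len(digest)], digest, (m.group(2) or "").strip()))
    return entries, invalid

def hash_types_used(entries):
    """More than one type means the list mixes hash types, which the page
    recommends against for scanning performance."""
    return sorted({e.hash_type for e in entries})

def make_entry(data, hash_type, description=""):
    """Format one valid line for a sample (bytes) you have in hand."""
    return f"{hashlib.new(hash_type, data).hexdigest()} {description}".rstrip()

SAMPLE_LIST = """# constructed sample: the entries shown on this page, comments included
aa67243f746e5d76f68ec809355ec234 md5_sample1
a57983cb39e25ab80d7d3dc05695dd0ee0e49766 sha1_sample2
ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379 sha256_sample1
0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521
7688499dc71b932feb126347289c0b8a_md5_sample2
7614e98badca10b5e2d08f8664c519b7a906fbd5180ea5d04a82fce9796a4b87sha256_sample3
"""
```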
- Configure the External Malware Blocklist source:
Create a new external source on the Global > Security Fabric > Fabric Connectors page:
- Select Malware Hash:
Fill out the fields as shown below. The URI should point to the malware hash list on the remote server:
- The Malware Hash source object is now created:
You can view the entries inside the malware blocklist by clicking the View Entries button:
- The Malware Hash threat feed hash_list is shown.
- Enable External Malware Blocklist in the AntiVirus profile:
Enable External Malware Blocklist on the AntiVirus profile and apply the change:
AntiVirus is now ready to use the external malware blocklist.
Diagnostics and debugging
Check if the scanunit daemon has updated itself with the external hashes:
FGT_PROXY # config global
FGT_PROXY (global) # diagnose sys scanunit malware-list list
md5 'aa67243f746e5d76f68ec809355ec234' profile 'hash_list' description 'md5_sample1'
sha1 'a57983cb39e25ab80d7d3dc05695dd0ee0e49766' profile 'hash_list' description 'sha1_sample2'
sha256 '0289b0d967cb7b1fb1451339c7b9818a621903090e0020366ab415c549212521' profile 'hash_list' description ''
sha256 'ae9bc0b4c5639d977d720e4271da06b50f7c60d1e2070e9c75cc59ab30e49379' profile 'hash_list' description 'sha256_sample1'