Inspection mode differences for Antivirus
This section identifies the behavioral differences between Antivirus operating in flow and proxy inspection.
Feature comparison between Antivirus inspection modes
The following table indicates which Antivirus features are supported by their designated scan modes.
| Part1 | Replacement Message | Content Disarm | Mobile Malware | Virus
Outbreak |
Sandbox Inspection | NAC Quar-
antine |
| Proxy | Yes | Yes | Yes | Yes | Yes | Yes |
| Flow Full Mode | Yes* | No | Yes | Yes | Yes | Yes |
| Flow Quick Mode | Yes* | No | No | No | Yes | Yes |
*IPS Engine caches the URL and a replacement message will be presented after the second attempt.
| Part 2 | Archive Blocking | Emulator | Client Com- Infection forting Quarantine | Heuristics | Treat
EXE as Virus |
| Proxy | Yes | Yes | Yes Yes (1) | Yes | Yes (2) |
| Flow Full Mode | Yes | Yes | No Yes (1) | Yes | Yes (2) |
| Flow Quick Mode | No | No | No No | No | No |
- Only available on FortiGate models with HDD or when FortiAnalyzer or FortiCloud is connected and enabled.
- Only applies to inspection on IMAP, POP3, SMTP, and MAPI protocols.
Protocol comparison between Antivirus inspection modes
The following table indicates which protocols can be inspected by the designated Antivirus scan modes.
| HTTP | FTP | IMAP | POP3 | SMTP | NNTP | MAPI | CIFS | |
| Proxy | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes* |
| Flow Full Mode | Yes | Yes | Yes | Yes | Yes | No | No | Yes |
| Flow Quick Mode | Yes | Yes | Yes | Yes | Yes | No | No | Yes |
* Proxy mode Antivirus inspection on CIFS protocol has the following limitations:
- Cannot detect infections within archive files l Cannot detect oversized files
- Will block special archive types by default l IPv6 is not supported yet (at the time of FOS v6.2.0 GA)
Other Antivirus differences between inspection modes
Flow Quick mode uses a separate pre-filtering database for malware detection as opposed to the full AV signature database that Flow Full and Proxy mode inspection use.
Proxy mode uses pre-scanning and stream-based scanning for HTTP traffic. This allows archive files that exceed the oversize limit to be uncompressed and scanned for infections.