Windows file sharing (CIFS) flow-based antivirus scanning

FortiOS 5.0 now supports virus scanning of Windows file sharing traffic. This includes CIFS, SMB, and SAMBA traffic. This feature is applied by enabling SMB scanning in an antivirus profile and then adding this profile to a security policy that accepts CIFS traffic. CIFS virus scanning is available only through flow-based antivirus scanning.

FortiOS 5.0 flow-based virus scanning can detect the same number of viruses in CIFS/SMB/SAMBA traffic as it can for all supported content protocols.

Figure 5: Configuring CIFS/SMB/SAMBA virus scanning

Use the following command to enable CIFS/SMB/SAMBA virus scanning in an antivirus profile:

config antivirus profile

edit smb-profile

config smb

set options scan set avdb flow-based

end

Then add this antivirus profile to a security policy that accepts the traffic to be virus scanned. In the security policy the service can be set to ANY, SAMBA, or SMB.

config firewall policy edit 0 set service ANY … set utm-status enable set av-profile smb-profile

end

Note the following about CFIS/SMB/SAMBA virus scanning:

• Some newer version of SAMBA clients and SMB2 can spread one file across multiple sessions, preventing some viruses from being detected if this occurs.
• Enabling CIFS/SMB/SAMBA virus scanning can affect FortiGate performance.
• SMB2 is a new version of SMB that was first partially implemented in Windows Vista.
• Currently SMB2 is supported by Windows Vista or later, and partly supported by Samba 3.5 and fully support by Samba 3.6.
• The latest version of SMB2.2 will be introduced with Windows 8.
• Most clients still use SMB as default setting.

Advanced Persistent Threat (APT) protection

New advanced persistent threat (APT) protection features in FortiOS 5.0 include botnet protection, phishing protection, and zero-day threat protection using FortiGuard Analytics for sandboxing.

Botnet and phishing protection

In an antivirus profile you can configure the FortiGate unit to detect and block botnet connection attempts. This feature also blocks attempted access to phishing URLs.

The antivirus database includes a constantly updated database of known command and control (C&C) sites that Botnet clients attempt to connect too as well as a database of phishing URLs.

To enable Botnet and phishing protection in an antivirus profile select Block Connections to Botnet Servers. Botnet protection is available for proxy and flow-based antivirus profiles.

Figure 6: Adding Botnet and phishing protection.

FortiGuard Sandbox (in the cloud sandboxing, zero day threat analysis and submission)

In a Proxy Mode antivirus profile, enabling Send Files to FortiGuard Sandbox for Inspection to causes your FortiGate unit to upload files to FortiGuard where the file will be executed and the resulting behavior analyzed for risk. You have the choice of uploading all files or only the suspicious ones. If the file exhibits risky behavior or is found to contain a virus, a new virus signature is created and added to the FortiGuard antivirus signature database. The next time your FortiGate unit updates its antivirus database it will have the new signature.

Currently, a file is considered suspicious if it does not contain a known virus and if it has some suspicious characteristics. The suspicious characteristics can change depending on the current threat climate and other factors. Fortinet optimizes how files are uploaded as required.

The FortiGuard Sandbox feature is available if you have a valid FortiCloud subscription. To verify whether or not a subscription is associated with your FortiGate go to System >

Dashboard > Status and check the License Information widget in the FortiCloud subsection.

Figure 7: Enabling FortiGuard Sandbox in an Antivirus Profile

On the FortiGate, there are two ways to verify that files are being uploaded to the FortiCloud Sandbox. The first is to go to System > Config > FortiSandbox. The window is for configuring whether or not the FortiGate unit is to use the FortiCloud Sandbox or a FortiSandbox Appliance but it also shows the statistics of files submitted to the Sandbox over the last seven days.

The second method is to got System > Dashboard > Status and view the Advanced Threat Protection Statistics dashboard widget. This widget will show essentially the same information.This widget is not one of the default ones so you will have to add it to the Dashboard.

Figure 8: Example Advanced Threat Protection Statistics widget showing Sandbox submissions

To view information relating to the Antivirus function from the FortiCloud side, go to System > Dashboard > Status and look at the License Information widget. In the FortiCloud subsection in the Account line, select the Launch Portal link. Once at the portal select the icon for the specific FortiGate that you view the information for.

Under the Logs & Archives tab of the menu bar you will find the UTM option. Once this option is selected, you will have the option of choosing AntiVirus. The site will display records within the designated time frame that refer to AntiVirus events recorded by the logs.

Figure 9: Example view of FortiCloud’s AntiVirus logs

In addition to the normal UTM logs, there is a new menu item in that top menu bar that appears when your FortiGate is configured to submit files to the FortiSandbox. This page on the site will

 

display more granular information on files with viruses that are submitted by your FortiGate unit.This information will include:

• Date and Time
• File Name
• User Name
• Service
• Source IP
• Destination IP
• Vdom
• Analysis
• URL

Testing your antivirus configuration

You have configured your FortiGate unit to stop viruses, but you’d like to confirm your settings are correct. Even if you have a real virus, it would be dangerous to use for this purpose. An incorrect configuration will allow the virus to infect your network.

To solve this problem, the European Institute of Computer Anti-virus Research has developed a test file that allows you to test your antivirus configuration. The EICAR test file is not a virus. It can not infect computers, nor can it spread or cause any damage. It’s a very small file that contains a sequence of characters. Your FortiGate unit recognizes the EICAR test file as a virus so you can safely test your FortiGate unit antivirus configuration.

Go to http://www.fortiguard.com/antivirus/eicartest.html to download the test file (eicar.com) or the test file in a ZIP archive (eicar.zip).

If the antivirus profile applied to the security policy that allows you access to the Web is configured to scan HTTP traffic for viruses, any attempt to download the test file will be blocked. This indicates that you are protected.

Antivirus examples

The following examples provide a sample antivirus configuration scenario for a fictitious company.

Configuring simple antivirus protection

Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable antivirus protection on a FortiGate unit located in a satellite office. The satellite office does not have an internal email server. To send and retrieve email, the employees connect to an external mail server.

Creating an antivirus profile

Most antivirus settings are configured in an antivirus profile. Antivirus profiles are selected in firewall policies. This way, you can create multiple antivirus profiles, and tailor them to the traffic controlled by the security policy in which they are selected. In this example, you will create one antivirus profile.

To create an antivirus profile — web-based manager

1. Go to Security Profiles > AntiVirus > Profiles.
2. Select Create New.
3. In the Name field, enter basic_antivirus.
4. In the Comments field, enter Antivirus protection for web and email traffic.
5. Select the Virus Scan check boxes for the HTTP, IMAP, POP3, and SMTP traffic types.
6. Select OK to save the antivirus profile.

To create an antivirus profile — CLI config antivirus profile

edit basic_antivirus

set comment “Antivirus protection for web and email traffic” config http

set options scan end config imap

set options scan end config pop3

set options scan end config smtp

set options scan end

end

Selecting the antivirus profile in a security policy

An antivirus profile directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an antivirus profile is selected in a security policy, its settings are applied to all the traffic the security policy handles.

To select the antivirus profile in a security policy — web-based manager

1. Go to Policy > Policy > Policy.
2. Create a new or edit a security policy.
3. Turn on Antivirus.
4. Select an antivirus profile.
5. Select OK to save the security policy.

To select the antivirus profile in a security policy — CLI config firewall policy

edit 1

set utm-status enable set profile-protocol-options default set av-profile basic_antivirus

end

HTTP, IMAP, POP3, and SMTP traffic handled by the security policy you modified will be scanned for viruses. A small office may have only one security policy configured. If you have multiple policies, consider enabling antivirus scanning for all of them.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!