Course 201 – Administration, Content Inspection and SSL VPN

Presentation transcript:

Course 201 – Administration, Content Inspection and SSL VPN
Antivirus
01-4310-0201-RTOL-20110729

Module Objectives
By the end of this module participants will be able to:
- Identify the virus scanning techniques used on the FortiGate unit
- Identify the differences between file-based and flow-based virus scanning
- Configure quarantine options
- Define firewall policies using antivirus profiles
- Update FortiGuard Services

Antivirus
Antivirus scanning detects and eliminates viruses, worms, trojans and spyware in real time. The FortiGate unit stores a virus database that can identify thousands of individual viruses; the database is updated when new threats are discovered. Antivirus operations stop threats before they enter the network.
- Scans HTTP and FTP traffic as well as incoming and outgoing SMTP, POP3 and IMAP email
- Internet Content Adaptation Protocol (ICAP) support: the FortiGate unit acts as an ICAP client and communicates with ICAP servers to which it can offload AV scanning services. ICAP is first enabled in Settings, then configured under UTM Profiles > ICAP.

Antivirus Scanning Order
Antivirus operations are applied to data coming into the FortiGate unit in a specific order:
1. File size: block if the file is above the specified threshold.
2. File name pattern: block file names matching a pattern, for example *.exe.
3. Virus scan: virus definitions are kept up to date through FortiGuard Subscription Services.
4. File type: analyze the type regardless of the name, for example no executables even if renamed to .txt.
5. Grayware.
6. Heuristics: detect virus-like behavior.

File-Based Scanning
- The antivirus proxy buffers the file as it arrives
- Once the transmission is complete, the virus scanner examines the file
- Higher detection and accuracy rate
The most thorough scan requires that the FortiGate unit have the whole file for the scanning procedure. The antivirus proxy buffers the file as it arrives, and once the transmission is complete the virus scanner examines the file. If an infection is present, a replacement message is sent to the destination; if no infection is present, the file is sent to the destination. During the buffering and scanning procedure the client must wait: the file is released to the client only after it is scanned. Client comforting feeds the client a trickle of data to prevent it from thinking the transfer has stalled.
The FortiGate unit requires just one signature to detect any variation of a polymorphic virus. Only the signature of the exposed file needs to be checked, removing the need to manage a collection of signatures for each permutation of the virus. This delivers a higher detection and accuracy rate.
The FortiGate unit has a limited amount of memory to buffer files for scanning. Files larger than a certain size do not fit within the memory buffer; the maximum size varies by model (the default size is 10 MB). Files larger than the buffer are passed to the destination without scanning. If allowing files that are too large to be scanned is an unacceptable security risk, use the oversize file/email setting to block files larger than the antivirus buffer. The FortiGate unit then sends a replacement message for an oversized file or email attachment to the HTTP or email proxy client.

Flow-Based Scanning
- The file is scanned on a packet-by-packet basis as it passes through the FortiGate unit
- Faster scanning, but lower accuracy rate
- Difficulty in catching virus variants
- Only available on certain models
Flow-based scanning does not require the file to be buffered, so it is scanned packet by packet as it passes through the FortiGate unit. Flow-based antivirus scanning uses the FortiGate IPS engine to examine network traffic without the need to buffer the file being checked. It provides faster scanning but detects a smaller number of infections. Viruses in documents, packed files and some archives are less likely to be detected because the scanner can only examine a small portion of the file at any moment. Hackers aware of how flow-based scanners operate will deliberately compress or archive their malicious files or content to evade these scanners. Flow-based techniques do offer marginal performance gains, but these gains are often negated by having to match the stream of data against a large and ever-swelling database of virus variants.
Flow-based scanning can be enabled only on certain FortiGate models. A flow-based virus database is available through FortiGuard Subscription Services.

Virus Scanning
If the file passes the file pattern scan, the FortiGate unit applies virus scanning to it. The FortiGate unit uses virus definitions to detect threats as the content passes through the device. The definitions are contained within databases that are refreshed every time the FortiGate unit receives an update from the FortiGuard Subscription Services.
Virus databases available for use on the FortiGate unit:
- Regular virus database: the most commonly seen viruses on the network ("in the wild"), recent activity.
- Extended virus database: enhanced security, "zoo" viruses, past activity.
- Extreme virus database: contains the most extensive list of virus signatures, but because of its size it needs additional storage capacity which is not available across all models. This database is therefore restricted to platforms that have at least 512M of flash storage and 1G of main memory (FG-200B, FG-620B, FG-1240B). To configure it through the CLI:
    config antivirus settings
        set default-db extreme
    end
- Flow-based database: a subset of the extreme database. Flow-based scans cannot detect polymorphic and packed-file viruses, so these signatures are not included in the flow-based database. Note that flow-based scanning is not just another type of virus database but a different type of scanning.
    config antivirus settings
        set default-db flow-based
    end
The default antivirus database is used for all antivirus scanning. If a particular policy or traffic type requires scanning using a different database, you can override the default. Antivirus database overrides are applied to individual traffic types in an antivirus profile. The override affects only the traffic types to which it is applied, for traffic handled by the firewall policy the antivirus profile is applied to.
Antivirus database overrides can be set only using the CLI:
    config antivirus profile
        edit sample
            config http
                set avdb extended
            end
        next
    end
In this example, the extended database will be used for HTTP traffic in any policy using the sample antivirus profile.

FortiGuard Services
Products covered by FortiGuard Subscription Services, as listed on the slide: FortiGate (Antivirus, Antispam, Web filtering, Intrusion Prevention System, Application control, Voice), FortiAnalyzer (Vulnerability Management Service), FortiMail, FortiDB (Database Security Service), FortiClient, FortiWeb (FortiWeb Security Service), FortiScan.
The FortiGuard Antivirus service is available as part of the FortiGuard Subscription Services. It keeps FortiGate, FortiMail and FortiClient devices updated with the latest antivirus definitions, is available 24 x 7, requires a license, and is delivered from secure, high availability data centers. The FortiGuard Antivirus service protects against both new and evolving viruses, spyware and malware.
FortiGuard Antivirus update options:
- On-Demand Updates: update your antivirus definitions at any time by clicking Update Now.
- Automated Updates: based on a schedule that can be hourly, weekly or daily.
- Push Updates: allow the FortiGuard servers to push updates to your FortiGate device for the fastest possible response to critical situations. When a FortiGate unit is configured to allow push updates it sends a setup message to the FortiGuard Distribution Network. The next time new definitions are released, FortiGuard notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push update notice the FortiGate unit requests an update from the FortiGuard servers, so it receives updates sooner than if it received only scheduled updates. When the FortiGate unit receives a push notification it makes only one attempt to connect to the FortiGuard Distribution Network and download updates; for this reason schedules should be used in addition to push updates. If the FortiGuard Distribution Network can only reach the FortiGate unit through a NAT device, port forwarding must be configured on the NAT device and the port forwarding information must be added to the push update configuration.
- Manual updates: if a connection to the FortiGuard Distribution Network is not available from the FortiGate device, the latest definition files can be downloaded from another computer and copied to the computer used to manage the FortiGate. You can then browse from the FortiGate unit to the definition file to perform the update.
If a FortiManager device is used in the infrastructure, it can be configured to behave as a FortiGuard Subscription Services server. The FortiManager is then responsible for downloading updates, and managed FortiGate devices access updates from the FortiManager. The Use override server address setting identifies the location of the FortiManager device.

Connecting to FortiGuard Servers
1. The FortiGate unit submits a DNS A record lookup for service.fortiguard.net.
2. The DNS server returns the IP address for service.fortiguard.net to the FortiGate unit.
3. The FortiGate unit submits an INIT message, license check and server list request to the service.fortiguard.net server.
4. The service.fortiguard.net server returns the service status and server list information to the FortiGate unit.
5. The FortiGate unit submits a query to the FortiGuard server (for example, in what category is www.google.com?).
6. The FortiGuard server returns the response to the query (for example, www.google.com is in the Search Engine category).
7. If no response is obtained from the first server within 2 seconds, the next FortiGuard server in the server list is contacted. The next available FortiGuard server returns the response to the query.

Grayware
When Enable Grayware Detection is turned on, the FortiGate unit scans for grayware any time it checks for viruses. All grayware categories are filtered when detection is enabled:
Adware, Browser helper objects, Dialers, Downloaders, Games, Hacker tools, Hijackers, Jokes, Keyloggers, NMT, P2P, Plugins, Remote access tools, Spyware, Toolbars

Heuristics Scanning
Virus-like attribute + virus-like attribute + virus-like attribute > heuristic threshold = suspicious
After an incoming file has passed the grayware scan, it is subject to the heuristic scan. The FortiGate unit performs tests on the file to detect virus-like behavior or known virus indicators. Heuristics looks at the construction of files for characteristics commonly found in viruses. As a file is examined, the virus-like attributes are totaled; if the threshold in the number of virus-like attributes is passed, the file is marked as 'suspicious'. Heuristic scanning may detect new viruses but may also produce some false positive results.
Heuristic scanning only examines Microsoft Windows executable files (Windows Portable Executable files), typically ending with an 'exe' extension. The default settings of FortiGate units have heuristic virus scanning enabled, but suspicious files are allowed to pass because of the possibility of false positives. Using CLI commands, you can disable heuristics entirely, or set suspicious files to be blocked or passed. Files marked as suspicious can be quarantined, and even automatically uploaded to the FortiGuard Center for analysis, depending on settings.
CLI commands:
    config antivirus heuristic
        set mode {pass | block | disable}
    end
- pass: enable heuristic scanning but pass detected files to the recipient. Suspicious files are quarantined if quarantine is enabled.
- block: enable heuristic scanning and block detected files. A replacement message is forwarded to the recipient. Blocked files are quarantined if quarantine is enabled.
- disable: disable heuristic scanning.
Suspicious files caught by the heuristic scan can be autosubmitted to FortiGuard Subscription Services for further analysis.
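The scanning order, the buffer-size behaviour of file-based scanning and the heuristic pass/block/disable modes described above, modelled as an added example (this is not Fortinet code; the signature, grayware markers, heuristic attribute names and profile field names are constructed for the illustration):

```python
# Model of the FortiGate antivirus inspection order taught in this module.
# Added example for this page, not Fortinet code: all constants are constructed.
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed signature database: the EICAR test string stands in for a real
# virus definition.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {EICAR: "EICAR-Test-File"}
# Constructed grayware markers, standing in for two of the slide's categories.
GRAYWARE = {b"AdBar/": "Adware", b"KeyLog/": "Keyloggers"}
# Constructed "virus-like attributes" totalled by the heuristic scan.
HEURISTIC_ATTRS = (b"VirtualAllocEx", b"WriteProcessMemory",
                   b"CreateRemoteThread", b"IsDebuggerPresent")


@dataclass
class Profile:
    """Settings an antivirus profile controls (field names are this example's own)."""
    buffer_limit: int = 10 * 1024 * 1024        # default 10 MB buffer (slide)
    block_oversize: bool = False                # oversize file/email setting
    block_patterns: tuple = ("*.exe", "*.scr")  # file name pattern block list
    block_types: frozenset = frozenset()        # e.g. {"pe"}: no executables
    grayware: bool = True                       # grayware detection enabled
    heuristic_mode: str = "pass"                # pass | block | disable
    heuristic_threshold: int = 3                # attribute count must exceed this


def file_type(data: bytes) -> str:
    """Classify by content so a renamed executable is still recognised."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:4] == b"%PDF":
        return "pdf"
    return "other"


def inspect(name: str, data: bytes, p: Profile) -> tuple:
    """Run the checks in the slide's order and return (verdict, reason)."""
    # 1. File size: a file that does not fit the buffer is not scanned at all.
    if len(data) > p.buffer_limit:
        return ("block", "oversize") if p.block_oversize else ("pass", "oversize-unscanned")
    # 2. File name pattern, e.g. *.exe (matched case-insensitively on the name).
    for pat in p.block_patterns:
        if fnmatch(name.lower(), pat):
            return ("block", f"pattern {pat}")
    # 3. Virus scan against the signature database.
    for sig, virus in SIGNATURES.items():
        if sig in data:
            return ("block", f"virus {virus}")
    # 4. File type, decided from content regardless of the extension.
    kind = file_type(data)
    if kind in p.block_types:
        return ("block", f"type {kind}")
    # 5. Grayware categories, checked whenever virus scanning runs.
    if p.grayware:
        for marker, category in GRAYWARE.items():
            if marker in data:
                return ("block", f"grayware {category}")
    # 6. Heuristics: Windows PE files only; attributes totalled against a threshold.
    if p.heuristic_mode != "disable" and kind == "pe":
        score = sum(1 for attr in HEURISTIC_ATTRS if attr in data)
        if score > p.heuristic_threshold:
            verdict = "block" if p.heuristic_mode == "block" else "pass"
            return (verdict, f"suspicious ({score} attributes)")
    return ("pass", "clean")


if __name__ == "__main__":
    # Constructed samples; a real unit would see the proxied file bodies.
    pe = b"MZ" + b"".join(HEURISTIC_ATTRS)
    print(inspect("eicar.txt", EICAR, Profile()))
    print(inspect("tool.txt", pe, Profile(block_types=frozenset({"pe"}))))
    print(inspect("tool.bin", pe, Profile(heuristic_mode="block")))
```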

Quarantine
Infected, blocked or suspicious files can be quarantined to the hard drive on the FortiGate unit or to a FortiAnalyzer device.
- FortiGate units with a local disk can quarantine infected, suspicious or blocked files. When quarantining to a local disk the following can be defined: the maximum size of the file to quarantine, the length of time to keep the quarantined file, and whether to drop or overwrite files when the hard drive becomes full.
- FortiGate units without a local disk can quarantine to a FortiAnalyzer unit. The maximum size of the file to quarantine can be specified.
Files are quarantined based on their protocol. Quarantined files can be autosubmitted to FortiGuard for further analysis. Information regarding quarantined files is displayed in the logs.

Antivirus Profiles
Antivirus operations are applied to traffic through antivirus profiles (for example, a profile named Class_Scan). Antivirus operations are enabled on a protocol-by-protocol basis in the antivirus profile. Profiles are in turn applied to firewall policies, and any traffic examined by the policy has the antivirus operations applied to it. Scanning of secure traffic is available on certain models.

Labs
Lab - Antivirus Scanning
- Enabling FortiGuard Subscription Services and updates
- Configuring Global Antivirus Settings
- Testing Virus Scanning for HTTP
- Inspecting HTTPS traffic

Student Resources
List of resources used in this module.