
Security Profiles – AntiVirus – FortiOS 6.2

AntiVirus

Content disarm and reconstruction for AntiVirus

Introduction

Content Disarm and Reconstruction (CDR) allows the FortiGate to sanitize Microsoft Office
documents and PDF files (disarm) by removing active content such as hyperlinks, embedded
media, JavaScript, macros, etc. from the files without affecting the integrity of their
textual content (reconstruction).

This feature allows network admins to protect their users from malicious office document
files.

Files processed by CDR can have the original copy quarantined on the FortiGate, allowing
admins to observe them. These original copies can also be obtained in the event of a false
positive.

Support and limitations

- CDR can only be performed on Microsoft Office Document and PDF files.
- Local Disk CDR quarantine is only possible on FortiGate models that contain a hard disk.
- CDR is only supported on HTTP, SMTP, POP3, IMAP.
- SMTP splice and client-comfort mode is not supported.
- CDR does not work on flow based inspection modes.
- CDR can only work on files in .ZIP type archives.

Network topology example

Configuring the feature

In order to configure AntiVirus to work with CDR, you must enable CDR on your AntiVirus
profile, set the quarantine location, and then fine tune the CDR detection parameters.

To enable CDR on your AntiVirus profile:

1. Go to Security Profiles > AntiVirus.
2. Enable the toggle for Content Disarm and Reconstruction under APT Protection Options.

To set a quarantine location:

1. Go to Security Profiles > AntiVirus.
2. Select a quarantine location from the available options, including Discard, File
Quarantine, and FortiSandbox.

Discard          The default setting, which discards the original document file.
File Quarantine  Saves the original document file to disk (if possible) or to a connected
                 FortiAnalyzer based on the FortiGate's log settings, visible through
                 Config Global > Config Log FortiAnalyzerSetting.
FortiSandbox     Saves the original document file to a connected FortiSandbox.

To fine tune CDR detection parameters in the FortiGate CLI:

- Select which active content to detect/process:

By default, all active Office and PDF content types are enabled. To fine tune CDR to
ignore certain content, you must disable that particular content parameter. The
example below configures CDR to ignore Microsoft Office macros.

FGT_PROXY (vdom1) # config antivirus profile
FGT_PROXY (profile) # edit av
change table entry 'av'
FGT_PROXY (av) # config content-disarm
FGT_PROXY (content-disarm) # set ?
original-file-destination   Destination to send original file if active content is removed.
office-macro                Enable/disable stripping of macros in Microsoft Office documents.
office-hylink               Enable/disable stripping of hyperlinks in Microsoft Office documents.
office-linked               Enable/disable stripping of linked objects in Microsoft Office documents.
office-embed                Enable/disable stripping of embedded objects in Microsoft Office documents.
office-dde                  Enable/disable stripping of Dynamic Data Exchange events in Microsoft Office documents.
office-action               Enable/disable stripping of PowerPoint action events in Microsoft Office documents.
pdf-javacode                Enable/disable stripping of JavaScript code in PDF documents.
pdf-embedfile               Enable/disable stripping of embedded files in PDF documents.
pdf-hyperlink               Enable/disable stripping of hyperlinks from PDF documents.
pdf-act-gotor               Enable/disable stripping of PDF document actions that access other PDF documents.
pdf-act-launch              Enable/disable stripping of PDF document actions that launch other applications.
pdf-act-sound               Enable/disable stripping of PDF document actions that play a sound.
pdf-act-movie               Enable/disable stripping of PDF document actions that play a movie.
pdf-act-java                Enable/disable stripping of PDF document actions that execute JavaScript code.
pdf-act-form                Enable/disable stripping of PDF document actions that submit data to other targets.
cover-page                  Enable/disable inserting a cover page into the disarmed document.
detect-only                 Enable/disable only detect disarmable files, do not alter content.
FGT_PROXY (content-disarm) # set office-macro disable
FGT_PROXY (content-disarm) #

- Detect but do not modify active content:

By default, CDR will disarm any detected documents containing active content. To
prevent CDR from disarming documents, you can set it to operate in detect-only
mode. To do this, the option detect-only must be enabled.

FGT_PROXY (vdom1) # config antivirus profile
FGT_PROXY (profile) # edit av
change table entry 'av'
FGT_PROXY (av) # config content-disarm
FGT_PROXY (content-disarm) # set detect-only ?
disable      Disable this Content Disarm and Reconstruction feature.
enable       Enable this Content Disarm and Reconstruction feature.
FGT_PROXY (content-disarm) # set detect-only enable
FGT_PROXY (content-disarm) #

- Enabling/disabling the CDR cover page:

By default, a cover page will be attached to the file's content when the file has been
processed by CDR. To disable the cover page, the parameter cover-page needs to be
disabled.

FGT_PROXY (vdom1) # config antivirus profile
FGT_PROXY (profile) # edit av
change table entry 'av'
FGT_PROXY (av) # config content-disarm
FGT_PROXY (content-disarm) # set cover-page ?
disable      Disable this Content Disarm and Reconstruction feature.
enable       Enable this Content Disarm and Reconstruction feature.
FGT_PROXY (content-disarm) # set cover-page disable
FGT_PROXY (content-disarm) #
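The detect-only and disarm behaviour described in the fine-tuning steps above, as an added illustration in Python that is not Fortinet's code or a description of the FortiOS engine: it walks a Word (.docx) package, which is a ZIP archive, reports which of the page's Office parameter classes (office-macro, office-hylink, office-linked, office-embed, office-dde) are present, and strips the macro member as a minimal disarm step. The mapping from ZIP members to parameter names and the sample document are my own constructions.

```python
import io
import re
import zipfile

# Indicators for the Office active-content classes that the content-disarm parameters on this
# page switch on and off; mapping ZIP members to parameter names this way is my assumption.
INDICATORS = {
    "office-macro": lambda name, data: name.lower().endswith("vbaproject.bin"),
    "office-embed": lambda name, data: "/embeddings/" in name.lower(),
    "office-hylink": lambda name, data: name.endswith(".rels")
        and b"/relationships/hyperlink" in data,
    "office-linked": lambda name, data: name.endswith(".rels")
        and b'TargetMode="External"' in data and b"/relationships/oleObject" in data,
    "office-dde": lambda name, data: name.endswith(".xml")
        and re.search(rb"<w:instrText[^>]*>\s*DDE(AUTO)?\b", data) is not None,
}

def detect_active_content(docx_bytes: bytes) -> dict:
    """Detect-only pass: report which parameter classes occur, and in which ZIP members."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for info in z.infolist():
            data = z.read(info)
            for param, check in INDICATORS.items():
                if check(info.filename, data):
                    found.setdefault(param, []).append(info.filename)
    return found

def strip_macros(docx_bytes: bytes) -> bytes:
    """Disarm step for office-macro only: drop the VBA member (a real engine also fixes rels)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if not INDICATORS["office-macro"](info.filename, b""):
                dst.writestr(info.filename, src.read(info))
    return out.getvalue()

def build_sample_docx() -> bytes:
    """Constructed minimal package carrying a macro, an external hyperlink and an embedding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document><w:body><w:p/></w:body></w:document>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" TargetMode="External" '
                   'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
                   'Target="https://example.com/"/></Relationships>')
        z.writestr("word/embeddings/oleObject1.bin", b"constructed embedded object")
    return buf.getvalue()
```

Running `detect_active_content(build_sample_docx())` corresponds to detect-only mode; running it again on `strip_macros(...)` shows the macro class gone while the hyperlink and embedding remain, which is what disabling only office-macro on the FortiGate would leave in place in reverse.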

FortiGuard Outbreak Prevention for AntiVirus

Introduction

FortiGuard Outbreak Prevention was introduced in FortiOS 6.0.0 and allows the FortiGate's
AntiVirus database to be supplemented with third-party malware hash signatures curated by
FortiGuard.

Those hash signatures are obtained from external sources such as VirusTotal, Symantec,
Kaspersky, and other third-party websites and services.

This feature provides the mechanism for AntiVirus to query FortiGuard with the hash of
a scanned file. If FortiGuard returns a match from its many curated signature sources,
the scanned file is deemed to be malicious.

The concept of FortiGuard Outbreak Prevention is to detect zero-day malware through a
collaborative approach.

Support and limitations

- FortiGuard Outbreak Prevention can be used in both proxy-based and flow-based
policy inspections across all supported protocols.
- FortiGuard Outbreak Prevention does not support AV in quick scan mode.
- FortiGate must be registered with a valid FortiGuard Outbreak Prevention license before
this feature can be used.

Network topology example

Configuring the feature

In order for AntiVirus to work with an external block list, you must register the FortiGate
with a FortiGuard Outbreak Prevention license and enable FortiGuard Outbreak Prevention
in the AntiVirus profile.

To obtain/renew a FortiGuard AntiVirus license:

1. See the following link for instructions on how to purchase or renew a FortiGuard
Outbreak Prevention license:
https://video.fortinet.com/products/fortigate/6.0/how-to-purchase-or-renew-fortiguard-services-6-0
2. Once the license has been activated, you can verify its status by going
to Global > System > FortiGuard.

To enable FortiGuard Outbreak Prevention in the AntiVirus profile:

1. Go to Security Profiles > AntiVirus.
2. Select the toggle to enable Use FortiGuard Outbreak Prevention Database.
3. Select Apply.

Diagnostics and debugging

- Check if FortiGate has Outbreak Prevention lice
