AntiVirus
Introduction
Content Disarm and Reconstruction (CDR) allows the FortiGate to sanitize Microsoft Office
documents and PDF files (disarm) by removing active content such as hyperlinks, embedded
media, JavaScript, macros, etc. from the files without affecting the integrity of their
textual content (reconstruction).
This feature allows network admins to protect their users from malicious office document
files.
Files processed by CDR can have the original copy quarantined on the FortiGate, allowing
admins to observe them. These original copies can also be obtained in the event of a false
positive.
- CDR can only be performed on Microsoft Office Document and PDF files.
- Local Disk CDR quarantine is only possible on FortiGate models that contain a hard disk.
- CDR is only supported on HTTP, SMTP, POP3, IMAP.
- SMTP splice and client-comfort mode is not supported.
- CDR does not work on flow based inspection modes.
- CDR can only work on files in .ZIP type archives.
In order to configure AntiVirus to work with CDR, you must enable CDR on your AntiVirus
profile, set the quarantine location, and then fine tune the CDR detection parameters.
Discard: The default setting, which discards the original document file.
File Quarantine: Saves the original document file to disk (if possible) or a connected
FortiAnalyzer based on the FortiGate's log settings, visible
through Config Global > Config Log FortiAnalyzerSetting.
Office documents.
Office documents.
office-dde Enable/disable stripping of Dynamic Data Exchange events in Microsoft Office documents.
office-action Enable/disable stripping of PowerPoint action events in Microsoft Office documents.
FGT_PROXY (profile) # edit av
change table entry 'av'
FGT_PROXY (av) # config content-disarm
disable    Disable this Content Disarm and Reconstruction feature.
enable     Enable this Content Disarm and Reconstruction feature.
FGT_PROXY (content-disarm) # set detect-only enable
FGT_PROXY (content-disarm) #
FGT_PROXY (content-disarm) # set cover-page
disable    Disable this Content Disarm and Reconstruction feature.
enable     Enable this Content Disarm and Reconstruction feature.
FGT_PROXY (content-disarm) #
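The following added example (not from the original page or from Fortinet) audits an AntiVirus profile export against the CDR limits listed above: proxy inspection only, and coverage of HTTP, SMTP, POP3 and IMAP. The sample configuration is constructed, and the key names inspection-mode and the per-protocol content-disarm setting are assumptions that do not appear on the page.

```python
# Added example: audit a FortiGate AntiVirus profile against the CDR limits above.
# Assumed key names (not on the page): inspection-mode, per-protocol content-disarm.
CDR_PROTOCOLS = ("http", "smtp", "pop3", "imap")  # protocols the page lists

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
config antivirus profile
    edit "av"
        set inspection-mode proxy
        config http
            set content-disarm enable
        end
        config smtp
            set content-disarm enable
        end
        config content-disarm
            set detect-only enable
            set cover-page disable
        end
    next
end
"""

def parse_profile(text):
    """Return {section: {key: value}}; profile-level settings are stored under ''."""
    sections, stack = {"": {}}, []
    for words in (line.split() for line in text.splitlines()):
        if not words:
            continue
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "end" and stack:
            stack.pop()
        elif words[0] == "set" and len(words) >= 3:
            name = stack[-1] if len(stack) > 1 else ""
            sections.setdefault(name, {})[words[1]] = " ".join(words[2:])
    return sections

def audit_cdr(text):
    """List settings that leave documents un-sanitized under the limits above."""
    cfg, findings = parse_profile(text), []
    if cfg[""].get("inspection-mode") != "proxy":
        findings.append("profile is not in proxy mode; CDR does not work in flow mode")
    for proto in CDR_PROTOCOLS:
        if cfg.get(proto, {}).get("content-disarm") != "enable":
            findings.append(f"CDR not enabled for {proto}")
    if cfg.get("content-disarm", {}).get("detect-only") == "enable":
        findings.append("detect-only is enabled; review whether files are being disarmed")
    return findings
```

Calling audit_cdr(SAMPLE) reports the two mail protocols without CDR and the detect-only setting.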
Introduction
FortiGuard Outbreak Prevention was introduced in FortiOS 6.0.0 and allows the FortiGate's
AntiVirus database to be supplemented with third-party malware hash signatures curated by
FortiGuard.
Those hash signatures are obtained from external sources such as VirusTotal, Symantec,
Kaspersky, and other third-party websites and services.
This feature provides the mechanism for AntiVirus to query the FortiGuard with the hash of
a scanned file. If the FortiGuard returns a match from its many curated signature sources,
the scanned file is deemed to be malicious.
1. See the following link for instructions on how to purchase or renew a FortiGuard
Outbreak Prevention license:
https://video.fortinet.com/products/fortigate/6.0/how-to-purchase-or-renew-fortiguard-services-6-0
2. Once the license has been activated, you can verify its status by going
to Global > System > FortiGuard.
1. Go to Security Profiles > AntiVirus.
2. Select the toggle to enable Use FortiGuard Outbreak Prevention Database.
3. Select Apply.