
FortiGate I

Antivirus and Conserve Mode

FortiGate 5.4.1
© Copyright Fortinet Inc. All rights reserved. Last Modified: Wednesday, April 29, 2020
1
Objectives
• Categorize malware types and evasion techniques
• Detect and block malware
o Identify order of scan
• Update antivirus database through FortiGuard services
• Differences between FortiGate inspection modes
• Choose between proxy-based and flow-based antivirus scans
• Configure antivirus profile
• Search logs for antivirus events
• Check if FortiGate is in memory conserve mode
2
What is Malware?
• A category of software that has a detrimental effect, such as gaining access to a system, gathering sensitive information, corrupting the system or destroying data

• Viruses
o Self-replicating code that installs copies of itself into other programs
• Often attached to an executable file
• Does not require user consent, or tricks the user into giving permission
• Infects and spreads on its own
o Small in size
• Grayware
o Unwanted applications that are not classified as viruses but can be annoying and may cause security risks
• Spyware and adware, often bundled with shareware / free software
o Size varies

3
Malware Types and Behavior
Malware Type: Behaviour
Trojans
• Malicious program used to hack a user's computer to spy on user activities, steal sensitive data, corrupt data, and/or block access to data
• Can set up a backdoor control mechanism
Worms
• Spread to other hosts through the network without user interaction
• Consume resources (bandwidth, storage) using vulnerabilities on the target computer
Spyware
• Tracks browsing history and web site passwords without user knowledge
Ransomware
• Encrypts files and demands payment to unlock them
Rootkit
• Gets "root" or "Administrator" account access
• Has maximum permissions, so normal users may not be able to detect it
Keylogger
• Records passwords, bank accounts
Botnets
• Compromise the computer, which acts as a zombie in a for-hire botnet
• Target host can be used to send spam or Distributed DoS attacks

4
Evasion Techniques
• Encryption
o Payload is encrypted and a decryption function included in the code is used before executing
• Polymorphism
o Uses encryption keys or can change the code when executing, but the function (definition) of the code does not change
o Requires polymorphic engine in payload

• Metamorphism
o Rewrites its own code, which looks totally different with each infection
• Used to avoid pattern recognition
o Requires metamorphic engine in payload
(Figure: "One species of ant, many shapes." Source: http://en.wikipedia.org/wiki/Ant)

5
Antivirus
What is Antivirus and How Does It Work?
Database of virus signatures to identify infections

• Virus names: <vector>/<pattern>
o Example: W32/Kryptik.EMT!tr
• <vector> for a virus will always be the same, but vendors assign different IDs for <pattern>
• To detect a virus, the antivirus engine must match the file with a pattern (<signature>)
• Each vendor uses different detection engines & signatures
o MD5
o CRC
o Combinations of file attributes
o Binary values in some areas
o Encryption keys
o Parts of code

7
Antivirus Scanning Techniques
• Antivirus Scan
o Detect and eliminate malware in real-time
• Stop threats from spreading
o Preserve your public IP's client reputation
• Grayware Scan
o Antivirus actions apply
• Heuristics Scan
o Looks for virus-like code
• (Example: Modifies registry to restart itself after reboot)
o Counts virus-like attributes
o If greater than a threshold, file is suspicious
o False positive possible

Order of Scan (diagram):
1 Antivirus Scan
2 Grayware Scan
3 Heuristics Scan
Grayware and heuristics scans are optional (must be enabled in CLI)

8
Sandboxing
• Can detect zero-day attacks with high certainty
o FortiGate uploads files to FortiCloud Sandbox / FortiSandbox appliance
• Must activate a FortiCloud account to use FortiCloud Sandbox
o File executed in an isolated environment ("sandbox")
o Examines effects to detect new malware
o Can configure to receive new signatures from System > Cooperative Security Fabric
(Diagram: FortiGate uploads files to the FortiCloud Sandbox / FortiSandbox appliance and receives new signatures. Uploading files and receiving new signatures is per antivirus profile.)

9
Antivirus Signature Database
• System > FortiGuard
o Requires subscription to FortiGuard Antivirus
• Antivirus scanning engine relies on the antivirus signature database
• Choosing antivirus signature database (CLI only)
o Normal – Includes common recent attacks and is available on all models
o Extended – Includes normal plus additional recent non-active viruses
o Extreme – Includes extended plus additional old dormant viruses

10
Mobile Malware Database
• Requires separate subscription
• Ensures protection against latest threats targeting mobile platforms
o Apple iOS
o Android
o Windows mobile devices
• Proactive threat intelligence library offers complete protection against mobile threats
https://fortiguard.com/avmobilethreats

11
FortiGate Inspection Modes
Proxy-based compared to Flow-based

Proxy-based scanning
• More thorough inspection – adds latency
• Two TCP connections
• From client to FortiGate acting as proxy server
• From FortiGate to server
• Communication is terminated on Layer 4
(Diagram: the client's SYN / SYN-ACK / ACK handshake terminates at FortiGate, which then opens a second SYN / SYN-ACK / ACK handshake with the server)

Flow-based scanning
• File is scanned on a TCP flow basis as it passes through FortiGate
• Faster scanning
(Diagram: a single SYN / SYN-ACK / ACK handshake between client and server passes through FortiGate)

13
FortiGate Inspection Modes
• Two types of scanning mode
o Flow-based
• Only supports flow-based profiles
o Proxy-based
• Supports proxy-based profiles
• Also supports flow-based profiles from CLI
• Supports more features – DNS Filter, Explicit Proxy, WAF….
• Per virtual domain (VDOM) setting
o Default mode is proxy
o Can toggle the mode from CLI or GUI
• GUI: Global > System > VDOM
• CLI:
config system settings
set inspection-mode {proxy | flow}
end

14
Switching between Inspection modes
• Switching from Proxy to Flow
o Converts all proxy-based profiles to flow-based profiles
o Proxy-specific settings are removed with a warning

• Switching from Flow to Proxy
o Converts all flow-based profiles to proxy-based profiles with default settings
o No warning message

• Switching from proxy to flow and back to proxy
o Will not produce the original configuration
o Will use supported default configurations

15
Antivirus Scanning Modes
Flow-based and Proxy-based
Proxy-based Scan
• Uses full antivirus database
• FortiGate buffers the whole file
o AV engine starts scanning once end of file is detected
• Files bigger than buffer size are not scanned – can configure to pass or block
o Packets are sent to the client after the scan finishes – client must wait
o Highest perceived latency
• Displays block replacement immediately if virus is detected

17
Proxy-based Scan
(Diagram: Client – FortiGate (proxy) – Server. The request is sent to the server; the initial packet, packet 2, packet 3 and the last packet are buffered on FortiGate. The AV engine starts scanning after the whole file is buffered; only then are the initial packet, packet 2, packet 3 and the last packet sent on to the client.)

18
Flow-based: Full Scan
• Uses full antivirus database
• FortiGate buffers the whole file, but transmits to client simultaneously
o IPS checks for the rule match
o When the last packet arrives, the AV engine starts the scanning
• Files bigger than buffer size are not scanned – can configure to pass or block
• Packets are not delayed by scan – except last packet
o Lower perceived latency

• If a virus is detected, the last packet is dropped and the connection is reset
o If an identical request is made, block replacement page is inserted immediately

19
Flow-based: Full Scan
(Diagram: Client – FortiGate (IPS engine) – Server. The request is sent; the initial packet, packet 2 and packet 3 are forwarded to the client as they arrive. FortiGate buffers but transmits simultaneously; the AV engine starts scanning once the whole file is buffered, and the last packet is held until that scan completes.)

20
Flow-based: Quick Scan
• Uses IPS engine and embedded compact antivirus database
o Faster, less memory usage as file is not cached
• But lower catching rate
• Cannot send files to FortiSandbox for inspection
• Advanced heuristics and mobile malware package cannot be used
(Diagram: Client – FortiGate (IPS engine with compact AV engine) – Server. The request is sent and the initial packet, packet 2, packet 3, packet 4 and the final packet pass through without being cached.)
21
Antivirus Scanning Modes Comparison

                                      Proxy     Full Flow   Quick Flow
Catching Rate                         Highest   Highest     High
Sandbox Support                       Yes       Yes         No
Advanced Heuristic                    Yes       Yes         No
Mobile malware package                Yes       Yes         No
Memory usage                          High      High        Low
Perceived Latency                     Highest   High        Low
MAPI, NNTP Scanning                   Yes       No          No
SMB Scanning                          No        Yes         Yes
HTTP, FTP, IMAP, POP3, SMTP Scanning  Yes       Yes         Yes

22
Protocol Options – Large Files
• Large Files: Block or Not?
o Bigger than buffer cannot be scanned for viruses (diagram: file overflows the buffer in RAM)
o Log if file is too large? (Default: No)
o Block if file is too large? (Default: No)

config firewall profile-protocol-options
edit <profile_name>
set oversize-log {enable|disable}            (applies to all protocols)
config <protocol_name>                       (per protocol setting)
set oversize-limit [1-<model_limit>]
set options oversize                         (setting 'options' to 'oversize' blocks large files bigger than the buffer)
end
end

23
Protocol Options – Compressed Files
• Often, compression algorithms can be identified using header only
• Archives are unpacked and files/archives within are scanned
separately
o Nested archives are supported (default is 12 layers)
o Decompressed files have a separate oversize limit
• Password-protected archives cannot be decompressed
config firewall profile-protocol-options
edit <profile_name>
config <protocol_name>                       (per protocol setting)
set uncompressed-oversize-limit [1-<model_limit>]
set uncompressed-nest-limit [1-200]
end
end

24
Detection Rate and File Size Limit – Relationship

• Most malware is small
• Very large files require more RAM to scan completely
• Often, scanning only small files is an acceptable risk
o Default: 10 MB threshold for oversize
o Maximum size varies by model

Detection rate by file size limit:
Category     1MB     2MB     3MB     4MB     5MB     6MB     7MB     8MB     9MB     10MB    ∞
exploit      99.83%  99.95%  99.97%  99.97%  99.98%  99.98%  99.99%  100%    100%    100%    100%
mass-mailer  99.62%  99.87%  100%    100%    100%    100%    100%    100%    100%    100%    100%
phish        100%    100%    100%    100%    100%    100%    100%    100%    100%    100%    100%
spyware      95.08%  97.97%  98.88%  99.47%  99.76%  99.83%  99.89%  99.91%  99.94%  99.95%  100%
trojan       97.52%  99.24%  99.62%  99.80%  99.88%  99.93%  99.95%  99.97%  99.98%  99.98%  100%
virus        98.27%  99.37%  99.63%  99.80%  99.88%  99.93%  99.95%  99.97%  99.98%  99.99%  100%
worm         99.02%  99.65%  99.74%  99.86%  99.89%  99.92%  99.94%  99.94%  99.95%  99.96%  100%

25
Antivirus Scanning Flowchart

1. Buffer file
2. Oversize file? Yes: Action: pass or block. No: continue
3. Compressed file? Yes: Uncompressed oversize? Yes: Action: pass or block. No: continue. Not compressed: continue
4. Virus scan
5. Grayware scan (if enabled)
6. Heuristic scan (if enabled)

26
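As an added example (not Fortinet code), this Python walks the flowchart above for a constructed set of files, applying the oversize-limit, options oversize, uncompressed-oversize-limit and uncompressed-nest-limit settings from the protocol options slides. Password-protected archives and archives nested deeper than the nest limit are labelled 'skip' here because the slides only say they cannot be decompressed; that label is this example's assumption.

```python
# Added example, not Fortinet code: walks the antivirus flowchart for a set of
# constructed files using the profile-protocol-options knobs from the slides above.
from dataclasses import dataclass, field

@dataclass
class ProtocolOptions:
    oversize_limit_mb: int = 10               # set oversize-limit (default 10 MB)
    block_oversize: bool = False              # set options oversize (default: pass)
    uncompressed_oversize_limit_mb: int = 10  # set uncompressed-oversize-limit
    uncompressed_nest_limit: int = 12         # set uncompressed-nest-limit

@dataclass
class Item:
    name: str
    size_mb: float
    archive: bool = False
    password: bool = False                    # password-protected archive
    members: list = field(default_factory=list)

def walk(item, opts, depth=0, out=None):
    """Append (name, decision) per file: 'scan' reaches the virus/grayware/heuristic
    scans, 'pass'/'block' is the oversize action, 'skip' = cannot decompress (assumed)."""
    out = [] if out is None else out
    # buffer limit for the top-level file; decompressed members get their own limit
    limit = opts.oversize_limit_mb if depth == 0 else opts.uncompressed_oversize_limit_mb
    if item.size_mb > limit:
        out.append((item.name, "block" if opts.block_oversize else "pass"))
    elif item.archive:
        if item.password or depth >= opts.uncompressed_nest_limit:
            out.append((item.name, "skip"))
        else:
            for member in item.members:       # each member is scanned separately
                walk(member, opts, depth + 1, out)
    else:
        out.append((item.name, "scan"))
    return out

def demo(block_oversize=True):
    """Constructed sample: small exe, oversize ISO, archive with a small doc,
    a member over the decompressed limit and a password-protected inner zip."""
    opts = ProtocolOptions(block_oversize=block_oversize)
    sample = [
        Item("setup.exe", 3),
        Item("image.iso", 15),
        Item("docs.zip", 4, archive=True, members=[
            Item("notes.doc", 1), Item("big.bin", 12),
            Item("inner.zip", 2, archive=True, password=True)]),
    ]
    return {n: d for f in sample for n, d in walk(f, opts)}
```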
Configuring Antivirus
Configuring Antivirus Profile
Security Profiles > AntiVirus
• Flow-based profile
• Proxy-based profile
(Screenshot callout on the flow-based profile: Only available in full flow-based)

28
Configuring Protocol Options
• Allow you to configure protocol options
o Security Profiles > Proxy Options
o For proxy-based VDOM can be configured from GUI and CLI
o For flow-based VDOM it can be configured from CLI only
config firewall profile-protocol-options
edit <profile_name>
config <protocol_name>

• Can configure:
o Protocol port mappings
o Common options
o Web and email options

29
SSL/SSH Inspection Method
Certificate Inspection
• Certificate inspection
• No content scanning (no decryption)

Full Inspection
• Certificate inspection
• Content scanning (decryption)

30
Configuring SSL/SSH Inspection Profile
• Security Profiles > SSL/SSH Inspection
o Allows you to choose the inspection method
o Can configure exemptions from SSL inspection

31
Antivirus Block Page
• Like web filtering block page
o File name
o Virus name
o Web site host & URL
o Source & destination IP
o User name & group (if authentication is enabled)
o Link to FortiGuard Encyclopedia

32
Virus Statistics
• Dashboard > Advanced Threat Protection Statistics widget
• Shows statistics for
o Virus scan
o Sandbox

33
Logging and Monitoring
• Log & Report > AntiVirus
• Log & Report > Forward Traffic
(Screenshot callout: the log entry carries a link to the FortiGuard encyclopedia)

34
Memory Conserve Mode
Memory Conserve Mode
• FortiOS protects itself when memory usage is high
o Prevents using so much memory that the FortiGate becomes unresponsive
o Once usage is lower, FortiGate leaves conserve mode
• Two types:
o Kernel

o System

36
Kernel Conserve Mode Thresholds

Total memory   Enter margin      Exit margin
< 1 GB         Free < 20%        Free > 30%
>= 1 GB        Free <= 200 MB    Free > 300 MB

• Actions:
o Proxies are bypassed
o FortiGate configuration cannot be changed

37
System Conserve Mode Thresholds

Total memory   Enter margin      Exit margin
<= 128 MB      Free <= 5 MB      Free > 10 MB
<= 256 MB      Free <= 10 MB     Free > 20 MB
< 512 MB       Free <= 40 MB     Free > 60 MB
<= 1 GB        Free < 20%        Free > 30%
> 1 GB         Free < 12%        Free > 18%

• Actions:
o Depends on the fail-open setting

38
Proxy Fail-Open Setting
• av-failopen governs FortiGate behavior for UTM-inspected traffic while in system conserve mode
config system global
set av-failopen {idledrop | off | one-shot | pass}
end

• idledrop – Drops all idle proxy sessions
• off – All new sessions with UTM scanning enabled are not passed
• one-shot – Attempt UTM scanning on all new sessions
• pass (default) – All new sessions pass without inspection

39
System Memory Conserve Mode Diagnostics
# diagnose hardware sysinfo shm
SHM counter: 10316
SHM allocated: 617643792
SHM total: 1572380672
conserve mode: on - mem
system last entered: Fri Jun 3 10:16:39 2016
sys fd last entered: n/a
SHM FS total: 1607806976
SHM FS free: 990134272
SHM FS avail: 990134272
SHM FS alloc: 617672704

(Callouts: "conserve mode: off" == no system conserve mode; "conserve mode: on - mem" == system conserve mode)

40
Memory Conserve Mode Event Logs
• System conserve mode:
type=event subtype=system level=critical devid=FGTxxxxxxx vd=root msg="The system has entered system conserve mode" logdesc="System entering conserve mode" free=242 sysconserve=on total=2024 entermargin=242 exitmargin=364 service=worker

• Kernel conserve mode:
type=event subtype=system level=critical devid=FGTxxxxxxx vd=root msg="Kernel enters conserve mode" logdesc="Kernel enters conserve mode" conserve=on free="51131 pages" red="51200 pages" service=kernel

41
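As an added example (not Fortinet code), the following Python computes the system conserve mode enter and exit margins from the System Conserve Mode Thresholds table above, applies the enter/exit hysteresis, and checks a log line constructed from the system conserve mode event on this slide. It assumes percentage margins are truncated to whole MB (which reproduces the logged entermargin=242 and exitmargin=364 for total=2024) and that entry happens at free equal to the enter margin, as the logged free=242 shows.

```python
# Added example, not Fortinet code: system conserve mode margins from the threshold
# table, with hysteresis, checked against a conserve-mode event log line.
import re

def system_margins(total_mb):
    """Enter/exit margins (MB) per the System Conserve Mode Thresholds table.
    Percentages are truncated to whole MB (assumption; matches the logged values)."""
    if total_mb <= 128:
        return 5, 10
    if total_mb <= 256:
        return 10, 20
    if total_mb < 512:
        return 40, 60
    if total_mb <= 1024:
        return total_mb * 20 // 100, total_mb * 30 // 100
    return total_mb * 12 // 100, total_mb * 18 // 100

def next_state(total_mb, free_mb, in_conserve):
    """Hysteresis: enter once free memory is at the enter margin (the logged event
    shows free == entermargin), leave only when free rises above the exit margin."""
    enter, leave = system_margins(total_mb)
    if not in_conserve:
        return free_mb <= enter
    return free_mb <= leave

# FortiOS event logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_log(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

# Constructed sample, copied from the system conserve mode log on this slide.
SAMPLE = ('type=event subtype=system level=critical devid=FGTxxxxxxx vd=root '
          'msg="The system has entered system conserve mode" '
          'logdesc="System entering conserve mode" free=242 sysconserve=on '
          'total=2024 entermargin=242 exitmargin=364 service=worker')

def check_event(line):
    """Return (entered, margins_match): whether the event reports conserve mode on
    with free at or below the enter margin, and whether the logged margins equal
    the values the table predicts for this total."""
    f = parse_log(line)
    total, free = int(f["total"]), int(f["free"])
    enter, leave = system_margins(total)
    entered = f.get("sysconserve") == "on" and free <= enter
    return entered, (enter, leave) == (int(f["entermargin"]), int(f["exitmargin"]))
```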
Fail-Open Session Setting
• Specifies the action if a proxy runs out of connections
config system global
set av-failopen-session {enable | disable}
end

o enable – Use behavior from av-failopen setting
o disable (default) – Block all new sessions

42
Review
• Types of malware
• Heuristic, grayware and antivirus scans
• Types of antivirus databases
• Sandboxing
• Proxy-based vs. flow-based scans
• Scanning large / compressed files
• Order of scans
• How to scan encrypted traffic
• Searching logs for antivirus events
• Memory conserve mode
43
