Fortigate I: Antivirus and Conserve Mode
FortiGate 5.4.1
© Copyright Fortinet Inc. All rights reserved. Last Modified: Wednesday, April 29, 2020
Objectives
• Categorize malware types and evasion techniques
• Detect and block malware
  o Identify the order of scans
• Update the antivirus database through FortiGuard services
• Describe the differences between FortiGate inspection modes
• Choose between proxy-based and flow-based antivirus scans
• Configure an antivirus profile
• Search logs for antivirus events
• Check whether FortiGate is in memory conserve mode
What is Malware?
• A category of software that has a detrimental effect, such as gaining access to a system, gathering sensitive information, corrupting the system or destroying data
• Viruses
  o Self-replicating code that installs copies of itself into other programs
    • Often attached to an executable file
    • Does not require user consent, or tricks the user into giving permission
    • Infects and spreads on its own
  o Small in size
• Grayware
  o Unwanted applications that are not classified as viruses but can be annoying and may cause security risks
    • Spyware and adware, often bundled with shareware or free software
  o Size varies
Malware Types and Behavior
Trojans
• Malicious program that gives an attacker control of the user's computer to spy on user activity, steal sensitive data, and corrupt or block access to data
• Can set up a backdoor control mechanism
Worms
• Spread to other hosts through the network without user interaction
• Consume resources (bandwidth, storage) by exploiting vulnerabilities on the target computer
Spyware
• Tracks browsing history and web site passwords without the user's knowledge
Ransomware
• Encrypts files and demands payment to unlock them
Rootkit
• Gains "root" or "Administrator" account access
• Runs with maximum permissions, so normal users may not be able to detect it
Keylogger
• Records keystrokes, capturing passwords and bank account details
Botnets
• Compromise computers that then act as "zombies" in a for-hire botnet
• Infected hosts can be used to send spam or launch distributed DoS attacks
Evasion Techniques
• Encryption
  o The payload is encrypted; a decryption routine included in the code decrypts it before execution
• Polymorphism
  o Changes the encryption key, or rewrites parts of the code, each time it runs, while the function of the code stays the same
  o Requires a polymorphic engine in the payload
• Metamorphism
  o Rewrites its own code so that each infection looks totally different
    • Used to avoid pattern recognition
  o Requires a metamorphic engine in the payload
[Figure: One species of ant, many shapes. Source: http://en.wikipedia.org/wiki/Ant]
Antivirus
What is Antivirus and How Does It Work?
• A database of virus signatures is used to identify infections
  o To detect a virus, the antivirus engine must match the file against a pattern (signature)
  o Each vendor uses different detection engines and signature formats, for example checksums such as:
    • MD5
    • CRC
Antivirus Scanning Techniques
• Antivirus scan
  o Detects and eliminates malware in real time
    • Stops threats from spreading
  o Preserves your public IP's client reputation
• Grayware scan
  o Antivirus actions apply
• Heuristics scan (optional; must be enabled in the CLI)
  o Looks for virus-like code (example: modifies the registry to restart itself after reboot)
  o Counts virus-like attributes
  o If the count is greater than a threshold, the file is suspicious
  o False positives are possible
Order of scan:
1 Antivirus scan
2 Grayware scan
3 Heuristics scan (optional, must be enabled in the CLI)
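As an added example (not code from Fortinet or this course), the following Python models the three scans in the order given above: a signature match on MD5 and CRC32 checksums of the whole file (the checksum types named on the previous slide), then a grayware match, then an optional heuristic count against a threshold. It also shows why a polymorphic variant defeats a checksum signature (the evasion slide): flipping one byte changes both hashes while leaving the "function" untouched. The sample files, signature entries, grayware marker, heuristic attribute strings and threshold are all constructed for the example.

```python
import hashlib
import zlib

# Constructed "files" for the example (harmless byte strings, not real malware).
KNOWN_VIRUS = b"MZ\x90\x00 constructed-test-virus body v1"
CLEAN_FILE = b"MZ\x90\x00 an ordinary program that reads a config file"
ADWARE = b"MZ\x90\x00 installs ExampleSearchToolbar and shows ads"
DROPPER = (b"MZ\x90\x00 writes HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
           b"then calls CreateRemoteThread and VirtualAllocEx")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def crc32_hex(data: bytes) -> str:
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


# Signature database. A vendor ships precomputed values; here they are computed
# from the known sample so the example is self-contained.
VIRUS_SIGNATURES = {
    ("md5", md5_hex(KNOWN_VIRUS)): "W32/ConstructedTest.A",
    ("crc32", crc32_hex(KNOWN_VIRUS)): "W32/ConstructedTest.A",
}

# Grayware: unwanted but not a virus; matched here by a constructed marker string.
GRAYWARE_MARKERS = {b"ExampleSearchToolbar": "Adware/ExampleToolbar"}

# Heuristics: virus-like attributes counted against a threshold (false positives possible).
HEURISTIC_ATTRIBUTES = [
    b"CurrentVersion\\Run",   # persistence: restart itself after reboot
    b"CreateRemoteThread",    # code injection into another process
    b"VirtualAllocEx",        # allocating memory in another process
]
HEURISTIC_THRESHOLD = 2


def antivirus_scan(data: bytes):
    """Scan 1: exact signature match on the MD5 and CRC32 of the whole file."""
    for kind, digest in (("md5", md5_hex(data)), ("crc32", crc32_hex(data))):
        name = VIRUS_SIGNATURES.get((kind, digest))
        if name:
            return name
    return None


def grayware_scan(data: bytes):
    """Scan 2: grayware match; the same antivirus action applies on a hit."""
    for marker, name in GRAYWARE_MARKERS.items():
        if marker in data:
            return name
    return None


def heuristic_scan(data: bytes) -> int:
    """Scan 3 (optional): count the virus-like attributes present in the file."""
    return sum(1 for attr in HEURISTIC_ATTRIBUTES if attr in data)


def scan(data: bytes, heuristics_enabled: bool = False) -> str:
    """Run the scans in the order the slide gives: antivirus, grayware, then heuristics."""
    name = antivirus_scan(data)
    if name:
        return f"virus:{name}"
    name = grayware_scan(data)
    if name:
        return f"grayware:{name}"
    if heuristics_enabled and heuristic_scan(data) >= HEURISTIC_THRESHOLD:
        return "suspicious:heuristic"
    return "clean"


def polymorphic_variant(data: bytes) -> bytes:
    """Flip one byte: a variant whose behaviour is unchanged but whose checksums differ."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


if __name__ == "__main__":
    samples = [("known virus", KNOWN_VIRUS), ("variant", polymorphic_variant(KNOWN_VIRUS)),
               ("adware", ADWARE), ("dropper", DROPPER), ("clean", CLEAN_FILE)]
    for label, sample in samples:
        print(f"{label:12} {scan(sample):30} with heuristics: {scan(sample, True)}")
```

The dropper sample is missed by both the checksum and grayware scans and is only flagged once heuristics are enabled, which is the trade-off the slide describes: wider coverage at the cost of possible false positives.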
Sandboxing
• Can detect zero-day attacks with high certainty
  o FortiGate uploads files to FortiCloud Sandbox or to a FortiSandbox appliance
    • A FortiCloud account must be activated to use FortiCloud Sandbox
  o The file is executed in an isolated environment ("sandbox")
  o Its effects are examined to detect new malware
  o FortiGate can be configured to receive new signatures from the sandbox under System > Cooperative Security Fabric
• Uploading files and receiving new signatures is configured per antivirus profile
Antivirus Signature Database
• System > FortiGuard
  o Requires a subscription to FortiGuard Antivirus
  o Normal: includes common recent attacks and is available on all models
  o Extended: includes Normal plus additional recent non-active viruses
  o Extreme: includes Extended plus additional old dormant viruses
Mobile Malware Database
• Requires a separate subscription
• Ensures protection against the latest threats targeting mobile platforms
  o Apple iOS
  o Android
FortiGate Inspection Modes
Proxy-based compared to Flow-based
FortiGate Inspection Modes
• Two types of scanning mode
  o Flow-based
    • Only supports flow-based profiles
  o Proxy-based
    • Supports proxy-based profiles
    • Also supports flow-based profiles from the CLI
    • Supports more features: DNS Filter, Explicit Proxy, WAF…
• Per virtual domain (VDOM) setting
  o Default mode is proxy
  o Can toggle the mode from the CLI or the GUI (Global > System > VDOM)
    config system settings
        set inspection-mode {proxy | flow}
    end
Switching between Inspection Modes
• Switching from proxy to flow
  o Converts all proxy-based profiles to flow-based profiles
  o Proxy-specific settings are removed, with a warning
Antivirus Scanning Modes
Flow-based and Proxy-based
Proxy-based Scan
• Uses the full antivirus database
• FortiGate buffers the whole file
  o The AV engine starts scanning once the end of the file is detected
• Files bigger than the buffer size are not scanned; can be configured to pass or block
  o Packets are sent to the client only after the scan finishes, so the client must wait
  o Highest perceived latency
• Displays the block replacement message immediately if a virus is detected, before any of the file has reached the client
Proxy-based Scan
[Diagram: Client, FortiGate, Server. The initial packet, packet 2, packet 3 and the last packet arrive from the server and are buffered; the AV engine starts scanning after the whole file is buffered; only then are the initial packet, packet 2, packet 3 and the last packet forwarded to the client.]
Flow-based: Full Scan
• Uses the full antivirus database
• FortiGate buffers the whole file but transmits it to the client simultaneously
  o The IPS engine checks for rule matches as packets pass
  o When the last packet arrives, the AV engine starts scanning
• Files bigger than the buffer size are not scanned; can be configured to pass or block
• Packets are not delayed by the scan, except the last packet
  o Lower perceived latency
  o If a virus is found, only the last packet can be withheld; the client has already received the rest of the file
Flow-based: Full Scan
[Diagram: Client, FortiGate, Server. The initial packet, packet 2 and packet 3 are forwarded to the client as they arrive while FortiGate keeps a buffered copy; when the last packet arrives, the AV engine starts scanning the whole buffered file, and the last packet is released only after the scan.]
Flow-based: Quick Scan
• Uses the IPS engine and an embedded compact antivirus database
  o Faster, with less memory usage, as the file is not cached
• But a lower catch rate
• Cannot send files to FortiSandbox for inspection
• Advanced heuristics and the mobile malware database are not used
[Diagram: Client, FortiGate (IPS engine with compact AV engine), Server. The request is sent, then the initial packet and packets 2, 3 and 4 are inspected by the IPS engine as they pass through.]
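To make the latency and exposure difference between the two full-database modes concrete, here is an added Python model (not Fortinet code) of the proxy-based and flow-based full scans described above. A constructed 56-byte "download" is cut into four packets so that the constructed virus marker straddles a packet boundary: it can only be matched in the buffered whole file, which is why both modes buffer, and the model records what the client has already received when the verdict arrives. Quick scan is not modelled; the packet split, marker and file contents are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed signature; a real engine matches a database entry, not a literal.
VIRUS_MARKER = b"CONSTRUCTED-VIRUS-MARKER"


@dataclass
class ScanResult:
    mode: str
    infected: bool = False
    delivered: List[object] = field(default_factory=list)  # what the client actually received
    first_byte_at: Optional[int] = None  # arrival index (1-based) at which the client got payload
    verdict_at: Optional[int] = None     # arrival index at which the AV verdict was available


def proxy_based(packets: List[bytes]) -> ScanResult:
    """Proxy-based: buffer everything, scan at end of file, only then forward (or serve the block page)."""
    r = ScanResult("proxy")
    whole_file = b"".join(packets)     # the client receives nothing while this accumulates
    r.verdict_at = len(packets)        # the AV engine starts once the last packet is buffered
    r.infected = VIRUS_MARKER in whole_file
    if r.infected:
        r.delivered = ["<block replacement page>"]   # no file bytes ever reach the client
    else:
        r.delivered = list(packets)
        r.first_byte_at = len(packets)               # first byte arrives only after the scan
    return r


def flow_based_full(packets: List[bytes]) -> ScanResult:
    """Flow-based full scan: keep a copy but forward each packet as it arrives, except the last."""
    r = ScanResult("flow-full")
    buffered = b""
    for i, pkt in enumerate(packets, start=1):
        buffered += pkt                # the full-file copy is what the AV engine will scan
        if i < len(packets):
            r.delivered.append(pkt)    # forwarded immediately, no scan delay
            r.first_byte_at = r.first_byte_at or i
        else:
            r.verdict_at = i           # last packet: scan the buffered whole file now
            r.infected = VIRUS_MARKER in buffered
            if not r.infected:
                r.delivered.append(pkt)  # only the last packet waits for the verdict
    return r


def split_into_packets(data: bytes, n: int) -> List[bytes]:
    """Cut a file into n roughly equal packets."""
    size = -(-len(data) // n)
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed 56-byte files; with 14-byte packets the 24-byte marker never fits in one packet,
# so it is only visible in the buffered whole file, never inside a single forwarded packet.
INFECTED_FILE = b"MZ-header-bytes-" + VIRUS_MARKER + b"-trailer-bytes-x"
CLEAN_FILE = b"MZ-header-bytes-" + b"plain-content-that-is-ok" + b"-trailer-bytes-x"

if __name__ == "__main__":
    for name, data in (("infected", INFECTED_FILE), ("clean", CLEAN_FILE)):
        for scanner in (proxy_based, flow_based_full):
            r = scanner(split_into_packets(data, 4))
            print(f"{name:8} {r.mode:9} infected={r.infected} delivered={len(r.delivered)} "
                  f"first_byte_at={r.first_byte_at} verdict_at={r.verdict_at}")
```

For the infected file the flow-based scan still detects the marker (it scans the buffered copy, not individual packets), but by the time it does, three of the four packets are already on the client; the proxy-based scan delivers nothing but the block page. For the clean file the flow-based client gets its first byte at packet 1, the proxy-based client only after packet 4 has been scanned.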
Antivirus Scanning Modes Comparison
Protocol Options – Large Files
• Large files: block or not?
  o Files bigger than the buffer cannot be scanned for viruses
  o Log if the file is too large? (Default: No)
  o Block if the file is too large? (Default: No)
• oversize-log applies to all protocols; oversize-limit and options are per-protocol settings
    config firewall profile-protocol-options
        edit <profile_name>
            set oversize-log {enable|disable}
            config <protocol_name>
                set oversize-limit [1-<model_limit>]
                set options oversize
            end
        end
• Setting 'options' to 'oversize' blocks files bigger than the buffer; with the default, oversize files pass through unscanned, so lowering oversize-limit saves memory but enlarges the set of files that are never inspected
[Figure: a file larger than the RAM buffer is not scanned]
Protocol Options – Compressed Files
• Often, the compression algorithm can be identified from the header alone
• Archives are unpacked and the files and archives within are scanned separately
  o Nested archives are supported (default limit is 12 layers)
  o Decompressed files have a separate oversize limit
• Password-protected archives cannot be decompressed, so their contents cannot be scanned
• Per-protocol settings:
    config firewall profile-protocol-options
        edit <profile_name>
            config <protocol_name>
                set uncompressed-oversize-limit [1-<model_limit>]
                set uncompressed-nest-limit [1-200]
            end
        end
Detection Rate and File Size Limit – Relationship
Antivirus Scanning Flowchart
1 Buffer the file
2 Oversize file? Yes: apply the oversize action (pass or block). No: continue
3 Compressed file? No: go to the virus scan. Yes: decompress and check the uncompressed size
4 Uncompressed oversize? Yes: apply the oversize action (pass or block). No: continue
5 Virus scan
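The flowchart above and the two protocol-options slides before it describe one decision procedure, so here is an added Python implementation of it (not FortiOS code) over real zip archives built in memory with the standard library: the raw oversize check, the separate uncompressed limit (checked against the member's declared size before inflating, which also keeps a decompression bomb out of memory), the nesting limit with the 12-layer default, the pass-or-block and log knobs, and password-protected members that cannot be decompressed. The knob names mirror the CLI on the slides; the byte-sized limits, the virus marker, the archives, and the handling of over-nested and encrypted members are assumptions made for the example.

```python
import io
import zipfile
from dataclasses import dataclass


@dataclass
class ProtocolOptions:
    """Mirrors the protocol-options knobs on the slides (limits in bytes here; assumption)."""
    oversize_limit: int = 10 * 1024               # set oversize-limit
    block_oversize: bool = False                  # set options oversize (default: pass)
    oversize_log: bool = False                    # set oversize-log (default: disable)
    uncompressed_oversize_limit: int = 10 * 1024  # set uncompressed-oversize-limit
    uncompressed_nest_limit: int = 12             # set uncompressed-nest-limit (default 12)


VIRUS_MARKER = b"CONSTRUCTED-TEST-VIRUS-MARKER"  # constructed signature for the example


def _oversize_action(opts: ProtocolOptions, log: list, what: str) -> str:
    """The configurable pass-or-block action, optionally logged."""
    if opts.oversize_log:
        log.append(what)
    return "block" if opts.block_oversize else "pass"


def scan_file(data: bytes, opts: ProtocolOptions = None, depth: int = 0, log: list = None) -> str:
    """Return 'pass', 'block' or 'infected:<name>' following the flowchart."""
    opts = opts or ProtocolOptions()
    log = log if log is not None else []
    limit = opts.oversize_limit if depth == 0 else opts.uncompressed_oversize_limit
    if len(data) > limit:                                   # step 2 / step 4
        return _oversize_action(opts, log, f"oversize: depth={depth} size={len(data)} limit={limit}")
    if zipfile.is_zipfile(io.BytesIO(data)):                # step 3: compressed file
        if depth >= opts.uncompressed_nest_limit:
            # Assumption: an archive nested deeper than the limit is treated like an oversize file.
            return _oversize_action(opts, log, f"nest limit {opts.uncompressed_nest_limit} reached")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.flag_bits & 0x1:
                    # Password-protected member: cannot be decompressed, so it is not scanned.
                    # Assumption: it is skipped rather than blocked.
                    log.append(f"encrypted member {member.filename}: not scanned")
                    continue
                if member.file_size > opts.uncompressed_oversize_limit:
                    # Declared size checked before inflating: never decompress a bomb into memory.
                    verdict = _oversize_action(
                        opts, log, f"uncompressed oversize: {member.filename} {member.file_size}")
                    if verdict == "block":
                        return verdict
                    continue
                verdict = scan_file(zf.read(member), opts, depth + 1, log)
                if verdict != "pass":
                    return verdict
        return "pass"
    return f"infected:{VIRUS_MARKER.decode()}" if VIRUS_MARKER in data else "pass"  # step 5


def make_zip(members: dict) -> bytes:
    """Build a deflated zip archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nest(payload: bytes, layers: int) -> bytes:
    """Wrap payload in `layers` nested zip archives."""
    data = payload
    for i in range(layers):
        data = make_zip({f"layer{i}": data})
    return data


if __name__ == "__main__":
    blocking = ProtocolOptions(block_oversize=True, oversize_log=True)
    for label, sample in [("plain", b"hello"), ("zip with virus", make_zip({"a": VIRUS_MARKER})),
                          ("12 layers", nest(VIRUS_MARKER, 12)), ("13 layers", nest(VIRUS_MARKER, 13)),
                          ("raw oversize", b"A" * (10 * 1024 + 1)),
                          ("zip bomb", make_zip({"big": b"A" * 20480}))]:
        log = []
        print(f"{label:15} default={scan_file(sample):10} blocking={scan_file(sample, blocking, log=log)} {log}")
```

The 13-layer case is the one to notice: with the defaults it passes, not because it was scanned and found clean but because the scanner gave up at the nesting limit, and nothing is logged unless oversize-log is enabled.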
Configuring Antivirus
Configuring Antivirus Profile
• Security Profiles > AntiVirus
  o Flow-based profile
  o Proxy-based profile
[Screenshot annotation: "Only available in full flow-based"]
Configuring Protocol Options
• Allows you to configure protocol options
  o For a proxy-based VDOM, can be configured from the GUI (Security Profiles > Proxy Options) and the CLI
  o For a flow-based VDOM, can be configured from the CLI only
    config firewall profile-protocol-options
        edit <profile_name>
            config <protocol_name>
• Can configure:
  o Protocol port mappings
  o Common options
  o Web and email options
SSL/SSH Inspection Method
• Certificate inspection
• Full inspection
• Only full inspection decrypts the session; certificate inspection sees the unencrypted handshake (server certificate) but not the file contents, so antivirus scanning of files carried over SSL/TLS requires full inspection
Configuring SSL/SSH Inspection Profile
• Security Profiles > SSL/SSH Inspection
  o Allows you to choose the inspection method
  o Can configure exemptions from SSL inspection
Antivirus Block Page
• Like the web filtering block page, it shows:
  o File name
  o Virus name
  o Web site host and URL
  o Source and destination IP
  o User name and group (if authentication is enabled)
  o Link to the FortiGuard Encyclopedia
Virus Statistics
• Dashboard > Advanced Threat Protection Statistics widget
• Shows statistics for
  o Virus scan
  o Sandbox
Logging and Monitoring
• Log & Report > AntiVirus
  o Each antivirus log entry links to the FortiGuard encyclopedia entry for the detected virus
Memory Conserve Mode
Memory Conserve Mode
• FortiOS protects itself when memory usage is high
  o Prevents using so much memory that the FortiGate becomes unresponsive
  o Once usage is lower, FortiGate leaves conserve mode
• Two types:
  o Kernel
  o System
Kernel Conserve Mode Thresholds
• Actions:
  o Proxies are bypassed
  o FortiGate configuration cannot be changed
System Conserve Mode Thresholds
• Actions:
  o Depend on the fail-open setting
Proxy Fail-Open Setting
• av-failopen governs FortiGate behavior for UTM-inspected traffic while in system conserve mode
  o pass keeps traffic flowing but unscanned (fail open); off refuses new sessions that need proxy inspection (fail closed); idledrop drops idle sessions to reclaim memory
    config system global
        set av-failopen {idledrop | off | one-shot | pass}
    end
System Memory Conserve Mode Diagnostics
    # diagnose hardware sysinfo shm
    SHM counter: 10316
    SHM allocated: 617643792
    SHM total: 1572380672
    conserve mode: on - mem
    system last entered: Fri Jun 3 10:16:39 2016
    sys fd last entered: n/a
    SHM FS total: 1607806976
    SHM FS free: 990134272
    SHM FS avail: 990134272
    SHM FS alloc: 617672704
• "conserve mode: off" means no system conserve mode; "on - mem" means the system is in conserve mode because of memory
Memory Conserve Mode Event Logs
• System conserve mode:
    type=event subtype=system level=critical devid=FGTxxxxxxx vd=root msg="The system has entered system conserve mode" logdesc="System entering conserve mode" free=242 sysconserve=on total=2024 entermargin=242 exitmargin=364 service=worker
  o The memory figures are in MB: the unit entered conserve mode because free memory (242) dropped to the enter margin (242) and will leave it only once free memory rises to the exit margin (364)
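For monitoring, the diagnose output and the event log above are worth parsing rather than eyeballing. The following added Python (not Fortinet code) parses the key=value log format, extracts the conserve-mode state from the diagnose output, raises a detection alert on the sysconserve=on entry with the free-memory percentage, and models the enter/exit hysteresis implied by the entermargin and exitmargin fields. The diagnose output and log line are the ones on the slides; the memory sample sequence and the hysteresis rule (enter at free <= entermargin, leave at free >= exitmargin) are assumptions made for the example.

```python
import re

# Log line from the slide (FortiOS event log, key=value format).
ENTER_LOG = ('type=event subtype=system level=critical devid=FGTxxxxxxx vd=root '
             'msg="The system has entered system conserve mode" '
             'logdesc="System entering conserve mode" free=242 sysconserve=on '
             'total=2024 entermargin=242 exitmargin=364 service=worker')

# Output of "diagnose hardware sysinfo shm" from the slide.
SHM_OUTPUT = """SHM counter: 10316
SHM allocated: 617643792
SHM total: 1572380672
conserve mode: on - mem
system last entered: Fri Jun 3 10:16:39 2016
sys fd last entered: n/a
SHM FS total: 1607806976
SHM FS free: 990134272
SHM FS avail: 990134272
SHM FS alloc: 617672704
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    """Parse FortiOS key=value log fields; quoted values keep spaces, integers become ints."""
    out = {}
    for key, val in KV_RE.findall(line):
        val = val.strip('"')
        out[key] = int(val) if val.isdigit() else val
    return out


def in_conserve_mode(shm_output: str) -> bool:
    """True when the 'conserve mode:' line of the diagnose output is anything but 'off'."""
    for line in shm_output.splitlines():
        if line.startswith("conserve mode:"):
            return line.split(":", 1)[1].strip() != "off"
    raise ValueError("no 'conserve mode:' line in output")


def conserve_alerts(log_lines) -> list:
    """Detection rule: flag every system conserve-mode entry with the memory figures it reports."""
    alerts = []
    for line in log_lines:
        fields = parse_kv(line)
        if fields.get("sysconserve") == "on":
            pct_free = round(100.0 * fields["free"] / fields["total"], 1)
            alerts.append((fields["devid"], fields["free"], fields["total"], pct_free))
    return alerts


def simulate_thresholds(free_samples, enter_margin: int, exit_margin: int) -> list:
    """Hysteresis (assumption): enter at free <= entermargin, leave only when free >= exitmargin."""
    in_mode, events = False, []
    for free in free_samples:
        if not in_mode and free <= enter_margin:
            in_mode = True
            events.append(("enter", free))
        elif in_mode and free >= exit_margin:
            in_mode = False
            events.append(("exit", free))
    return events


if __name__ == "__main__":
    print("conserve mode active:", in_conserve_mode(SHM_OUTPUT))
    print("alerts:", conserve_alerts([ENTER_LOG]))
    f = parse_kv(ENTER_LOG)
    print("transitions:", simulate_thresholds([500, 300, 242, 250, 363, 364, 400],
                                              f["entermargin"], f["exitmargin"]))
```

The simulated sequence shows the gap between the two margins doing its job: once free memory falls to 242 the unit stays in conserve mode through 250 and 363 and only leaves at 364, so a unit hovering just above the enter margin does not flap in and out of mode.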
Fail-Open Session Setting
• Specifies the action if a proxy runs out of connections
    config system global
        set av-failopen-session {enable | disable}
    end
Review
• Types of malware
• Heuristic, grayware and antivirus scans
• Types of antivirus databases
• Sandboxing
• Proxy-based vs. flow-based scans
• Scanning large / compressed files
• Order of scans
• How to scan encrypted traffic
• Searching logs for antivirus events
• Memory conserve mode