
4.3 Antivirus & Intrusion Prevention

Key Takeaways

  • The AntiVirus profile scans files against the FortiGuard antivirus database and can run in flow-based or proxy-based mode; proxy mode buffers the whole file and enables features such as content disarm and reconstruction.
  • Grayware detection flags low-risk but unwanted software such as adware and spyware as a separate, optional category from confirmed malware.
  • FortiSandbox integration sends suspicious or unknown files to a sandbox for behavioral detonation, catching zero-day threats that signatures miss.
  • An IPS sensor is a collection of signature filters; each signature or filter has an action such as Pass, Monitor, Block, Reset, or Quarantine.
  • IPS protocol decoders parse application-layer traffic so signatures can be matched accurately, and signatures can be filtered by severity, target, OS, and application.
Last updated: May 2026

The AntiVirus Profile

The AntiVirus (AV) profile scans files transferred through the FortiGate — over HTTP, HTTPS, FTP, SMTP, POP3, IMAP, and other protocols — and blocks files that match known malware. It is a security profile and, like the others, takes effect only when referenced by an ACCEPT firewall policy.

Flow-Based vs Proxy-Based Antivirus

AntiVirus runs in the inspection mode set for the VDOM:

  • Flow-based AV scans the file as packets stream through using the IPS engine. It introduces minimal latency and is the default. It still detects known malware but cannot hold the complete file for some advanced actions.
  • Proxy-based AV buffers the entire file before delivering it. Having the full file allows features such as content disarm and reconstruction (CDR), which strips active content (macros, embedded scripts) from documents, and richer replacement messages. The trade-off is added latency and memory use.

The FortiGuard AntiVirus Database

Detection relies on the FortiGuard antivirus database, delivered by the FortiGuard antivirus subscription service. FortiGuard pushes regular signature updates so the FortiGate recognizes current malware. Database options include the regular database, the extended database, and an extreme database for the broadest coverage. The AV engine also performs decompression of archives and can apply heuristics.

Grayware

Grayware is software that is not outright malicious but is unwanted or risky — adware, spyware, browser plugins, dialers, and similar nuisance programs. FortiOS treats grayware as a separate, optional detection category in the AV profile. Enabling grayware scanning lets the FortiGate flag or block these programs in addition to confirmed viruses; it is kept separate because some organizations tolerate certain grayware.

FortiSandbox Integration

Signatures only catch known threats. To address zero-day and previously unseen malware, the AV profile can integrate with FortiSandbox (an on-premises appliance or FortiSandbox Cloud). When the FortiGate encounters a suspicious or unknown file, it forwards a copy to FortiSandbox, which detonates the file in an isolated virtual environment and observes its behavior. If the file is judged malicious, FortiSandbox returns a verdict and a new signature, and the FortiGate can block future occurrences. The AV profile controls which files are submitted and whether the FortiGate holds the file while waiting for the verdict.

The Intrusion Prevention System (IPS)

While AntiVirus focuses on malicious files, the Intrusion Prevention System (IPS) focuses on malicious network activity — exploit attempts, buffer overflows, scans, brute-force attacks, command-and-control traffic, and protocol anomalies. IPS inspects traffic against attack signatures and acts before the attack reaches the target.

IPS Signatures

The FortiGuard IPS service maintains thousands of signatures, each describing a known attack or vulnerability exploitation pattern. Signatures carry attributes — severity, target (client or server), affected operating system, affected application, and protocol — which let administrators select large groups of signatures efficiently.

IPS Sensors

An IPS sensor is the configuration object attached to a firewall policy. A sensor is built from one or more signature filters plus optional individual signature entries. A filter selects signatures by attribute — for example, all signatures with severity High or Critical that target servers — and assigns an action to that whole group. This is more scalable than enabling thousands of signatures one by one. Sensors also support rate-based signatures that trigger only when an event count crosses a threshold, useful for detecting brute-force and flood attacks.

Protocol Decoders

IPS uses protocol decoders to parse traffic at the application layer before signature matching. A decoder understands the structure of a protocol — HTTP, DNS, SMB, SIP, and many others — so the IPS engine can locate the relevant fields and match signatures accurately, and can also detect protocol anomalies. A decoder can also be configured to recognize its protocol on a non-standard port. Accurate decoding reduces false positives because signatures are compared against correctly parsed protocol data rather than raw bytes.

IPS Signature Actions

Each signature or signature filter in an IPS sensor is assigned an action that determines what the FortiGate does when the signature matches.

Action         What it does                                                            Typical use
-------------  ----------------------------------------------------------------------  -------------------------------------------------------
Pass / Allow   Traffic is allowed; the event is not logged or blocked                  Tuning out a noisy false positive
Monitor        Traffic is allowed but the match is logged                              Visibility before enforcing; baselining new signatures
Block          Matching packets are dropped                                            Standard enforcement for confirmed attacks
Reset          The session is terminated by sending a TCP reset to client and server   Tearing down an attack session cleanly
Quarantine     The attacker's IP address is blocked for a configurable duration        Stopping a persistent or repeated attacker
Default        Uses the action recommended by FortiGuard for that signature            Trusting FortiGuard's tuning

Pass vs Monitor is a classic exam point: both allow the traffic, but only Monitor generates a log. Pass is effectively "ignore this signature," while Monitor is "allow but record." Block and Reset both stop the traffic — Block drops packets, while Reset additionally sends a TCP reset to close the connection. Quarantine goes further by blocking the offending source IP for a set time.
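The sensor model from the IPS Sensors section and the action semantics from the table above, shown as an added FortiOS CLI example (not configuration from the original page or from Fortinet's documentation): an attribute filter for High/Critical server-side signatures set to Block, a Medium filter set to Monitor (Pass with logging), a single-signature override set to Pass without logging, a rate-based entry that quarantines the source, and the binding to an ACCEPT policy. The sensor name, policy ID and the `<signature-id>` placeholders are assumptions.

```fortios
# Added example, not from the original page or Fortinet docs. Names and the
# policy ID are assumptions; <signature-id> is a placeholder for a real FortiGuard rule ID.
config ips sensor
    edit "srv-protect"
        config entries
            # Filter: every High/Critical signature that targets servers -> Block
            edit 1
                set severity high critical
                set location server
                set action block
                set log enable
            next
            # Filter: Medium severity -> Monitor, i.e. allowed but logged, while baselining
            edit 2
                set severity medium
                set action pass
                set log enable
            next
            # Override: one noisy false-positive signature -> Pass, no log at all
            edit 3
                set rule <signature-id>
                set action pass
                set log disable
            next
            # Rate-based entry: 10 matches from one source within 60 s -> block
            # and quarantine that source IP for 30 minutes (brute-force / flood case)
            edit 4
                set rule <signature-id>
                set rate-count 10
                set rate-duration 60
                set rate-mode continuous
                set rate-track src-ip
                set action block
                set log enable
                set quarantine attacker
                set quarantine-expiry 30m
            next
        end
    next
end
# The sensor only takes effect on an ACCEPT policy; deep SSL inspection is
# needed so that exploits inside HTTPS are visible to the decoders.
config firewall policy
    edit 10
        set action accept
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set ips-sensor "srv-protect"
    next
end
```

Entries are evaluated in order, so the per-signature override in entry 3 wins over the broader filters for that one rule.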

[Diagram: IPS sensor processing flow]

Putting It Together

AntiVirus and IPS are complementary layers. AntiVirus inspects file content for malware and grayware and can escalate unknowns to FortiSandbox; IPS inspects live network behavior for exploit and attack patterns. Both:

  • Attach to ACCEPT firewall policies as security profiles.
  • Depend on SSL inspection to examine encrypted sessions — without full SSL inspection, malware and exploits inside HTTPS go unseen.
  • Rely on FortiGuard subscription services for current signatures.

When designing protection for a policy, an administrator typically combines an AntiVirus profile, an IPS sensor, Web Filter, Application Control, and an SSL/SSH Inspection profile so that file-based, network-based, and web-based threats are all covered.

Test Your Knowledge

  • What is the role of FortiSandbox integration with a FortiGate AntiVirus profile?
  • In an IPS sensor, what is the difference between a signature set to 'Pass' and one set to 'Monitor'?
  • What is the primary function of an IPS protocol decoder?