
Course 201 - Administration, Content Inspection and VPNs Antivirus

Antivirus
Module 7

2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C

Module Objectives

By the end of this module participants will be able to:

- Describe conserve mode conditions and AV system behavior
- Define the virus scanning techniques used on the FortiGate unit
- Identify the differences between file-based and flow-based virus scanning
- Configure quarantine options
- Define firewall policies using antivirus profiles
- Update FortiGuard Services

01-50000-0201-20130215-C

Conserve Mode

What is conserve mode?

- System self-protection measure when facing local resource exhaustion
- When entering conserve mode the FortiGate unit activates protection measures in order to recover memory space
- Once enough memory is recovered, the system leaves the conserve mode state and releases the protection measures
- Two types: regular and kernel
- Search "conserve mode" at: http://kb.fortinet.com
- KB Article IDs: FD33103, 11076, 10209

Conserve Mode

Regular conserve mode is depletion of shared memory

- Used mainly by proxies (to store the buffered data) but also by buffers (logging, quarantining)
- Impact (configurable):
  - Established sessions remain unchanged
  - New sessions are not inspected
  - Fail-open action applies to stream- and proxy-based inspection


AV Fail-Open

There are currently two conditions that can cause the FortiGate unit to operate in AV fail-open mode:

- The system is low on memory and has entered conserve mode
- The individual proxy pool is full (no free connections are available)

With the first condition, low memory, the av-failopen setting will be applied. The default for this setting is Pass.

AV Fail-Open

- The system enters conserve mode when the amount of free shared memory is less than approximately 20%
- Goes back to non-conserve mode when this value increases to approximately 30%
- Log entry details the actual amount of memory

    config system global
        set av-failopen {idledrop | off | one-shot | pass}

    idledrop    drop idle connections
    off
    one-shot
    pass


AV Fail-Open

The second condition occurs when the individual proxy pool is full (default: disable)

- The action will depend on the av-failopen-session setting
- If av-failopen-session is enabled and the free connections in the proxy connection pool reach zero, the protocol reverts back to the av-failopen setting
- If av-failopen-session is disabled and the limit is reached, all sessions will be blocked for the proxy
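The two fail-open conditions and the 20%/30% conserve-mode thresholds from the slides above, modelled as an added Python example (this is not Fortinet code). The thresholds, the av-failopen values and the av-failopen-session behaviour are taken from the slides; what off, pass and one-shot do to a new session is an assumption based on their names, since the slides define only idledrop.

```python
ENTER_CONSERVE_BELOW = 20.0  # free shared memory (%) below which conserve mode begins
EXIT_CONSERVE_ABOVE = 30.0   # free shared memory (%) above which it is released


class AvProxy:
    """Conserve-mode hysteresis plus the two AV fail-open conditions (constructed model)."""

    def __init__(self, av_failopen="pass", av_failopen_session=False, pool_size=4):
        assert av_failopen in ("pass", "off", "one-shot", "idledrop")
        self.av_failopen = av_failopen            # config system global / set av-failopen
        self.av_failopen_session = av_failopen_session
        self.pool_size = pool_size                 # size of this proxy's connection pool
        self.active = 0                            # connections held in the pool
        self.idle = 0                              # idle connections, candidates for idledrop
        self.conserve = False
        self.bypass_latched = False                # assumption: one-shot stays in bypass

    def update_memory(self, free_pct):
        """Apply the 20%/30% hysteresis; return True while in conserve mode."""
        if not self.conserve and free_pct < ENTER_CONSERVE_BELOW:
            self.conserve = True
        elif self.conserve and free_pct > EXIT_CONSERVE_ABOVE:
            self.conserve = False
        return self.conserve

    def _failopen_action(self):
        # Assumed meaning of each av-failopen value; the slide defines only idledrop.
        if self.av_failopen == "idledrop":
            dropped, self.idle = self.idle, 0      # drop idle connections to free memory
            self.active -= dropped
            return "drop-idle:%d" % dropped
        if self.av_failopen == "one-shot":
            self.bypass_latched = True
        if self.av_failopen in ("pass", "one-shot"):
            return "pass-unscanned"
        return "block"                             # "off"

    def new_session(self):
        """Decide how a new session is handled under the current conditions."""
        if self.conserve or self.bypass_latched:   # condition 1: low memory (conserve mode)
            return self._failopen_action()
        if self.active >= self.pool_size:          # condition 2: proxy pool full
            if self.av_failopen_session:
                return self._failopen_action()     # revert to the av-failopen setting
            return "block"                         # all sessions blocked for this proxy
        self.active += 1
        return "scan"
```

Note that between 20% and 30% free memory the unit stays in whichever state it was already in, which is why a unit that has entered conserve mode does not leave it as soon as memory creeps back above 20%.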

Antivirus

- Detect and eliminate viruses, worms, Trojans and spyware in real time
- Stop threats before they enter the network
- Scans HTTP and FTP traffic as well as incoming and outgoing SMTP, POP3 and IMAP email
- Internet Content Adaptation Protocol (ICAP) support
  - FortiGate unit acts as an ICAP client to communicate with ICAP servers that the FortiGate unit can utilize for offloading AV scanning services
  - First enable in Admin Settings, then configure under UTM Security Profiles > ICAP


Antivirus Scanning Order

[Diagram: scanning order applied to a file: File size -> File name pattern -> Virus scan -> File type -> Grayware -> Heuristics]

Proxy-Based Scanning

- Antivirus proxy buffers the file as it arrives
- Once transmission is complete, the virus scanner examines the file
- Higher detection and accuracy rate
- Comfort Clients can be used to avoid timeouts


Flow-Based Scanning

- File is scanned on a packet-by-packet basis as it passes through the FortiGate unit
- Faster scanning, but lower accuracy rate
- Difficulty in catching virus variants
- Only available on certain models
- Non-proxy scanning


Virus Scanning

- Regular
- Extended
- Extreme
- Flow-based


Unknown Viruses

- Sometimes a virus may go undetected because it is not in the signature database
- To submit a virus go to: http://www.fortiguard.com/antivirus/virus_scanner.html


Known Virus

- Sometimes viruses will get through because the proper antivirus scan options are not enabled
- FortiGuard Subscription Service contains information on which database a virus is in


Heuristics Scanning

[Diagram: virus-like attribute + virus-like attribute + virus-like attribute > heuristic threshold -> Suspicious]

- FortiGate unit tests for virus-like behavior
- Virus-like attributes are totaled and if greater than a threshold, the file is marked as suspicious
- Use a CLI command to block suspicious files
- Possibility of false positives


Antivirus Profiles


UTM Proxy Options


Quarantine

- Infected, blocked or suspicious files can be quarantined to the hard drive on the FortiGate unit or to the FortiAnalyzer device
- Files quarantined based on their protocol
- Information regarding quarantined files is displayed in the logs

[Diagram: quarantine destinations: local hard drive or FortiAnalyzer]


Logs


Labs

Lab 1: Antivirus Scanning

- Ex 1: Antivirus Testing


Classroom Lab Topology
