Created on 11-11-2004 12:00 AM Edited on 12-16-2021 08:49 AM
Article
Description
This article describes what to do if host-based antivirus software does not respond to the FortiGate AV "do not deliver" order.

FortiGate AV Behavior
By default the Antivirus SMTP splice option is enabled (the default option is not visible in the FortiGate's configuration file). This means that the FortiGate scans the email and sends it to the mail server at the same time. If the FortiGate AV finds a virus in the email, it sends an error message to the mail server to inform it not to deliver the mail. This follows the RFC specifications.
Issue
This can happen if you are running a host-based AV server on the mail server. The host-based AV sits between the Internet (and therefore the FortiGate unit) and the SMTP program on the server, holding one connection to each side and acting as a kind of transparent proxy, just as the FortiGate AV does. The host-based AV does not care that delivery was refused by the FortiGate: what it sees is that one of its AV signatures matched the file it received (sent by the FortiGate), and it raises an alarm without regard to the SMTP non-delivery order sent by the FortiGate. The behaviour can be the same for a file blocked by file pattern.
Solution
There is a simple way to change this behaviour: disable SMTP splice on the FortiGate unit using the CLI. Enter:

    set antivirus service SMTP splice disable

With this setting, the FortiGate unit buffers the entire file before it starts sending it to the mail server, so the host-based antivirus system does not see the file at all.
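To make the difference between the two modes concrete, here is an added model (not code from the Fortinet article or from FortiOS) of what a host-based AV placed in front of the MTA sees in splice mode versus buffered mode. The signature marker, the SMTP replies and the function names are constructed assumptions for illustration.

```python
# Added example: a minimal model of the two FortiGate SMTP AV modes described
# above. MARKER stands in for a matching AV signature; the host-based AV is
# modelled as a counter of the chunks that reach it. All names are hypothetical.
from typing import List, Tuple

MARKER = b"CONSTRUCTED-SIGNATURE-MARKER"   # constructed, not a real signature
REJECT = "554 5.7.1 Virus detected, message not delivered"  # assumed reply text
ACCEPT = "250 2.0.0 OK"

def splice_mode(chunks: List[bytes]) -> Tuple[List[bytes], str]:
    """Splice enabled: each DATA chunk is forwarded to the mail server while
    the scan runs; on a hit the FortiGate stops and returns an SMTP error."""
    forwarded: List[bytes] = []
    scanned = b""
    for chunk in chunks:
        forwarded.append(chunk)          # sent on before the verdict is known
        scanned += chunk                 # scan the stream seen so far
        if MARKER in scanned:
            return forwarded, REJECT     # "do not deliver" order, sent too late
    return forwarded, ACCEPT

def buffered_mode(chunks: List[bytes]) -> Tuple[List[bytes], str]:
    """Splice disabled: the whole message is buffered and scanned first;
    nothing reaches the mail server unless the scan is clean."""
    if MARKER in b"".join(chunks):
        return [], REJECT                # no bytes ever leave the FortiGate
    return list(chunks), ACCEPT

def host_av_alarms(forwarded: List[bytes]) -> int:
    """Host-based AV in front of the MTA: it only inspects the bytes it
    receives and ignores the SMTP reply that follows them."""
    return sum(1 for chunk in forwarded if MARKER in chunk)

# Constructed sample: three DATA chunks, the signature in the second one.
SAMPLE = [b"From: sender@example.test\r\n", b"body " + MARKER + b"\r\n", b".\r\n"]

if __name__ == "__main__":
    for name, mode in (("splice", splice_mode), ("buffered", buffered_mode)):
        fwd, reply = mode(SAMPLE)
        print(f"{name}: reply={reply!r} host-AV alarms={host_av_alarms(fwd)}")
```

In splice mode the reject reply arrives after the infected chunk has already been forwarded, which is exactly why the downstream AV alarms; in buffered mode the forwarded list is empty.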
Copyright 2024 Fortinet, Inc. All Rights Reserved.