FortiGate
Article Id 198228


Description


This article describes what to do if host-based antivirus software does not honour the FortiGate AV "do not deliver" order.

Components


  • FortiGate Antivirus Firewalls running FortiOS v2.50

  • Host-based antivirus software running concurrently

FortiGate AV Behavior

By default, the antivirus SMTP splice option is enabled (because it is the default, this setting does not appear in the FortiGate configuration file).
Further information on SMTP splice is available in the CLI guide (Volume 6) of the FortiGate v2.50 technical documentation.

This means that the FortiGate scans the email and forwards it to the mail server at the same time.

If the FortiGate AV finds a virus in the email, it sends an error message to the mail server to inform it not to deliver the mail.

This follows the RFC specifications.

Issue

This is what can happen if you are also running a host-based AV on the mail server:

The host-based AV sits between the Internet (that is, the FortiGate unit) and the SMTP program on the server.

It holds one connection to the FortiGate and another to the mail server, acting as a kind of transparent proxy (much as the FortiGate AV itself does), and it does not care that the FortiGate refused delivery.

What the host-based AV sees is that one of its AV signatures matched the file it received (sent by the FortiGate), so it raises an alarm without taking the SMTP non-delivery order sent by the FortiGate into account.

The same behaviour can occur for a file blocked by file pattern.

Solution

There is a simple way to change this behaviour: disable SMTP splice on the FortiGate unit using CLI. Enter:

    set antivirus service SMTP splice disable

With this setting, the FortiGate unit buffers the entire file before it starts sending it to the mail server, so the host-based antivirus system doesn't see the file at all.
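To make the difference between the two modes concrete, here is an added Python model (not Fortinet code, and not what FortiOS runs internally) of a splice-enabled and a buffered SMTP AV proxy; the chunked message, the signature marker and the MailServerSide class are all constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed, inert marker standing in for an AV signature match (no real malware).
SIGNATURE = b"FAKE-MALWARE-MARKER"

# Constructed SMTP DATA payload, arriving in chunks as the FortiGate would see it.
MESSAGE_CHUNKS = [
    b"From: sender@example.test\r\nTo: user@example.test\r\n\r\n",
    b"Please find the attachment below.\r\n",
    b"--attachment--\r\n" + SIGNATURE + b"\r\n",
    b"--end--\r\n.\r\n",
]


@dataclass
class MailServerSide:
    """Stands in for the host-based AV proxy and the SMTP server behind the FortiGate."""
    received: bytes = b""            # bytes that reached the host-based AV
    nondelivery_order: bool = False  # FortiGate's "do not deliver" error was sent

    def host_av_alarm(self) -> bool:
        # The host-based AV alarms on whatever bytes it received, regardless of
        # the non-delivery order, which is exactly the behaviour described above.
        return SIGNATURE in self.received


def fortigate_scan(data: bytes) -> bool:
    """Simplified stand-in for the FortiGate AV signature scan."""
    return SIGNATURE in data


def relay(chunks, splice: bool) -> MailServerSide:
    """Model the FortiGate SMTP AV proxy with splice enabled or disabled."""
    server = MailServerSide()
    if splice:
        # Splice enabled: each chunk is forwarded while the scan is still running,
        # so the downstream side already holds the data when the verdict arrives.
        seen = b""
        for chunk in chunks:
            server.received += chunk
            seen += chunk
            if fortigate_scan(seen):
                server.nondelivery_order = True  # SMTP error: do not deliver
                return server
        return server
    # Splice disabled: buffer the entire message, scan it, forward only if clean.
    body = b"".join(chunks)
    if fortigate_scan(body):
        server.nondelivery_order = True  # nothing was forwarded downstream
        return server
    server.received = body
    return server
```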
