Article Id 194107
Description
Considerations for the oversize threshold of the AntiVirus scan.
Components
  • All FortiGate units.
  • FortiOS 2.80 and 3.0 up to MR6
Steps or Commands

To limit the in-memory file size that a FortiGate unit can scan, you can define the oversize threshold. If a file size is larger than this size threshold, the FortiGate unit will either pass or block the file.

You can set the threshold in the AntiVirus section of the Protection Profile by going to Firewall > Protection Profile.

HTTP compression (widely known as Content-Encoding) is a method of compressing the original data before it is transferred. Depending on the original data type, the compressed data can be as small as 1/4 of its original size.

Some files that are actually larger than the oversize threshold become far smaller when they are compressed and passed using a Content-Encoding method such as gzip, deflate or compress. To prevent such encoded files from getting through, the FortiGate unit applies a threshold of 1/3 of the defined threshold to Content-Encoded data.

Because of this designed behavior, HTTP compressed (Content-Encoded) data may trigger the oversize action (pass or block) as soon as the FortiGate unit has buffered 1/3 of the threshold.
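To estimate which downloads will hit the oversize action under this rule, the following added example (a model written for this article, not FortiOS code) compares the bytes on the wire with the full threshold for plain responses and with 1/3 of it for Content-Encoded ones. The threshold value, the byte units, the integer division, the strict "larger than" comparison and the sample payloads are assumptions constructed for illustration.

```python
import gzip
import os

ENCODINGS = {"gzip", "deflate", "compress"}  # methods named in the article
THRESHOLD = 300_000  # constructed oversize threshold, in bytes (assumption)

def effective_limit(threshold, content_encoding=None):
    """Bytes that may be buffered before the oversize action applies."""
    tokens = {t.strip().lower() for t in (content_encoding or "").split(",")}
    if tokens & ENCODINGS:
        return threshold // 3  # 1/3 rule; integer division is an assumption
    return threshold

def classify(wire_len, threshold, content_encoding=None):
    """Return 'oversize' (pass/block action) or 'scan' for a response body."""
    limit = effective_limit(threshold, content_encoding)
    return "oversize" if wire_len > limit else "scan"

def report(name, original, threshold=THRESHOLD):
    """Compare the same file sent as-is and sent with Content-Encoding: gzip."""
    wire = gzip.compress(original)
    return {
        "name": name,
        "original": len(original),
        "wire": len(wire),
        "identity": classify(len(original), threshold),
        "gzip": classify(len(wire), threshold, "gzip"),
    }

def run_samples():
    # Constructed payloads: repetitive text, incompressible data, and a mix.
    samples = {
        "text": b"GET /index.html HTTP/1.1\r\n" * 10_000,      # 260,000 bytes
        "random": os.urandom(250_000),                          # 250,000 bytes
        "mixed": os.urandom(150_000) + bytes(250_000),          # 400,000 bytes
    }
    return [report(name, data) for name, data in samples.items()]

if __name__ == "__main__":
    for row in run_samples():
        print(row)
```

In this model the "random" sample is under the configured threshold yet triggers the oversize action when gzip-encoded, because already-compressed content barely shrinks. The "mixed" sample is over the threshold but its encoded form is under it, which is the case the 1/3 rule is designed to catch.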

This behavior is currently under investigation for future releases.