FortiGate
Article Id 189517
Description

Windows Update downloads flagged as "Suspicious" by antivirus scanning.
Components
  • All FortiGate units.
Steps or Commands

Most Windows updates make changes to operating system files. For this reason, heuristic scanning flags these files as suspicious.

There are two options available to allow Windows Update downloads to occur: modifying AV heuristics, or URL filtering.

Modify AV heuristics

Change the operating mode for AV heuristic scanning to scan and pass, or turn it off entirely, using the CLI. This is the default setting for heuristic scanning as of MR 7.

config antivirus heuristic
    set mode disable
end

Of the two options, changing the operating mode of heuristic scanning to disable is recommended.

Enable web URL Filtering and configure the following entries to exempt the Windows downloads from being AV scanned.

To configure URL filtering:

  1. Go to Web Filter > URL Filter.
  2. Select Create New, or select an already available list.
  3. Select Create New, to create an entry for each of the following exempt rules.
    • URL = .*update\.microsoft\.com.*
      Type = regex
      Action = exempt
    • URL = .*download\.windowsupdate\.com.*
      Type = regex
      Action = exempt
    • URL = .*\.microsoft\.com.*
      Type = regex
      Action = exempt
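
A way to check how far the exempt regexes listed above reach before relying on them, as an added example that is not part of the Fortinet article. It assumes the filter matches each pattern against the URL in host/path form without a scheme, and that Python's `re` treats these patterns the same way the FortiGate regex engine does; the anchored variants and all sample URLs are constructed for illustration.

```python
import re

# Exempt patterns exactly as listed in the article.
ARTICLE_PATTERNS = [
    r".*update\.microsoft\.com.*",
    r".*download\.windowsupdate\.com.*",
    r".*\.microsoft\.com.*",
]

# Hypothetical tighter variants (assumption, not from the article): anchored at
# the start of the host so the domain must be the end of the hostname.
ANCHORED_PATTERNS = [
    r"^([a-z0-9-]+\.)*update\.microsoft\.com(:\d+)?(/|$)",
    r"^([a-z0-9-]+\.)*download\.windowsupdate\.com(:\d+)?(/|$)",
    r"^([a-z0-9-]+\.)+microsoft\.com(:\d+)?(/|$)",
]

# Constructed sample URLs in host/path form; True marks a genuine update host.
SAMPLES = [
    ("update.microsoft.com/v6/default.aspx", True),
    ("au.download.windowsupdate.com/c/msdownload/x.cab", True),
    ("download.windowsupdate.com.cdn.example.net/x.cab", False),
    ("files.example.org/mirror/update.microsoft.com/x.exe", False),
    ("files.example.org/get?ref=www.microsoft.com", False),
]

def exempted(url, patterns):
    """Return True if any pattern matches, i.e. the URL would skip AV scanning."""
    return any(re.search(p, url, re.IGNORECASE) for p in patterns)

def unintended_exemptions(patterns):
    """Sample URLs that are exempted although the host is not an update host."""
    return [u for u, genuine in SAMPLES if not genuine and exempted(u, patterns)]

def missed_updates(patterns):
    """Genuine update URLs that the patterns fail to exempt."""
    return [u for u, genuine in SAMPLES if genuine and not exempted(u, patterns)]

if __name__ == "__main__":
    for name, pats in (("article", ARTICLE_PATTERNS), ("anchored", ANCHORED_PATTERNS)):
        print(name, "unintended:", unintended_exemptions(pats))
        print(name, "missed:", missed_updates(pats))
```

Because the article's patterns begin and end with `.*`, they match the domain string anywhere in the URL, including the path and query; any tightened pattern should be tested on the unit itself before it replaces the documented entries.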