FortiGate
Article Id 197644


Description

This article describes what to do if the FortiGate unit does not detect a virus in an infected file. This can happen when a FortiGate unit with virus scanning enabled allows a file to be received from the Internet (for example, from a web page or attached to an email), but the PC antivirus software reports that the file is infected with a virus.

Components
  • FortiOS 3.0, all versions
Steps or Commands

FortiGate virus scanning is not intended to replace desktop antivirus software. Ideally, the most effective virus scanning involves a layered approach.

The first layer should be a FortiGate unit that stops viruses before they enter the network. The last layer should be the PC virus scanning software.


Note: FortiOS 3.0 virus scanning is not available for encrypted traffic including:

  • HTTPS
  • STARTTLS enabled SMTP
  • Encrypted P2P traffic
  • Other encrypted traffic not terminated by the FortiGate unit.

Future versions of FortiOS will support virus scanning of encrypted traffic for HTTPS, SMTPS, POP3S and IMAPS protocols. If running FortiOS 3.0, files downloaded using these encrypted protocols should be virus scanned by the PC virus scanning software.


If a file is downloaded using a non-encrypted protocol (for example, during normal web browsing or in an unencrypted email) and the PC antivirus software finds a virus in it but the FortiGate unit does not, test the file to confirm whether it is infected with a virus that the FortiGate should have detected.


Go to the FortiGuard Online Virus Scanner to test the infected file. The URL is:

http://www.fortiguardcenter.com/antivirus/virus_scanner.html


If the FortiGuard Online Virus Scanner detects a virus in the file, confirm that the FortiGate virus definitions are up to date by comparing the virus definitions (also called the virus database) version displayed on the FortiGate System Status page to what is displayed on the FortiGuard Center home page.


If the FortiGate virus definitions are out of date, update the FortiGate unit so that it has the most recent definitions. Update the FortiGate virus definitions from the System Status page.


If the virus is not found by the FortiGuard Online Virus Scanner, submit the file to Fortinet after the scan is complete. Include as much information about the virus as possible, including the name of the virus, the name of the virus scanning software that found it, and any web pages found with information about the virus.


This information will help the FortiGuard Antivirus Signature Team to do the required investigation and create a new signature. To receive a notification when the new signature has been added to the antivirus database, include an email address when submitting the infected file.


If a virus sample is submitted to Fortinet Support, the Support Team can check the FortiGate unit to make sure that it is updating without error and can also verify that the antivirus software is detecting the correct virus. If the source for the virus can be identified the Support team can investigate that as well. If the virus is not detected by the latest FortiGate virus definitions, then Support will submit the file to the FortiGuard Online Virus Scanner with the contact information. The FortiGuard Antivirus Signature Team will contact the user when a new signature is ready.

Testing FortiGate virus scanning using an EICAR test file

Make sure that FortiGate virus scanning is functioning correctly by attempting to download an EICAR test file. Web sites with EICAR test files can be found using any search engine to search for eicar. When attempting to download an EICAR test file it should be blocked by the FortiGate unit.
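As an added example (not part of the original article or Fortinet's own tooling), the following Python script runs the EICAR test from a PC behind the FortiGate over both plain HTTP and HTTPS and interprets the result against the FortiOS 3.0 behaviour described above: HTTP downloads should be blocked, while HTTPS is not scanned and the file is expected to arrive. The download URLs are assumed placeholders; replace them with any EICAR host found with a search engine.

```python
import urllib.request
import urllib.error

# The public EICAR test string, split in two so that this source file is not
# itself flagged by desktop antivirus when saved to disk.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumed download locations (placeholders): substitute any EICAR test-file host.
TEST_URLS = {
    "http": "http://www.eicar.org/download/eicar.com",
    "https": "https://secure.eicar.org/eicar.com",
}

# Expected FortiOS 3.0 behaviour per protocol: plain HTTP is scanned and the
# download is blocked; HTTPS is not scanned, so the file is delivered and only
# the PC antivirus (the last layer) can catch it.
EXPECTED = {"http": "blocked", "https": "delivered"}


def classify(status, body):
    """Decide what the PC actually received: the intact test file or a block."""
    if EICAR.encode() in body:
        return "delivered"
    if status >= 400 or b"virus" in body.lower():
        return "blocked"        # FortiGate replacement page or an HTTP error
    return "unknown"            # e.g. empty body: inspect manually


def interpret(protocol, observed):
    """Compare an observed outcome with the expected FortiOS 3.0 behaviour."""
    if observed == EXPECTED[protocol]:
        return "as expected"
    if protocol == "http" and observed == "delivered":
        return ("PROBLEM: HTTP download not blocked; confirm virus scanning is "
                "enabled for this traffic and that the definitions are current")
    return "unexpected: %s over %s" % (observed, protocol)


def fetch(url, timeout=10):
    """Download the URL and return (status, body); HTTP errors keep their body."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    for proto, url in TEST_URLS.items():
        outcome = classify(*fetch(url))
        print("%-5s %-9s -> %s" % (proto, outcome, interpret(proto, outcome)))
```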
