FortiMail
opetr_FTNT (Staff)
Article Id 195987
Description
This article describes how to proceed when a virus has apparently passed through a FortiMail unit undetected, while an EICAR test file (http://www.eicar.org/85-0-Download.html) is detected correctly.

This can happen when the signature for the virus that passed was not yet included in the Fortinet AV database, or when the most recent AV definition files have not yet been installed on the FortiMail.

Solution
When the problem is spotted, here are steps to follow:

1) Get the infected file.

2) Verify on the FortiGuard Center web portal (http://www.fortiguard.com/antivirus/virus_scanner.html) whether the virus is present in the latest AV database.

(a) If the file is reported as clean, FortiGuard does not yet have a signature for it. You can submit the file directly to the Fortinet AV team on the same web page. Note that the file will not be detected until the database has been updated by the Fortinet AV team.


(b) If the file is reported as infected, then the next step is to check the version of the AV database that is installed on the FortiMail.


3) Select the 'Virus' option on the FortiGuard Center web portal (http://www.fortiguard.com/antivirus/) and make a note of the latest AV database version, for example 25.063.

4) Verify that the latest database is installed on the FortiMail.


5) If the unit does not have the latest definitions, they can be downloaded with the "Update Now" button. The update can take a few minutes, depending on the network speed.


Configuration CLI

The same check can be done through the CLI:

diag autoupdate versions
System Time:  2015-03-16 16:38:44 CET (Uptime: 31d 7h 4m)
AV Engine
---------
Version: 5.00152
Contract Expiry Date: Tue Oct  3 01:00:00 2017
Last Updated using manual update on Mon Apr 14 18:33:00 2014
Last Update Attempt: Mon Mar 16 16:03:33 2015
Result: No Updates

Virus Definitions
---------
Version: 25.00063 <<<<<
Contract Expiry Date: Tue Oct  3 01:00:00 2017
Last Updated using scheduled update on Mon Mar 16 16:03:33 2015
Last Update Attempt: Mon Mar 16 16:03:33 2015
Result: Updates Installed
<--output omitted -->
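The version shown on the FortiGuard portal (25.063) and the one printed by 'diag autoupdate versions' (25.00063) are the same release written with different zero padding, so a plain string comparison would report a mismatch. The following Python script is an added example, not part of this article or of any Fortinet tool: it parses the CLI output above (embedded as a constructed sample), extracts the Virus Definitions version, normalises both formats to integer tuples, and reports whether the installed database is at least as new as the portal version. The assumption that the two notations map to the same numeric release is taken from the way the article marks 25.00063 as the match for 25.063.

```python
import re

# Constructed sample: the 'diag autoupdate versions' output quoted in this article,
# trimmed to the AV Engine and Virus Definitions sections.
SAMPLE_OUTPUT = """\
System Time:  2015-03-16 16:38:44 CET (Uptime: 31d 7h 4m)
AV Engine
---------
Version: 5.00152
Contract Expiry Date: Tue Oct  3 01:00:00 2017
Last Updated using manual update on Mon Apr 14 18:33:00 2014
Last Update Attempt: Mon Mar 16 16:03:33 2015
Result: No Updates

Virus Definitions
---------
Version: 25.00063
Contract Expiry Date: Tue Oct  3 01:00:00 2017
Last Updated using scheduled update on Mon Mar 16 16:03:33 2015
Last Update Attempt: Mon Mar 16 16:03:33 2015
Result: Updates Installed
"""

# A field line is "<letters and spaces>: <value>"; timestamps inside free-text
# lines ("... on Mon Apr 14 18:33:00 2014") contain digits before the colon and
# therefore do not match, so they are kept as notes instead of being split.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")
RULE_RE = re.compile(r"^-{3,}$")


def parse_autoupdate_versions(text):
    """Return {section_name: {field: value, 'Notes': [...]}} for each
    section, where a section is a line followed by a line of dashes."""
    sections = {}
    lines = [line.rstrip() for line in text.splitlines()]
    current = None
    for i, line in enumerate(lines):
        stripped = line.strip()
        next_is_rule = i + 1 < len(lines) and RULE_RE.match(lines[i + 1].strip())
        if stripped and next_is_rule:
            current = stripped
            sections[current] = {}
            continue
        if current is None or not stripped or RULE_RE.match(stripped):
            continue
        match = FIELD_RE.match(stripped)
        if match:
            sections[current][match.group(1).strip()] = match.group(2).strip()
        else:
            sections[current].setdefault("Notes", []).append(stripped)
    return sections


def version_tuple(version):
    """Normalise '25.00063' and '25.063' to (25, 63) so both notations compare
    equal (assumption: the zero padding differs, the release does not)."""
    return tuple(int(part) for part in version.strip().split("."))


def definitions_are_current(cli_output, portal_version):
    """Compare the installed Virus Definitions version against the version
    noted from the FortiGuard portal. Returns (is_current, installed_version)."""
    sections = parse_autoupdate_versions(cli_output)
    installed = sections["Virus Definitions"]["Version"]
    return version_tuple(installed) >= version_tuple(portal_version), installed


if __name__ == "__main__":
    current, installed = definitions_are_current(SAMPLE_OUTPUT, "25.063")
    state = "up to date" if current else "OUT OF DATE - run 'exec update av'"
    print(f"Installed Virus Definitions {installed}: {state}")
```

In practice the CLI output would be captured from the unit (for example pasted from a terminal session) and the portal version typed in from step 3; the comparison is the only part that should be automated, the update itself stays a deliberate administrator action.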


To update the databases run:

exec update av #update only AV databases

OR

exec update now #update all databases

Once the databases are up to date (and the FortiGuard Center web portal confirms that the file is detected), the infected file should no longer pass. Verify this by re-sending the infected file through the FortiMail.

If the problem persists, create a support ticket and attach the following:
* configuration backup
* output of 'diag autoupdate versions'
* infected file
* cross-search result for the mail that should have been blocked by the antivirus check. The steps are explained in the FortiMail Admin Guide, in the section 'Cross-searching log messages'.
