- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiMail Threat mitigation steps.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiMail Threat mitigation steps.
Hello Everyone,
I am concerned about how actually fortimail works means how using what deep inside architecture methods or steps a fortimail looks for a Spam or virus.
I am well known about how it will capture a spam using Fortiguard options but i if a threat or virus comes in an e-mail how will fortimail recognise that it is a virus or something like that??? I know it will use some heuristic feature and Forged IP and baeysian filtering and so on but what is the basic architecture of a fortimail packet capturing.
I have to present Fortimail in comparison with other products so rather than defining features i would like to know the key to how a fortimail scans a packet using what algorithms and methods. Because these features are in Mcafee, Proof Point and so on but tell me some points about how good Fortimail scans using what algo against other products.
I will be thankfull to all of you who will answer me.
20 REPLIES 20
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: Saqib Zafar [snip] but i if a threat or virus comes in an e-mail how will fortimail recognise that it is a virus or something like that??? I know it will use some heuristic feature and Forged IP and baeysian filtering and so on but what is the basic architecture of a fortimail packet capturing. I have to present Fortimail in comparison with other products so rather than defining features i would like to know the key to how a fortimail scans a packet using what algorithms and methods. Because these features are in Mcafee, Proof Point and so on but tell me some points about how good Fortimail scans using what algo against other products.For malware detection, there are multiple layers of protection: • The first line of defence is our FortiGuard IP Reputation DB. We know if we have seen spam/malware sent from specific sources recently so can block connections early in the process. • If the mail is accepted and not detected as spam, we will run the file through our AV Engine. This is based on AV Signatures which detect and block known malware and most of its variants (sometimes unknown). It is highly accurate with few false positives. This signature approach is backed by a sophisticated antivirus engine that can detect polymorphic malware. In fact, the signatures are quite intelligent. For example, one single signature can detect over 50,000 polymorphic viruses in some scenarios. • Optional Greyware scanning which detects files which may have a legitimate use but are commonly misused (Remote Access tools etc) • For unknown malware, the next level is the Realtime sandbox malware analysis. This method emulates execution and detects and blocks malware based on a scoring system of known malicious behaviours or characteristics. This detects malware that doesn' t match a signature, but behaves similarly to known malware. Can be used to block or to flag suspicious files for further analysis. • Anything which is flagged suspicious can optionally be sent to a FortiSandbox Advanced Threat Detection Appliance http://www.fortinet.com/products/fortisandbox/ for further processing (FML 5.1 upward). Whilst this is happening, the email can be queued (FML 5.2 upwards). The FortiSandbox will open the file in a virtual OS environment, execute and monitor for malicious behaviour. The threat level is communicated back to the FortiMail which makes the decision whether to release or quarantine the mail In addition to these direct embedded malware methods, there are other methods which protect against linking to known malware including URL Filtering to block redirection to phishing, malware, adult, illegal content sites etc. I have kept the response specific to malware, however some of the methods you mention Forged IP, Baeysian etc are more related to anti-spam (however every AS method helps mitigate malware risk). If you require more information, let me know.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
basically AV engine will do the inspection for the email content if it is enabled. it is based on the signatures and it will help in virus detection.
Osama
Osama
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
• Optional Greyware scanning which detects files which may have a legitimate use but are commonly misused (Remote Access tools etc)Carl can you expand on greyware scanning and where is that enable configured at AS or AV profiles? btw, A great response.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greyware scanning is configured under the AV Profile
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay thanks I found it. Now if any action that' s taken against greyware, what will show in the logs as what ?
fwiw; I didn' t find anything to helpful for 5.1 help about greyware scanning & we get very little AV detect in our emails so I never seen any logs entries that shows grewyare detection.
Thanks
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am in the process of documenting a lot of this for a white paper on the various threat mitigation techniques and best practice config.
Will let you know once complete.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Carl, have you been able to complete the white paper yet? If not would you be able to share what you' ve got so far? We' re just gettings started with fortimail and any best practice tips you could share would be much appreciated.
Thanks!
Jeff Roback
Jeff Roback
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: Jeff Roback Hi, Carl, have you been able to complete the white paper yet?Not yet. I am just completing the 5.2 release process (which incidentally adds a whole new range of threat mitigation techniques) and will get back on the case. I have just finished a new White Paper on FML Threat Mitigation using the new integration with FortiSandbox. This will be posted on the Whitepapers site later today.
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there, were you ever able to get this document together?
Thanks! Jeff
Jeff Roback
Jeff Roback
Related Posts
- Safetica DLP integrates with Fortinet 337 Views
- Fortimail/Fortinet/FortiGuard threat-list ingest 15833 Views
- Introducing FortiMail 6.2 14616 Views
- SMTP Authentication failure and mobile users... 1449 Views
- Fortimail to Fortisandbox by SYSLOG hitting... 2094 Views
Labels
-
FortiGate
6,526 -
FortiClient
1,301 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
241 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.