Exclude file from AV scanner

theG
2014/09/09 02:02:22

Exclude file from AV scanner

Hi guys,

Is there a way to exclude certain files from being scanned by the FGT AV?


thanks
theG
#1


    Christopher McMullan_FTNT
    RE: Exclude file from AV scanner 2014/09/09 07:00:22
    This is based on FortiOS v5.0, but the syntax looks the same in v5.2. It's reasonably safe to assume the syntax reaches back into 4.3 and beyond.

    You can configure a blacklist or whitelist per-profile for AV, and apply it based on file pattern or file type:

    config antivirus profile
        edit <profile_name>
            set analytics-wl-filetype <filepattern_list_int>
            ...
    end

    config dlp filepattern
        edit <filepattern_list_int>
            set name <list_name_str>
            config entries
                edit <filepattern_str>
                    set file-type ...
                    set filter-type {pattern | type}
            end
    end

    File pattern means the file's name. File type would require the FortiGate to try and determine what kind of file is being scanned based on its contents. In the case of file pattern, the name you give to the entry in quotation marks, i.e., edit "allowedfile.zip", will be what the FortiGate looks for.

    This is covered in pp. 58 and 77-78 in the CLI Reference Guide for OS 5.0.
    (http://docs.fortinet.com/uploaded/files/800/fortigate-cli-50.pdf)

    Regards,
    Chris McMullan
    Fortinet Ottawa
    #2
    AndreaSoliva
    RE: Exclude file from AV scanner 2014/09/22 07:21:06
    Hi

    This possibility is no longer available under 5.2.1, even though the command "config dlp filepattern" still exists. The command which is gone is "analytics-[wl | bl]-filetype". From my point of view, the command "config dlp filepattern" is going to nirvana because the lists are no longer usable within the DLP sensor!

    This is for 5.2.1; under 5.2.0 this was still possible!

    have fun

    Andrea
    #3
    Christopher McMullan_FTNT
    RE: Exclude file from AV scanner 2014/09/22 14:13:33
    I can confirm the command is still available to me on a FGT60C running 5.2.1.

    Could you show the CLI output from attempting to add a DLP filepattern as a WL to the A/V profile? Or a screenshot?

    Regards,
    Chris McMullan
    Fortinet Ottawa
    #4
    AndreaSoliva
    RE: Exclude file from AV scanner 2014/09/24 01:19:58
    Hi

    I have a 60D which is still configured, or was, with this function; this means:

    config antivirus profile
        edit <profile_name>
            set analytics-wl-filetype <filepattern_list_int>
            ...
    end

    config dlp filepattern
        edit <filepattern_list_int>
            set name <list_name_str>
            config entries
                edit <filepattern_str>
                    set file-type ...
                    set filter-type {pattern | type}
            end
    end

    I upgraded to 5.2.1 and now I see the filepatterns which I created under 5.2.0, but under antivirus the commands:

    set analytics-wl-filetype <filepattern_list_int>
    set analytics-bl-filetype <filepattern_list_int>

    are no longer available. This is the reason I said it is no longer available. It can be a bug on the 60D, which would not surprise me!

    hope this helps

    have fun

    Andrea

    #5
    Christopher McMullan_FTNT
    RE: Exclude file from AV scanner 2014/09/24 09:35:36
    It looks like something specific to the 60D, you're right. I can still see the option on my 60C.

    On the 60D it looks more tightly tied to ftgd-analytics than it had been before, since on my lab 60D running 5.2.1, the analytics-bl... options only appeared after specifying:
    set ftgd-analytics {suspicious | everything}.

    Regards,
    Chris McMullan
    Fortinet Ottawa
    #6
    AndreaSoliva
    RE: Exclude file from AV scanner 2014/09/25 04:05:49
    Hi

    Many thanks for the hint... if I set "ftgd-analytics" to suspicious I see the two options for bl and wl again. It seems that something went wrong during the upgrade. From this point of view the options on the 60D are back.

    Again many thanks for the hint :-)

    have fun

    Andrea
    #7
    hklb
    Re: RE: Exclude file from AV scanner 2017/03/15 08:17:09
    Hi,
     
    It's an old topic, but I am searching for how to whitelist an extension for AV scanning (all AV scanning). Does this feature work, or is it only for sandboxing?

    The help shows:
    analytics-wl-filetype Do not submit files matching this file-pattern table to the FortiSandbox. 
    analytics-bl-filetype Only submit files matching this file-pattern table to the FortiSandbox.

     
    Lucas
     
    #8
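    The help text quoted in #8 says the `analytics-wl-filetype` list controls FortiSandbox submission. As an added example (not code from any poster or from Fortinet), the script below reads a configuration backup and reports, per AV profile, which file patterns that list withholds from submission. The function names and the sample configuration are constructed for illustration, and the backup layout with `next` between entries is an assumption based on the syntax shown in this thread.

```python
import shlex

# Constructed sample laid out like a FortiOS config backup (not from a real device).
SAMPLE_CONFIG = '''
config antivirus profile
    edit "web-av"
        set ftgd-analytics suspicious
        set analytics-wl-filetype 3
    next
end
config dlp filepattern
    edit 3
        config entries
            edit "allowedfile.zip"
                set filter-type pattern
            next
            edit "*.exe"
                set filter-type pattern
            next
        end
    next
end
'''

def parse_config(text):
    """Turn config/edit/set/next/end nesting into nested dicts."""
    root = {}
    stack = [("config", root)]  # (kind, node) pairs, innermost last
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        kind, node = stack[-1]
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], node.setdefault(" ".join(tok[1:]), {})))
        elif tok[0] == "set":
            node[tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):
            if tok[0] == "end" and kind == "edit":  # "end" typed inside an edit closes it too
                stack.pop()
            stack.pop()
    return root

def sandbox_exclusions(cfg):
    """AV profile name -> file patterns on its analytics-wl-filetype list."""
    lists = cfg.get("dlp filepattern", {})
    return {name: sorted(lists.get(prof["analytics-wl-filetype"], {}).get("entries", {}))
            for name, prof in cfg.get("antivirus profile", {}).items()
            if "analytics-wl-filetype" in prof}
```

    On the sample, `sandbox_exclusions(parse_config(SAMPLE_CONFIG))` lists `*.exe` and `allowedfile.zip` for `web-av`; an executable wildcard on such a list is worth reviewing.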
    Mantiakapra
    Re: Exclude file from AV scanner 2018/08/09 20:08:50
    Hello,
     
    I have a FortiGate 100E with FortiOS 6.0.2 GA, but there is no command set file-type.
    I also have a FortiWiFi 90D with 6.0.2 OS, and there set file-type is a correct command. Where did we fail?
    I attach a JPEG with the output.
     
    Thanks,
    Anatoliy Kim


    #9