In FortiOS, several AntiVirus (AV) scanning inspection modes available. Which modes are available depends on the firmware version. FortiOS 5.0 includes proxy and flow-based virus scanning. FortiOS 5.2 also uses proxy-based and flow-based scanning, but the flow-based mode in FortiOS 5.2 uses a new approach to flow-based scanning (that is sometimes called deepflow or deep flow scanning). FortiOS 5.4 adds another flow-based mode, quick mode, to inspect traffic efficiently. These modes are also available in FortiOS 5.6.
AV Scanning 101
AntiVirus scanning examines files in HTTP, HTTPS, email, and FTP traffic for threats as they pass through your FortiGate unit. If the AV scanner finds a threat such as a virus or some other malware, FortiOS protects your network by blocking the file.
FortiOS includes a number of AntiVirus features that make virus scanning more user-friendly. One of these features, called replacement messages, sends a customizable message to anyone whose file is blocked by AV scanning, to explain what happened and why. Other features make communication between the client and the server more seamless. The availability of these changes depending on the inspection mode.
Proxy-based AV scanning
Proxy-based AV scanning is the more feature-rich AV scanning mode. This mode uses a proxy to manage the communication between client and server. The proxy extracts content packets from the data stream as they arrive and buffers the content until the complete file is assembled. Once the file is whole, the AV scanner examines the file for threats. If no threats are found, the file is sent to its destination. If a threat is found, the file is blocked.
Because proxy-based scanning is applied to complete files it provides very effective threat detection. Proxy-based scanning also supports the a full range of features, including replacement messages and client comforting, making proxy-based scanning the most user-friendly inspection mode. In addition the proxy manages the communication between the client and the server, so communication is cleaner.
Proxy-based scanning inspects all files under the oversized threshold. This threshold is 10 MB by default but can be reconfigured. Any files larger than the threshold are considered oversized and not inspected.
Flow-based AV scanning
Although the name “flow-based scanning” is used in both FortiOS 5.0 and 5.2, the two different versions handle this mode in very different ways.
Flow AV in FortiOS 5.0
In FortiOS 5.0, flow-based AV scanning scans the content of individual data packets as they pass through the FortiGate. There is no proxy involved so packets are not changed by the proxy and files are not buffered for analysis. Potentially less memory and CPU resources are used, resulting in a potential performance increase compared to using proxy-based mode. FortiOS 5.0 flow-based AV scanning is also not limited by file size.
Flow AV uses the IPS engine and the AV database and is effective at many kinds of threat detection; however, because it can only analyze what is in an individual packet rather than a complete file, flow-based scanning cannot detect some types of malware, including polymorphic code. Malware in documents, compressed files, and some archives are also less likely to be detected.
Flow AV does not actually block files, it stops delivering the rest of the file once a threat has been detected. This means that parts of the file may already have been delivered when the threat has been detected and the recipient application is responsible for dealing with the partially complete content.
In addition flow AV can be less user-friendly. Replacement messages are not supported and clients may have to wait for sessions to time out without knowing why content has been blocked.
Flow AV in FortiOS 5.2 (deepflow or deep flow)
FortiOS 5.2 introduced a new type of flow-based AV scanning, that is sometimes called deepflow or deep flow, and that takes a hybrid approach where content packets are buffered while simultaneously being sent to their destination. When all of the files packets have been collected and buffered, but before the final packet is delivered, the buffered file is scanned. If a threat is found, the last packet is blocked and the client application has to deal with not getting the completed file. If no threat is found the final packet is sent and the user gets their file.
Deepflow AV scanning is as good as proxy-based AV scanning at detecting threats. There may be a small performance advantage over proxy-based AV as files get larger based on the difference between sending the whole file after analysis and just sending the last packet. Deepflow’s most notable limitation is that, just like the flow-based AV in 5.0, it does not support many of the user-friendly features provided by proxy-based AV.
Flow AV in FortiOS 5.4 and later
In FortiOS 5.4 and later, there are two modes available for flow-based inspection: full and quick. Full mode is the same as flow-based scanning in FortiOS 5.2. Quick mode uses a compact antivirus database and advanced techniques to improve performance.