What's the difference between "extended" and "extreme" AV databases on FortiGates?
💡 This is part of an ongoing series on cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.
The FortiGate AV scanning engine relies on virus definitions (signatures) for its traditional, signature-based analysis. These signatures are stored in AV databases. Depending on the firewall model in use (and its system resources), a few different options may be available:
- Normal - This database is now deprecated (see the resources below).
- Extended - This is the new default database.
  - It contains information about "currently spreading viruses as determined by the FortiGuard Global Security Research Team".
  - These are typically viruses that have been active within the past year.
- Extreme - This is an optional, larger database.
  - It includes everything in the extended database plus a large collection of "zoo viruses" (viruses that are largely inactive).
  - It is usually only available on high-end FortiGate models (e.g. 6000 series, 7000 series, virtual machines, etc.).
  - The platform restriction is due to resource requirements: a larger AV DB means more memory and CPU are needed to scan efficiently.
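As an added example (not code from the original post), a small Python audit of a FortiGate configuration backup that reports which AV database is selected and flags the two cases worth a second look: the deprecated Normal DB, and the Extreme DB on a platform whose capacity should be confirmed. The `config antivirus settings` / `set default-db` CLI block and the `#config-version` header layout are assumptions (the page does not show the CLI), and the sample backup is constructed.

```python
"""Audit a FortiGate config backup for its antivirus database selection."""
import re

# Constructed sample backup; the header and block layout are assumed to follow
# the usual FortiOS text export format (not shown on the page).
SAMPLE_BACKUP = """\
#config-version=FGT60F-7.0.12-FW-build0523-230828:opmode=0:vdom=0:user=admin
config system global
    set hostname "branch-fw"
end
config antivirus settings
    set default-db extreme
    set grayware enable
end
"""


def parse_model(config_text: str) -> str:
    """Return the platform token from the #config-version header (e.g. FGT60F)."""
    m = re.search(r"^#config-version=([A-Za-z0-9]+)-", config_text, re.M)
    return m.group(1) if m else "UNKNOWN"


def parse_av_db(config_text: str) -> str:
    """Return the default-db value; an unset value means the default, extended."""
    block = re.search(r"^config antivirus settings\n(.*?)^end", config_text, re.M | re.S)
    if block:
        m = re.search(r"^\s*set default-db (\w+)", block.group(1), re.M)
        if m:
            return m.group(1).lower()
    return "extended"


def audit(config_text: str) -> list[str]:
    """Return human-readable findings about the AV database setting."""
    model, db = parse_model(config_text), parse_av_db(config_text)
    findings = []
    if db == "normal":
        findings.append(f"normal DB on {model} is deprecated; move to extended")
    elif db == "extreme":
        findings.append(
            f"extreme DB on {model}: confirm the platform supports it and has "
            "the memory/CPU headroom for the larger database"
        )
    else:
        findings.append(f"extended DB on {model}: default, no action needed")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_BACKUP):
        print(line)
```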
For more information, check out these resources:
- Databases | Administration Guide
- Antivirus uses extended DB by default