FortiGuard outbreak prevention allows the FortiGate antivirus database to be supplemented with third-party malware hash signatures curated by FortiGuard. The hash signatures are obtained from external sources such as VirusTotal, Symantec, Kaspersky, and other third-party websites and services.
This feature provides the mechanism for antivirus to query FortiGuard with the hash of a scanned file. If FortiGuard returns a match from its many curated signature sources, the scanned file is deemed to be malicious.
In order for antivirus to work with an external block list, you must register the FortiGate with a FortiGuard outbreak prevention license and enable FortiGuard outbreak prevention in the antivirus profile.
Registration: Register your device and create an account online at: Enter the serial number of your Palo Alto Networks firewall and customer account number from your Order Summary. Entitlement will be verified and your Support Portal access will be available for online services. Once your account is created, you can either add additional users from your company or have your users self-register. You will be able to manage your firewalls by:
Create a case online (RECOMMENDED) at Include your Palo Alto Networks firewall serial number, problem description, severity, and attach relevant files and screenshots. When you submit your case, you will be offered a selection of articles, which may resolve your issue. If not, your case will be assigned to an engineer who will either contact you by phone or an email generated by comments added to your case. Your email replies will automatically append to the case. You may check the status of your case and provide comments at any time online. Call Support for Severity 1 (Network Down) issues. We recommend creating a case online and referring to the case number when calling. Please refer to Product Support phone numbers.
What happens when another non-Microsoft antivirus/antimalware solution is used? Can you run Microsoft Defender Antivirus alongside another antivirus product? The answers depend on several factors, such as your operating system and whether you're using Microsoft Defender for Endpoint together with your antivirus protection.
(1) On Windows Server, if you're running a non-Microsoft antivirus product, you can uninstall Microsoft Defender Antivirus to prevent conflict. If the device is onboarded to Microsoft Defender for Endpoint, you can use Microsoft Defender Antivirus in passive mode (see below).
(2) On Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, Microsoft Defender Antivirus doesn't enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, set Microsoft Defender Antivirus to passive mode to prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using a registry key as follows:
(3) On Windows Server 2016, Windows Server 2012 R2, Windows Server version 1803 or newer, Windows Server 2019, and Windows Server 2022, if you are using a non-Microsoft antivirus product on an endpoint that is not onboarded to Microsoft Defender for Endpoint, disable/uninstall Microsoft Defender Antivirus manually to prevent problems caused by having multiple antivirus products installed on a server.
Defender for Endpoint includes capabilities that further extend the antivirus protection that is installed on your endpoint. You can benefit from running Microsoft Defender Antivirus alongside another antivirus solution.
For example, Endpoint detection and response (EDR) in block mode provides added protection from malicious artifacts even if Microsoft Defender Antivirus is not the primary antivirus product. Such capabilities require Microsoft Defender Antivirus to be installed and running in passive mode or active mode.
Don't disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Defender for Endpoint, or the Windows Security app. This recommendation includes the wscsvc, SecurityHealthService, MsSense, Sense, WinDefend, or MsMpEng services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the Windows Security app.
In Defender for Endpoint, you can turn EDR in block mode on, even if Microsoft Defender Antivirus isn't your primary antivirus solution. EDR in block mode detects and remediates malicious items that are found on the device (post breach). To learn more, see EDR in block mode.
In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings that are configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products will apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as in the Microsoft Endpoint Manager admin center or the Microsoft Defender Antivirus app on the endpoint).
In passive mode, Microsoft Defender Antivirus isn't used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. However, threats can be remediated by Endpoint detection and response (EDR) in block mode. Files are scanned by EDR, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode.
When Microsoft Defender Antivirus is in passive mode, you can still manage updates for Microsoft Defender Antivirus; however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware.
Make sure to get your antivirus and antimalware updates, even if Microsoft Defender Antivirus is running in passive mode. See Manage Microsoft Defender Antivirus updates and apply baselines. Note that passive mode is only supported on Windows Server 2012 R2 & 2016 when the machine is onboarded using the modern, unified solution.
When disabled or uninstalled, Microsoft Defender Antivirus isn't used as the antivirus app. Files aren't scanned and threats aren't remediated. Disabling or uninstalling Microsoft Defender Antivirus isn't recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you're using a non-Microsoft antimalware/antivirus solution.
In cases where Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the non-Microsoft antivirus/antimalware product expires, is uninstalled, or otherwise stops providing real-time protection from viruses, malware, or other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to ensure that antivirus protection is maintained on your endpoints.
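The checks described above, as an added PowerShell example (not from the page or from Microsoft): it reports the Microsoft Defender Antivirus running mode, confirms that the services and processes the text says must not be stopped are present, and, with -SetPassive, forces passive mode on a server that is onboarded to Defender for Endpoint and runs a non-Microsoft antivirus. It assumes an elevated session with the Defender cmdlets available, and uses the ForceDefenderPassiveMode registry value under the Windows Advanced Threat Protection policy key, which the text refers to but does not name.

```powershell
<#
  Added example, not from the page or from Microsoft's documentation.
  Assumption: ForceDefenderPassiveMode under the Windows Advanced Threat
  Protection policy key is the documented registry setting; run elevated.
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$SetPassive)

# Services and processes the text lists as off-limits for manual changes.
$services  = 'wscsvc', 'SecurityHealthService', 'Sense', 'WinDefend'
$processes = 'MsSense', 'MsMpEng'

$status = Get-MpComputerStatus
[pscustomobject]@{
    AMRunningMode      = $status.AMRunningMode   # Normal, Passive Mode, EDR Block Mode, ...
    AntivirusEnabled   = $status.AntivirusEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    SignatureAgeHours  = [int]((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours
} | Format-List

foreach ($name in $services) {
    $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'not installed' }
    Write-Output ('service {0,-22} {1}' -f $name, $state)
}
foreach ($name in $processes) {
    $running = [bool](Get-Process -Name $name -ErrorAction SilentlyContinue)
    Write-Output ('process {0,-22} {1}' -f $name, $(if ($running) { 'running' } else { 'not running' }))
}

if ($SetPassive) {
    # Only meaningful when the device is onboarded to Defender for Endpoint and a
    # non-Microsoft antivirus provides real-time protection; signature updates
    # should keep flowing while Defender Antivirus sits in passive mode.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    if ($PSCmdlet.ShouldProcess($key, 'Set ForceDefenderPassiveMode = 1')) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name ForceDefenderPassiveMode -Value 1 -Type DWord
        Write-Output 'ForceDefenderPassiveMode set to 1; re-run without -SetPassive after a restart to confirm AMRunningMode.'
    }
}
```

Run it with -WhatIf to preview the registry change before applying it.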
Comprehensive device management helps control and block confidential data copied to USBs, flash drives, CD/DVDs, Apple iPods, and other removable storage devices. Device parameters such as product ID, vendor ID, serial number, device class, and device name can be specified and categorized. Furthermore, different policies, such as block or encrypt, can be enforced based on the content loaded onto the devices.
COMBO: A signatureless encryption protection technology that kills and stops any ransomware encryption outbreaks, universally compatible with any antivirus but achieving what traditional antivirus is incapable of.