“The only security features you can apply using SSL certificate inspection mode are web filtering and application control... certificate inspection does not allow FortiGate to inspect the flow of encrypted data.”

“For antivirus or IPS control, you should use a deep-inspection profile.”

“Within the full SSL inspection profile, you can also specify which SSL sites, if any, you want to exempt from SSL inspection.”

Technical Deep Dive:

The correct answers are A and B .

A is correct because if the firewall policy uses certificate inspection , FortiGate can inspect certificate/SNI metadata only. It cannot decrypt the HTTPS payload, so the antivirus engine never sees the EICAR file contents. That means HTTPS malware scanning fails even though HTTP scanning works.

B is also correct because if the destination site is exempt from SSL inspection , FortiGate intentionally skips decryption for that HTTPS session. Again, no payload decryption means no antivirus content scan.

Why the others are wrong:

C is not the likely reason here, especially for EICAR, which is a very small test file.

D would usually cause browser certificate warnings or connection issues during deep inspection, not a clean download that bypasses AV inspection.

Operationally, HTTPS antivirus requires this chain to be true:

firewall policy match → SSL deep inspection active → site not exempted → AV profile applied .

If either certificate-inspection is used or the site is exempted, FortiGate cannot inspect the encrypted file body.