The full file-based antivirus module is the software subsystem on the gateway device that scans selected application-layer traffic to protect users from virus attacks and to prevent viruses from spreading. It consists of a virus signature database, an application proxy, the scan manager, and the scan engine.
Kaspersky Lab provides the scan engine, and scanning proceeds as follows. A client establishes a TCP connection with a server and starts a transaction. If the application protocol in question is marked for antivirus scanning, the traffic is forwarded to an application proxy for parsing. When a scan request is sent, the scan engine scans the data against the virus pattern database. The scan manager monitors antivirus scanning sessions, checking the properties of the data content against the configured antivirus settings, and handles the result once scanning completes.
The Kaspersky Lab scan engine supports two types of file scanning.
The Kaspersky Lab scan engine supports two modes of scanning.
You can turn antivirus scanning on and off per protocol. If scanning for a protocol is disabled in an antivirus profile, there is no application intelligence for that protocol, so in most cases traffic using it is not scanned. However, if that protocol is carried over another protocol for which scanning is enabled in the profile, the traffic is scanned as the enabled protocol.
When scanning content, you can use a file extension list to define the set of extensions that apply in file extension scan mode (scan-by-extension). The antivirus module then scans only files whose extension appears on the scan-extension list; a file whose extension is not on the list is not scanned in this mode. A file with no extension at all is scanned. Keep in mind that the extension is taken from the file name the sender supplies, so scan-by-extension is a weaker guarantee than scanning every file.
There are some requirements to note when using a file extension list to scan content.
```
edit security utm {
    custom-objects {
        filename-extension {              # set of lists
            name <extension-list-name>;   # mandatory
            value <windows-extension-string>;
        }
    }
}
```
```
edit security utm feature-profile anti-virus kaspersky-lab-engine
profile <name> {
    scan-options {
        scan-extension <ext-list>;
    }
}
```
By default, intelligent prescreening is enabled to improve antivirus scanning performance. Normally the antivirus module begins to scan data only after the gateway device has received all packets of a file. With intelligent prescreening, the scan engine examines the first packet or the first several packets to judge whether the file could contain malicious code; if that quick check finds infection unlikely, the file bypasses the normal full scan.
Note: Intelligent prescreening is only intended for use with non-encoded traffic. It is not applicable for MIME encoded traffic, mail protocols (SMTP, POP3, IMAP) and HTTP POST.
The signature database used by full file-based antivirus protection is the Juniper Full antivirus database (downloaded by the pattern-update command). It is a different database from the one used by express antivirus, and it covers viruses (including polymorphic and other advanced virus types), worms, Trojans, and other malware.
Because of resource constraints, there is a default, device-dependent limit on the maximum content size the scan engine will scan. The limit is configurable, within a lower and upper bound that is device dependent and cannot be changed.
The content size check occurs before the scan request is sent; exactly when depends on the protocol. If the protocol header carries an accurate content-length field, the check happens when that field is extracted during header parsing, and content size then usually means file size. If there is no content-length field, the size is checked while the antivirus module receives packets, and content size means the accumulated TCP payload size.
Note: This setting can be used in all protocols.
```
edit security utm feature-profile anti-virus kaspersky-lab-engine
profile <name> {
    scan-options {
        content-size-limit <KB>;
    }
}
```
The decompression layer limit specifies how many layers of nested compressed files, and of files with internal extractable objects such as archive files (tar) and MS Word and PowerPoint files, the internal antivirus scanner decompresses before it runs the virus scan. For example, if a message contains a compressed .zip file that itself contains another .zip file, there are two compression layers, and decompressing both requires a decompress layer setting of 2.
During data transfer some protocols apply content encoding. The scan engine must decode this layer before it scans for viruses, and that decoding counts as one decompression level.
There are three kinds of compressed data:
A decompression layer can be one layer of a zipped file or an embedded object in packaged data. The antivirus engine scans each layer before unpacking the next, until it reaches the user-configured decompress limit, reaches the device decompress layer limit, finds a virus or other malware, or decompresses the data completely, whichever comes first.
As the virus signature database grows and scan algorithms become more sophisticated, the scan engine can look deeper into data for embedded malware and uncover more layers of compressed data. The depth of protection the device provides is bounded by the decompress limit, which depends on the memory allocated to the security service. If a virus is not found within the decompress limit, you can choose whether to pass or drop the data.
Note: This setting can be used in all protocols.
```
edit security utm feature-profile anti-virus kaspersky-lab-engine
profile <name> {
    scan-options {
        decompress-layer-limit <num>;
    }
}
```
The scanning timeout value includes the time frame from when the scan request is generated to when the scan result is returned by the scan engine. The time range can be 1 to 1800 seconds. By default, it is 180 seconds.
Note: This timeout parameter is used by all supported protocols. Each protocol can have a different timeout value.
```
edit security utm feature-profile anti-virus kaspersky-lab-engine
profile <name> {
    scan-options {
        timeout-value <sec>;
    }
}
```
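The scan options described above (extension list, content size limit, decompression layer limit and scan timeout) pulled together as one working configuration in Junos `set` syntax. This is an added example, not configuration from the original page: the names `av-exts` and `av-full`, the extension values and the numeric limits are illustrative choices, the `fallback-options` lines are assumed knobs that the page does not show, and the `#` lines are explanatory comments for the reader.

```junos
# Added example, not from the original page. Names and values are illustrative.

# Extension list used by scan-by-extension: a file whose extension is on the list
# is scanned, a file with an unlisted extension is not, and a file with no
# extension at all is always scanned.
set security utm custom-objects filename-extension av-exts value [ exe dll scr com zip rar doc xls ]

# Full file-based (Kaspersky Lab engine) antivirus profile
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-full scan-options scan-extension av-exts
# Content above 10000 KB is not scanned; the size is taken from content-length when
# the header has one, otherwise from the accumulated TCP payload.
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-full scan-options content-size-limit 10000
# Unpack at most three nested layers (a content-encoding layer counts as one)
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-full scan-options decompress-layer-limit 3
# Abandon a scan request that has not returned a result within 180 seconds
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-full scan-options timeout-value 180

# Assumed knobs (not shown on the page): what to do with content the engine could not
# fully scan. Fail closed rather than pass unscanned data.
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-full fallback-options content-size block
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-full fallback-options decompress-layer block
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-full fallback-options timeout block

commit

# Operational checks: engine state and pattern database, a manual pattern update,
# and counters to confirm traffic is actually being scanned.
show security utm anti-virus status
request security utm anti-virus kaspersky-lab-engine pattern-update
show security utm anti-virus statistics
```

The profile on its own scans nothing; it takes effect only once a UTM policy binds it to protocols and a firewall policy applies that UTM policy to traffic.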
The antivirus module allows you to configure scanning options on a global level, on a UTM profile level, or on a firewall policy level. Each configuration level has the following implications:
The majority of antivirus settings are configured within an antivirus profile, bound to specified protocols, and used by designated policies. These UTM policies are then applied to the traffic according to firewall policies. If a firewall policy with an antivirus setting matches the properties of a traffic flow, the antivirus setting is applied to the traffic session. Therefore, you can apply different antivirus settings for different protocols and for different traffic sessions.
Global settings are general overall configurations for the antivirus module or settings that are not specific for profiles.
Global antivirus setting CLI example:
```
edit security utm feature-profile anti-virus kaspersky-lab-engine
```
Profile-based antivirus setting CLI example:
```
edit security utm feature-profile anti-virus kaspersky-lab-engine profile <name>
```
The following is an example of different antivirus settings applied to different protocols configured as profiles within a designated UTM policy:
```
edit security utm {
    utm-policy <name> {
        anti-virus {
            http-profile <av-profile>;
            ftp {
                upload-profile <av-profile>;
                download-profile <av-profile>;
            }
            smtp-profile <av-profile>;
            pop3-profile <av-profile>;
            imap-profile <av-profile>;
        }
    }
}
```
A malicious user might generate a large amount of traffic at once in an attempt to consume all available resources and hinder the scan engine's ability to scan other traffic. To prevent this, a session throttle is imposed on antivirus resources, restricting the amount of traffic a single source can consume at one time. The limit is an integer, 100 by default, giving the maximum number of sessions allowed from a single source. You can change this default, but a very high limit is effectively no limit.
Over-limit is the fallback setting for the sessions-per-client limit. By default, over-limit blocks sessions. This is a per-policy setting, so you can specify different settings for different UTM policies.
```
edit security utm utm-policy <name>
traffic-options {
    sessions-per-client {
        limit <number>;
        over-limit { log-and-permit | block };
    }
}
```
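The UTM policy layer described above (per-protocol profile binding and the per-source session throttle) as a complete, committable configuration in Junos `set` syntax, including the firewall policy that applies the UTM policy to traffic. This is an added example, not configuration from the original page: the profile names `av-web` and `av-mail`, the policy names, and the `trust`/`untrust` zones are illustrative assumptions, and the `#` lines are comments for the reader.

```junos
# Added example, not from the original page. Names and zones are illustrative.

# Two minimal Kaspersky Lab engine profiles so the example stands alone
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-web scan-options timeout-value 180
set security utm feature-profile anti-virus kaspersky-lab-engine profile av-mail scan-options decompress-layer-limit 4

# UTM policy: a profile per protocol. A protocol with no profile here has no
# application intelligence and is not scanned unless it rides over a scanned one.
set security utm utm-policy utmp-av anti-virus http-profile av-web
set security utm utm-policy utmp-av anti-virus ftp upload-profile av-web
set security utm utm-policy utmp-av anti-virus ftp download-profile av-web
set security utm utm-policy utmp-av anti-virus smtp-profile av-mail
set security utm utm-policy utmp-av anti-virus pop3-profile av-mail
set security utm utm-policy utmp-av anti-virus imap-profile av-mail

# Per-source session throttle. 100 is the default; it is set explicitly here so the
# intent survives review. over-limit block fails closed; log-and-permit would let a
# source that floods the engine keep opening sessions.
set security utm utm-policy utmp-av traffic-options sessions-per-client limit 100
set security utm utm-policy utmp-av traffic-options sessions-per-client over-limit block

# Firewall policy that applies the UTM policy to matching flows (assumed zones).
# Restricting the match to the scanned applications keeps unrelated traffic out of
# the proxy.
set security policies from-zone trust to-zone untrust policy trust-to-untrust-av match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust-av match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust-av match application [ junos-http junos-ftp junos-smtp junos-pop3 junos-imap ]
set security policies from-zone trust to-zone untrust policy trust-to-untrust-av then permit application-services utm-policy utmp-av

commit
```

Because the throttle and over-limit action live on the UTM policy rather than the profile, you can attach a stricter policy (lower limit, `block`) to an untrusted zone pair and a more permissive one (`log-and-permit`) to an internal zone pair that the same profiles serve.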