
Example: Configure Avira Antivirus

 

In this example, you’ll learn how to configure Avira antivirus on your security device. This topic covers using the default antivirus profile and a customized antivirus profile to protect your network from harmful content such as infected files, trojans, worms, spyware, and other malicious data.

Requirements

Before you begin:

We’ve tested this example using an SRX1500 device with Junos OS Release 18.4R1.

Overview

Let’s take a look at a typical enterprise network. An end user unknowingly visits a compromised website and downloads malicious content. This compromises the endpoint, and the harmful content on the endpoint then becomes a threat to other hosts within the network. It is important to prevent the download of the malicious content in the first place.

You can use an SRX Series device with Avira antivirus to protect users from virus attacks and to prevent viruses from spreading through your network. Avira antivirus scans network traffic for viruses, trojans, rootkits, and other types of malicious code and blocks the malicious content as soon as it is detected.

Figure 1 shows Avira antivirus in use on an SRX Series device.

Figure 1: Avira Antivirus on SRX Series

In this example, you’ll learn how to configure Avira antivirus on your security device. You have two options: use the Juniper Networks default antivirus profile, or configure a custom antivirus profile.

Configuration

Use Default Antivirus Profile to Start Antivirus Scanning

You can enable the Juniper Networks pre-configured antivirus profile. When you use the default antivirus feature profile, you don’t have to configure any additional parameters. In this procedure, you create a UTM policy that uses the default antivirus profile for all protocols and apply the UTM policy in a security policy for the permitted traffic.

Step-by-Step Procedure

To use the default antivirus profile, complete the following steps:

  1. Enable Avira antivirus scan on your security device.

    After configuring Avira as the antivirus type, reboot the device for the new scan engine to take effect.

  2. Select default antivirus profile for HTTP, FTP, SMTP, POP3, and IMAP protocols.
  3. Apply the UTM policy to the security policy.
  4. Commit the configuration.
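The four steps above as one complete sequence of Junos OS set commands. This is an added example, written from the Junos OS UTM CLI as documented for this release family, not the command listing of the original page. The UTM policy name UTM-AV-Policy and the pre-configured profile junos-av-defaults are the page's own names; the zone names trust and untrust and the security policy name allow-scanned are assumptions to adapt to your network. Lines beginning with # are explanatory comments; remove them before pasting into the CLI at the [edit] hierarchy level.

```junos
# Step 1: select Avira as the on-box antivirus engine.
# The new engine only loads after a reboot (see the note below).
set security utm default-configuration anti-virus type avira-engine

# Step 2: UTM policy that sends every supported protocol to the
# Juniper pre-configured profile junos-av-defaults.
# FTP is split into upload and download directions.
set security utm utm-policy UTM-AV-Policy anti-virus http-profile junos-av-defaults
set security utm utm-policy UTM-AV-Policy anti-virus ftp upload-profile junos-av-defaults
set security utm utm-policy UTM-AV-Policy anti-virus ftp download-profile junos-av-defaults
set security utm utm-policy UTM-AV-Policy anti-virus smtp-profile junos-av-defaults
set security utm utm-policy UTM-AV-Policy anti-virus pop3-profile junos-av-defaults
set security utm utm-policy UTM-AV-Policy anti-virus imap-profile junos-av-defaults

# Step 3: apply the UTM policy as an application service on the
# security policy that permits the traffic (zones and policy name assumed).
# Traffic that does not match this policy is not scanned.
set security policies from-zone trust to-zone untrust policy allow-scanned match source-address any
set security policies from-zone trust to-zone untrust policy allow-scanned match destination-address any
set security policies from-zone trust to-zone untrust policy allow-scanned match application any
set security policies from-zone trust to-zone untrust policy allow-scanned then permit application-services utm-policy UTM-AV-Policy

# Step 4: commit the configuration.
commit
```

After the commit, reboot the device (request system reboot from operational mode) so that the Avira scan engine takes effect, then confirm with show security utm anti-virus status that the scan engine type reported is Avira. Keep in mind that only traffic matched by a security policy carrying the utm-policy application service is scanned; a permit rule without it bypasses antivirus entirely.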

You can also watch the video Avira Antivirus Solution on SRX Series Devices to learn about installing and using Avira antivirus on your security device.

Configure Avira Antivirus Scanning Options

Step-by-Step Procedure

In this procedure, you’ll perform optional steps to prepare your security device to use Avira antivirus.

  1. Manually update the virus signature database and specify the URL of the database server. If you do not specify a URL, the default URL https://update.juniper-updates.net/avira is used; by default, your security device downloads the pattern updates from that location. The location of the virus pattern database depends on your SRX Series mode.

    This step downloads the pattern and engine files from the specified URL.

  2. Set the interval at which the device regularly downloads antivirus pattern updates.

    The default antivirus pattern-update interval is 1440 minutes (every 24 hours). In this step, you change it from every 24 hours to every 48 hours.

  3. Send an e-mail notification when the pattern update completes.
  4. (Optional) Configure the pattern update to go through a proxy profile.

    Use this option when the devices in your internal network do not have direct access to the Internet and can reach it only through a proxy server.

  5. (Optional) Set on-box antivirus to heavy mode.

    This step allocates additional resources for improved performance.

    To use the antivirus scan in light mode, use the delete chassis onbox-av-load-flavor heavy command. Reboot the device once you change the modes.

  6. (Optional) Change the operating mode from the default continuous delivery function (CDF) mode to hold mode. In hold mode, the system holds all packets of a transfer until the final scan result is available.

    For more details on CDF mode and Inline Tap mode, see forwarding-mode.
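The six scanning options above as one set of commands. This is an added example based on the Junos OS UTM CLI for the avira-engine and is not part of the original page; the update URL is the page's default, while the administrator e-mail address, the message texts, the proxy profile name av-update-proxy and its host 192.0.2.10:3128 are constructed placeholders. The pattern-update proxy-profile and forwarding-mode statements are given as the editor knows them for this release family; confirm the exact hierarchy with ? completion on your device before relying on them. Lines beginning with # are comments; remove them before pasting.

```junos
# Step 1: pattern-update source. The URL shown is the documented default,
# so this line only changes behaviour if you point at an internal mirror.
set security utm default-configuration anti-virus avira-engine pattern-update url https://update.juniper-updates.net/avira

# Step 2: download pattern updates every 48 hours (2880 minutes)
# instead of the 1440-minute default.
set security utm default-configuration anti-virus avira-engine pattern-update interval 2880

# Step 3: e-mail the administrator when a pattern update completes
# (address and texts are placeholders).
set security utm default-configuration anti-virus avira-engine pattern-update email-notify admin-email av-admin@example.com custom-message "Avira pattern update finished" custom-message-subject "SRX antivirus pattern update"

# Step 4 (optional): reach the update server through an HTTP proxy.
# The proxy profile lives under [edit services] and is referenced by name.
set services proxy-profile av-update-proxy protocol http host 192.0.2.10 port 3128
set security utm default-configuration anti-virus avira-engine pattern-update proxy-profile av-update-proxy

# Step 5 (optional): heavy mode allocates more resources to the scan engine.
# Revert with: delete chassis onbox-av-load-flavor heavy (reboot after either change).
set chassis onbox-av-load-flavor heavy

# Step 6 (optional): hold mode withholds packets until the final verdict,
# instead of the default CDF mode that delivers content while scanning.
set security utm default-configuration anti-virus forwarding-mode hold

commit
```

To trigger the manual update from Step 1, leave configuration mode after the commit and run request security utm anti-virus avira-engine pattern-update from operational mode; then check the Last result and Pattern update status fields of show security utm anti-virus status. Hold mode gives a stricter verdict-before-delivery guarantee at the cost of latency on large transfers, so pair it with a sensible content-size limit and time-out in the antivirus profile.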

Configure Avira Antivirus Scanning with Custom Profile

You must complete the steps as in Table 1 to configure Avira antivirus with custom options on your security device.

Table 1: Steps for Avira Antivirus Scanning Using Custom Profile (Step and Details)

Step 1: Define custom objects

In this step, you will define antivirus scanning options:

  • MIME allowlist—Include the MIME types of traffic that you want to bypass antivirus scanning.

  • MIME exception list—Specify MIME types to exclude from the MIME allowlist so that they are still scanned.

  • Custom URL categories—Define URLs for which you want to bypass antivirus scanning.

Alternatively, you can use the default list junos-default-bypass-mime.

Step 2: Create antivirus feature profile

  • Apply MIME list, exception list, and custom URL category created in step 1 to the antivirus feature profile.

  • Configure antivirus scanning settings such as data file update interval, notification options for administrators, fallback options, and file size limits.

Step 3: Create UTM policy

Associate the antivirus profile created in Step 2 for FTP, HTTP, POP3, SMTP, and IMAP traffic. UTM policies control which protocol traffic is sent to the antivirus scanning engine.

Step 4: Apply UTM policy to a security policy

Specify UTM policy as application services in the security policy. The UTM antivirus settings are applied for the traffic that matches the security policy rules.

See scan-options and trickling to learn about the scanning configuration parameters available for the antivirus feature.

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Note

The [edit security utm feature-profile] hierarchy level is deprecated in Junos OS Release 18.2R1. For more information, see UTM Overview.

Step-by-Step Procedure

To configure the on-device antivirus feature profile using the CLI:

  1. Enable Avira antivirus scan on your security device if you have not already done so.

    After configuring Avira as the antivirus type, reboot the device for the new scan engine to take effect.

  2. Create custom objects.
  3. Create the antivirus profile.
  4. Configure a list of fallback options.

    Fallback options specify the actions to take when traffic cannot be scanned.

  5. Configure notification options for fallback blocking actions.
  6. Configure the antivirus module to use MIME bypass lists and exception lists.
  7. Configure the antivirus module to use URL bypass lists. URL allowlists are valid only for HTTP traffic. In this example you use the lists that you set up earlier.
  8. Configure a UTM policy and attach the antivirus feature profile Avira-AV-Profile to it.
  9. Configure a security policy and apply the UTM policy UTM-AV-Policy as application services for the permitted traffic.
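Steps 2 through 9 above (and the Table 1 custom objects) as one complete set-command sequence, assuming Step 1 has already been done. This is an added example based on the Junos OS UTM CLI and not the command listing of the original page. The profile name Avira-AV-Profile and the UTM policy name UTM-AV-Policy are the page's; the custom object names (av-mime-bypass, av-mime-exception, av-url-bypass, av-url-category), the MIME types, the URL pattern, the message texts, the zone names and the security policy name allow-scanned are constructed. Note that in this release the CLI keywords for the allowlists are mime-whitelist and url-whitelist. Lines beginning with # are comments; remove them before pasting.

```junos
# Step 2: custom objects. A MIME allowlist of types that skip scanning,
# an exception list of types that must still be scanned even though they
# match the allowlist, and a URL pattern wrapped in a custom URL category.
set security utm custom-objects mime-pattern av-mime-bypass value video/quicktime
set security utm custom-objects mime-pattern av-mime-bypass value image/x-portable-anymap
set security utm custom-objects mime-pattern av-mime-exception value video/quicktime-inappropriate
set security utm custom-objects url-pattern av-url-bypass value http://updates.example.com
set security utm custom-objects custom-url-category av-url-category value av-url-bypass

# Step 3: the antivirus feature profile, with a file-size limit (KB) and
# a trickling time-out so large downloads do not stall while being scanned.
set security utm feature-profile anti-virus profile Avira-AV-Profile scan-options content-size-limit 20000
set security utm feature-profile anti-virus profile Avira-AV-Profile trickling timeout 180

# Step 4: fallback options, i.e. what happens when content cannot be scanned.
# log-and-permit keeps traffic flowing; use block where fail-closed is required.
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options default log-and-permit
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options content-size log-and-permit
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options engine-not-ready log-and-permit
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options out-of-resources log-and-permit
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options timeout log-and-permit
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options too-many-requests log-and-permit

# Step 5: notifications, both for detected viruses and for fallback blocking.
set security utm feature-profile anti-virus profile Avira-AV-Profile notification-options virus-detection type message
set security utm feature-profile anti-virus profile Avira-AV-Profile notification-options virus-detection custom-message "Virus detected and blocked by SRX antivirus"
set security utm feature-profile anti-virus profile Avira-AV-Profile notification-options fallback-block type message
set security utm feature-profile anti-virus profile Avira-AV-Profile notification-options fallback-block custom-message "Content could not be scanned and was blocked"

# Step 6: MIME bypass list plus its exception list.
set security utm feature-profile anti-virus profile Avira-AV-Profile mime-whitelist list av-mime-bypass
set security utm feature-profile anti-virus profile Avira-AV-Profile mime-whitelist exception av-mime-exception

# Step 7: URL bypass list (HTTP traffic only).
set security utm feature-profile anti-virus profile Avira-AV-Profile url-whitelist av-url-category

# Step 8: UTM policy that uses the custom profile for every protocol.
set security utm utm-policy UTM-AV-Policy anti-virus http-profile Avira-AV-Profile
set security utm utm-policy UTM-AV-Policy anti-virus ftp upload-profile Avira-AV-Profile
set security utm utm-policy UTM-AV-Policy anti-virus ftp download-profile Avira-AV-Profile
set security utm utm-policy UTM-AV-Policy anti-virus smtp-profile Avira-AV-Profile
set security utm utm-policy UTM-AV-Policy anti-virus pop3-profile Avira-AV-Profile
set security utm utm-policy UTM-AV-Policy anti-virus imap-profile Avira-AV-Profile

# Step 9: security policy that sends permitted traffic through the UTM policy.
set security policies from-zone trust to-zone untrust policy allow-scanned match source-address any
set security policies from-zone trust to-zone untrust policy allow-scanned match destination-address any
set security policies from-zone trust to-zone untrust policy allow-scanned match application any
set security policies from-zone trust to-zone untrust policy allow-scanned then permit application-services utm-policy UTM-AV-Policy

commit
```

Two points a reviewer would check in this configuration: every entry in the MIME allowlist and URL allowlist is traffic that will never be scanned, so keep those lists short and justified; and the fallback options decide whether the device fails open (log-and-permit) or closed (block) when the engine is not ready, the file exceeds the size limit, or scanning times out. After the commit, verify with show security utm and show security policies that the profile is referenced by the UTM policy and the UTM policy by the security policy.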

Results

From configuration mode, confirm your configuration by entering the show security utm, show services, and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To verify the configuration is working properly, use the following steps:

Obtaining Information About the Current Antivirus Status

Purpose

Action

From operational mode, enter the show security utm anti-virus status command to view the antivirus status.

Sample Output

user@host> show security utm anti-virus status

Meaning

  • Antivirus key expire date—The license key expiration date.

  • Update server—URL for the data file update server.

    • Interval—The time period, in minutes, at which the device updates the data file from the update server.

    • Pattern update status—When the data file will be updated next, displayed in minutes.

    • Last result—Result of the last update.

  • Antivirus signature version—Version of the current data file.

  • Scan engine type—The antivirus engine type that is currently running.

  • Scan engine information—Version of the scan engine.

Validate Avira Antivirus on Your Security Device

Purpose

Validate whether the Avira Antivirus solution is working on the SRX Series device.

Action

A safe way to test the antivirus capability is to download the standard EICAR test file from the Eicar.org website. Your security device displays an error message as shown when you try to download the file.

Figure 2: Validating Antivirus Solution

Meaning

The message indicates that your security device has blocked the malicious content.