On-Device Antivirus Scan Engine
The on-device antivirus scan engine scans the data by accessing the virus pattern database. It provides a full file-based antivirus scanning function that is available through a separately licensed subscription service. When your antivirus license key expires, you can continue to use the locally stored antivirus signatures without any updates. If you delete the local database, antivirus scanning is also disabled.
SRX Series On-Device Antivirus Scan Engine Overview
The antivirus module in the unified threat management (UTM) solution consists of a virus pattern database, an application proxy, a scan manager, and a configurable scan engine. The antivirus module on the SRX Series device scans specific application layer traffic to protect the user from virus attacks and to prevent viruses from spreading.
Starting in Junos OS Release 18.4R1, SRX Series devices support an on-device antivirus scanning engine. The scan engine, Avira, scans the data by accessing the virus pattern database. It provides a full file-based antivirus scanning function that is available through a separately licensed subscription service. When your antivirus license key expires, you can continue to use the locally stored antivirus signatures without any updates. If you delete the local database, antivirus scanning is also disabled.
You can download and install the antivirus scan engine on your SRX Series device either manually (using a flash memory device and the request security utm anti-virus avira-engine command) or by using the Internet to connect to a Juniper Networks-hosted URL or a user-hosted URL.
The virus pattern database is located at https://update.juniper-updates.net/avira. By default, the pattern updates are downloaded through the SRX Series devices.
Use the set security utm default-configuration anti-virus type avira-engine command to enable the antivirus scan engine. If the antivirus scan engine is not available on the device and cannot be downloaded from the predefined URL (https://update.juniper-updates.net/avira), use a user-hosted URL to locate the database files: set security utm default-configuration anti-virus avira-engine pattern-update url url. This command downloads the pattern and engine files from the user-hosted URL. After configuring Avira as the antivirus type, reboot the device for the new scan engine to take effect.
The antivirus engine on the SRX Series device does not scan the application traffic and instead follows its fallback logic under the following circumstances:
- The scan engine is not ready.
- There are too many scanning requests.
- The file size is larger than the configured limit.
- The compression level is too deep for compressed or archive files.
- The memory file system is full.
The on-device scan engine provides the following benefits:
- Minimizes processing delays, because the pattern database is stored locally and the scan engine runs on the device.
- Secures your data and provides up-to-date antivirus software that protects your system from viruses, trojans, rootkits, and other types of malicious code. With this scan engine, you can scan the application traffic locally without connecting to an Internet server to query whether the application traffic contains a virus.
Example: Configuring On-Device Antivirus Feature Profile
This example shows you how to configure an Avira antivirus profile that defines the parameters used for virus scanning.
Before you begin:
Verify that you have an Avira antivirus license. For more information on how to verify licenses on your device, see Understanding Licenses for SRX Series Devices.
In this example, you configure a custom Avira profile and configure MIME lists. This includes creating a MIME whitelist and a MIME exception list for antivirus scanning.
The following configuration defines Avira as the antivirus engine and sets parameters, such as the data file update interval, notification options for administrators, fallback options, and file size limits.
Select the anti-virus type. In this case, select avira-engine. Select a time interval for updating the data files.
Configure the network device with the proxy server details
Enable an e-mail notification with a custom message ("pattern file was updated") and a custom subject line ("AV pattern file updated").
Configure the notification options for fallback blocking for virus detection. Configure a custom message with a custom subject line.
Configure a list of fallback options as block, log and permit, or permit.
Configure notification options for fallback blocking, fallback nonblocking actions, and virus detection.
Configure content size parameters as 20000. The content size check occurs before the scan request is sent. The content size refers to accumulated TCP payload size.
Trickling applies only to HTTP. HTTP trickling is a mechanism used to prevent the HTTP client or server from timing out during a file transfer or during antivirus scanning.
Configure the antivirus module to use URL bypass lists. You can configure URL whitelists or blacklists for the URL lookups. A blacklist or a whitelist action type is a user-defined category in which all the URLs or IP addresses are always blocked or permitted and optionally logged. If the URL is in the user-configured blacklist, the device blocks the URL. If the URL is in the user-configured whitelist, the device permits the URL.
Configure a UTM policy, apply the feature profile to the UTM policy, and finally attach the UTM policy to the security policies whose traffic should be scanned.
This example shows how to create a custom Avira profile, feature profiles, and security policies.
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the  hierarchy level, and then enter commit from configuration mode.
To configure the on-device antivirus feature profile using the CLI:
The following example shows you how to download the Avira scan engine if it is not available on the device and how to create a custom Avira profile. If you want to use the Juniper Networks preconfigured profile, use the profile named junos-av-defaults in your UTM policy.
- Select and configure the engine type. Because you are configuring Avira antivirus, you configure avira-engine. After configuring the antivirus type to Avira, reboot the system for the new Avira scan engine to take effect.
user@host# set security utm default-configuration anti-virus type avira-engine
- (Optional) Configure the URL from which the Avira scan engine is downloaded. In most circumstances, you will not need to change the URL used to update the pattern database. If you do need to change this option to a customer-hosted URL, use the following command:
[edit security utm default-configuration anti-virus]
user@host# set avira-engine pattern-update url http://www.example.net/
- Select a time interval for updating the data files. The default antivirus pattern-update interval is 1440 minutes (every 24 hours). You can choose to leave this default, or you can change it. You can also force a manual update, if needed. To change the default from every 24 hours to every 48 hours:
[edit security utm default-configuration anti-virus]
user@host# set avira-engine pattern-update interval 2880
- (Optional) Configure the network device with the proxy server details, to download the pattern update from a remote server:
[edit security utm default-configuration anti-virus]
user@host# set avira-engine pattern-update proxy-profile <proxy-profile>
- You can configure the device to notify a specified administrator when data files are updated. This is an e-mail notification with a custom message and a custom subject line.
[edit security utm default-configuration anti-virus]
user@host# set avira-engine pattern-update email-notify admin-email email@example.com custom-message "Avira antivirus data file was updated" custom-message-subject "AV data file updated"
- (Optional) You can configure on-box antivirus (AV) to 'heavy' mode. If on-box AV is enabled and the following CLI command is deleted, the device enters 'light' mode.
user@host# set chassis onbox-av-load-flavor heavy
To improve the throughput of low-scan-cost files such as DOC files and large EXE files, the on-box AV load flavor light ratio is changed from 1/3 to 1/4, and the on-box AV load flavor heavy ratio is changed from 2/3 to 1/2.
If on-box AV is enabled, or if the set chassis onbox-av-load-flavor heavy command is added or removed, the system requests a reboot of the SRX Series device.
- Configure a list of fallback options as block, log and permit, or permit. The default setting is log-and-permit. You can use the default settings, or you can change them.
Configure the content size action. In this example, if the content size is exceeded, the action taken is block.
First create the profile named avira-prof1.
[edit security utm feature-profile anti-virus]
user@host# set profile avira-prof1
Configure the content size fallback option to block.
[edit security utm feature-profile anti-virus profile avira-prof1]
user@host# set fallback-options content-size block
Configure the default fallback option to log-and-permit.
[edit security utm feature-profile anti-virus profile avira-prof1]
user@host# set fallback-options default log-and-permit
Configure log-and-permit if the antivirus engine is not ready.
[edit security utm feature-profile anti-virus profile avira-prof1]
user@host# set fallback-options engine-not-ready log-and-permit
Configure log-and-permit if the device is out of resources.
[edit security utm feature-profile anti-virus profile avira-prof1]
user@host# set fallback-options out-of-resources log-and-permit
Configure log-and-permit if a virus scan timeout occurs.
[edit security utm feature-profile anti-virus profile avira-prof1]
user@host# set fallback-options timeout log-and-permit
Configure log-and-permit if there are too many requests for the virus engine to handle.
[edit security utm feature-profile anti-virus profile avira-prof1]
user@host# set fallback-options too-many-requests log-and-permit
- Configure notification options. You can configure notifications for fallback blocking, fallback nonblocking actions, and virus detection. In this step, configure a custom message for the fallback blocking action and send a notification for protocol-only actions to the administrator and the sender.
[edit security utm feature-profile anti-virus profile avira-prof1]
user@host# set notification-options fallback-block custom-message "Fallback block action occurred" custom-message-subject "Antivirus Fallback Alert" notify-mail-sender type protocol-only allow email administrator-email firstname.lastname@example.org
- Configure content size parameters.
When you configure the content-size value, keep in mind that in certain cases the content size is available in the protocol headers, so the max-content-size fallback is applied before a scan request is sent. However, in many cases the content size is not provided in the protocol headers. In these cases, the TCP payload is sent to the antivirus scanner and accumulates until the end of the payload. If the accumulated payload exceeds the maximum content size value, the max-content-size fallback is applied. The default fallback action is log and permit, so you may want to change this option to block, in which case such a packet is dropped and a block message is sent to the client.
In this example, if the content size exceeds 20 MB, the packet is dropped.
[edit security utm default-configuration anti-virus]
user@host# set scan-options content-size-limit 20000
- Configure the timeout setting for the scanning operation to 1800 seconds.
[edit security utm default-configuration anti-virus]
user@host# set scan-options timeout 1800
- Configure the trickling setting to 180 seconds. If you use trickling, you can also set timeout parameters. Trickling applies only to HTTP. HTTP trickling is a mechanism used to prevent the HTTP client or server from timing out during a file transfer or during antivirus scanning.
When you enable the trickling option, keep in mind that trickling might send part of a file to the client during its antivirus scan. It is therefore possible that some of the content could be received by the client before the file has been fully scanned.
[edit security utm default-configuration anti-virus]
user@host# set trickling timeout 180
- Configure the antivirus module to use MIME bypass lists and exception lists. You can use your own custom object lists, or you can use the default list that ships with the device, called junos-default-bypass-mime.
[edit security utm feature-profile anti-virus profile avira-prof1]
user@host# set mime-whitelist list avmime2
[edit security utm feature-profile anti-virus profile avira-prof1]
user@host# set mime-whitelist list exception-avmime2
- Configure the antivirus module to use URL bypass lists. If you are using a URL whitelist, this is a custom URL category you have previously configured as a custom object. URL whitelists are valid only for HTTP traffic. In this example you use the lists that you set up earlier.
[edit security utm feature-profile anti-virus profile avira-prof1]
user@host# set url-whitelist custurl2
- Configure a UTM policy for Avira antivirus by creating the UTM policy utmp3 and attaching it to the http-profile avira-prof1.
[edit security utm]
user@host# set utm-policy utmp3 anti-virus http-profile avira-prof1
You can use the default Avira feature profile settings by replacing avira-prof1 in the above statement with junos-av-defaults.
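The fallback-options and content-size steps above describe two decision paths: a size carried in protocol headers is checked before any scan request, while an unknown size is enforced on the payload as it accumulates in the scanner, and any condition without an explicit action falls through to the profile default. The following added example (not Juniper code; the profile dictionary and byte-based sizes are constructed for illustration, the real content-size-limit statement is in kilobytes) models that logic so the effect of each setting can be checked on sample transfers:

```python
"""Model of the SRX antivirus fallback logic described above (added example,
not Juniper code). Sizes are bytes here; the CLI statement uses kilobytes."""
from typing import Dict, Iterable, Optional

# Constructed profile mirroring the avira-prof1 fallback-options above.
AVIRA_PROF1_FALLBACK: Dict[str, str] = {
    "default": "log-and-permit",
    "content-size": "block",
    "engine-not-ready": "log-and-permit",
    "out-of-resources": "log-and-permit",
    "timeout": "log-and-permit",
    "too-many-requests": "log-and-permit",
}


def resolve_fallback(profile: Dict[str, str], condition: str) -> str:
    """Conditions with no explicit action fall through to 'default'."""
    return profile.get(condition, profile["default"])


def handle_transfer(profile: Dict[str, str], chunks: Iterable[bytes],
                    content_size_limit: int,
                    declared_length: Optional[int] = None,
                    engine_ready: bool = True) -> dict:
    """Decide whether a transfer is scanned or handled by a fallback action.

    declared_length models a size present in the protocol headers: the limit
    is then enforced before anything is handed to the scanner. Without it,
    TCP payload accumulates in the scanner until the end of the payload or
    until the configured limit is exceeded.
    """
    if not engine_ready:
        return {"action": resolve_fallback(profile, "engine-not-ready"),
                "scanned": False, "bytes_buffered": 0}
    if declared_length is not None and declared_length > content_size_limit:
        return {"action": resolve_fallback(profile, "content-size"),
                "scanned": False, "bytes_buffered": 0}
    buffered = 0
    for chunk in chunks:
        buffered += len(chunk)
        if buffered > content_size_limit:
            # Fallback applied mid-stream: with "block" the remainder is
            # dropped and the client receives a block message instead.
            return {"action": resolve_fallback(profile, "content-size"),
                    "scanned": False, "bytes_buffered": buffered}
    return {"action": "scan", "scanned": True, "bytes_buffered": buffered}


if __name__ == "__main__":
    # Constructed sample: six 4 KB chunks with no length header, 20000-byte limit.
    print(handle_transfer(AVIRA_PROF1_FALLBACK, [b"a" * 4096] * 6, 20000))
```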
Example: Configuring Firewall Security Policies
CLI Quick Configuration
Create a firewall security policy that causes traffic from the untrust zone to the trust zone to be scanned by the antivirus scan engine.
To configure a security policy for antivirus scan engine:
- Configure the untrust to trust policy to match any source-address.
[edit security]
user@host# set policies from-zone untrust to-zone trust policy p3 match source-address any
- Configure the untrust to trust policy to match any destination-address.
[edit security]
user@host# set policies from-zone untrust to-zone trust policy p3 match destination-address any
- Configure the untrust to trust policy to match any application type.
[edit security]
user@host# set policies from-zone untrust to-zone trust policy p3 match application any
- Configure the untrust to trust policy to attach the UTM policy to the security policy.
[edit security]
user@host# set policies from-zone untrust to-zone trust policy p3 then permit application-services utm-policy utmp3
From configuration mode, confirm your configuration by entering the show security utm, show services, and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Obtaining Information About the Current Antivirus Status
From operational mode, enter the show security utm anti-virus status command to view the antivirus status.
UTM anti-virus status:
    Update server: https://update.example-juniper.net/avira
        Interval: 360 minutes
        Pattern update status: next update in 236 minutes
        Last result: Downloading certs failed
    Scan engine type: avira-engine
    Scan engine information: 220.127.116.11
    Anti-virus signature version: 18.104.22.168
    Onbox AV load flavor: running heavy, configure heavy
Antivirus key expire date—The license key expiration date.
Update server—URL for the data file update server.
Interval—The time period, in minutes, when the device will update the data file from the update server.
Pattern update status—When the data file will be updated next, displayed in minutes.
Last result—Result of the last update.
Antivirus signature version—Version of the current data file.
Scan engine type—The antivirus engine type that is currently running.
Scan engine information—Version of the scan engine.
Understanding On-Device Antivirus Decompression Layer Limits
The Decompression Layer Limit is supported from Junos OS Release 18.4R1 onwards. The decompression layer limit specifies how many layers of nested compressed files and files with internal extractable objects, such as archive files (tar), MS Word, and PowerPoint files, the internal antivirus scanner can decompress before it executes the virus scan. For example, if a message contains a compressed .zip file that contains another compressed .zip file, there are two compression layers. Decompressing both files requires a decompress layer setting of 2.
It is worth noting that during the transfer of data, some protocols use content encoding. The antivirus scan engine must decode this layer, which is considered a decompression level, before it scans for viruses.
There are three kinds of compressed data:
compressed file (zip, rar, gzip)
encoded data (MIME)
packaged data (OLE, .CAP, .MSI, .TAR, .EML)
A decompression layer could be a layer of a zipped file or an embedded object in packaged data. The antivirus engine scans each layer before unpacking the next layer, until it either reaches the user-configured decompress limit, reaches the device decompress layer limit, finds a virus or other malware, or decompresses the data completely, whichever comes first.
As the virus signature database becomes larger and the scan algorithms become more sophisticated, the scan engine can look deeper into the data for embedded malware and, as a result, uncover more layers of compressed data. The Juniper Networks device's depth of inspection is bounded by the decompress limit, which is based on the memory allocated to the security service. If no virus is found within the decompress limit, the user can choose to either pass or drop the data.
This setting can be used in all protocols.
Configuring On-Device Antivirus Decompression Layer Limits (CLI Procedure)
The Decompression Layer Limit is supported from Junos OS Release 18.4R1 onwards. To configure decompression layer limits, use the following CLI configuration statements:
The default value of the decompression layer limit is three.
The range for the decompression layer is 0 through 10.