On-Device Antivirus Scan Engine

The on-device antivirus scan engine scans data by accessing the virus pattern database. It provides full file-based antivirus scanning, available through a separately licensed subscription service. When your antivirus license key expires, you can continue to use the locally stored antivirus signatures, but they no longer receive updates. If you delete the local database, antivirus scanning is also disabled.

SRX Series On-Device Antivirus Scan Engine Overview

The antivirus module in the unified threat management (UTM) solution consists of a virus pattern database, an application proxy, a scan manager, and a configurable scan engine. The antivirus module on the SRX Series device scans specific application layer traffic to protect the user from virus attacks and to prevent viruses from spreading.

Starting in Junos OS Release 18.4R1, SRX Series devices support an on-device antivirus scan engine. The scan engine, Avira, scans data by accessing the virus pattern database. It provides full file-based antivirus scanning, available through a separately licensed subscription service. When your antivirus license key expires, you can continue to use the locally stored antivirus signatures, but they no longer receive updates. If you delete the local database, antivirus scanning is also disabled.

You can download and install the antivirus scan engine on your SRX Series device either manually (using a flash memory device and the request security utm anti-virus avira-engine command) or by using the Internet to connect to a Juniper Networks-hosted URL or a user-hosted URL.

The virus pattern database is located at https://update.juniper-updates.net/avira. By default, the pattern updates are downloaded through the SRX Series devices.

Use the set security utm default-configuration anti-virus type avira-engine command to enable the antivirus scan engine. If the antivirus scan engine is not available on the device and cannot be downloaded from the predefined URL (https://update.juniper-updates.net/avira), use the set security utm default-configuration anti-virus avira-engine pattern-update url url command to point the device at a user-hosted URL; the pattern and engine files are then downloaded from that URL. After configuring Avira as the antivirus type, reboot the device for the new scan engine to take effect.

The antivirus engine on the SRX Series device does not scan the application traffic, and instead follows its configured fallback logic, under the following circumstances:

  • The scan engine is not ready.

  • There are too many scanning requests.

  • The file size is larger than the configured limit.

  • The compression level is too deep for compressed or archive files.

  • The memory file system is full.

Benefits

  • Minimizes processing delays, because the pattern database is stored locally and the scan engine runs on the device.

  • Secures your data and provides up-to-date antivirus software that protects your system from viruses, trojans, rootkits, and other types of malicious code. With this scan engine, you can scan application traffic locally without connecting to an Internet server to query whether the traffic contains a virus.

Example: Configuring On-Device Antivirus Feature Profile

This example shows you how to configure an Avira antivirus profile that defines the parameters used for virus scanning.

Requirements

Before you begin:

Overview

In this example, you configure a custom Avira profile and the MIME lists it uses, including a MIME whitelist and a MIME exception list for antivirus scanning.

The following configuration defines Avira as the antivirus engine and sets parameters, such as the data file update interval, notification options for administrators, fallback options, and file size limits.

  • Select the antivirus type; in this case, select avira-engine. Select a time interval for updating the data files.

  • Configure the network device with the proxy server details.

  • Enable an e-mail notification with the custom message "pattern file was updated" and the custom subject line "AV pattern file updated".

  • Configure the notification options for fallback blocking and for virus detection, with a custom message and a custom subject line.

  • Configure the fallback options as block, log-and-permit, or permit.

  • Configure notification options for fallback blocking, fallback nonblocking actions, and virus detection.

  • Configure the content size parameter as 20000. The content size check occurs before the scan request is sent; the content size refers to the accumulated TCP payload size.

  • Trickling applies only to HTTP. HTTP trickling is a mechanism that prevents the HTTP client or server from timing out during a file transfer or during antivirus scanning.

  • Configure the antivirus module to use URL bypass lists. You can configure URL whitelists or blacklists for URL lookups. A blacklist or whitelist action type is a user-defined category in which all the URLs or IP addresses are always blocked or permitted, and optionally logged. If a URL is in the user-configured blacklist, the device blocks it; if a URL is in the user-configured whitelist, the device permits it.

  • Configure a UTM policy, apply the feature profile to that UTM policy, and finally attach the UTM policy to the security policies.

Configuration

This example shows how to create a custom Avira profile, feature profiles and security policies.

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To configure the on-device antivirus feature profile using the CLI:

The following example shows you how to download the Avira scan engine if it is not available on the device and how to create a custom Avira profile. If you want to use the Juniper Networks preconfigured profile, use the profile named junos-av-defaults in your UTM policy.

  1. Select and configure the engine type. Because you are configuring Avira antivirus, you configure avira-engine.

    Note

    After configuring the antivirus type to Avira, reboot the system for the new Avira scan engine to take effect.

  2. (Optional) Configure the URL from which the Avira scan engine is downloaded. In most circumstances, you will not need to change the URL used to update the pattern database. If you do need to change this option to a customer-hosted URL, use the following command:
  3. Select a time interval for updating the data files. The default antivirus pattern-update interval is 1440 minutes (every 24 hours). You can choose to leave this default, or you can change it. You can also force a manual update, if needed. To change the default from every 24 hours to every 48 hours:
  4. (Optional) Configure the network device with the proxy server details, to download the pattern update from a remote server:
  5. You can configure the device to notify a specified administrator when data files are updated. This is an e-mail notification with a custom message and a custom subject line.
  6. (Optional) You can configure on-box antivirus (AV) to 'heavy' mode. The device enters 'light' mode if the CLI statement below is deleted while on-box AV remains enabled.

    To improve the throughput of low-scan-cost files, such as .doc files and large .exe files, the on-box AV load-flavor light ratio is changed from 1/3 to 1/4, and the on-box AV load-flavor heavy ratio is changed from 2/3 to 1/2.

    Note

    If on-box AV is enabled, or the set chassis onbox-av-load-flavor heavy statement is added or removed, the SRX Series device requests a reboot.

  7. Configure the fallback options as block, log-and-permit, or permit. The default setting is log-and-permit. You can keep the default settings, or you can change them.

    Configure the content size action. In this example, if the content size is exceeded, the action taken is block.

    First create the profile named prof1.

    Configure the content size fallback-option to block.

    Configure the default fallback option to log-and-permit.

    Configure log-and-permit if the antivirus engine is not ready.

    Configure log-and-permit if the device is out of resources.

    Configure log-and-permit if a virus scan timeout occurs.

    Configure log-and-permit if there are too many requests for the virus engine to handle.

  8. Configure notification options. You can configure notifications for fallback blocking, fallback nonblocking actions, and virus detection.

    In this step, configure a custom message for the fallback blocking action and send a notification for protocol-only actions to the administrator and the sender.

  9. Configure content size parameters.

    When you configure the content-size value, keep in mind that in certain cases the content size is available in the protocol headers, so the max-content-size fallback is applied before a scan request is sent. In many cases, however, the content size is not provided in the protocol headers. In those cases, the TCP payload is sent to the antivirus scanner and accumulates until the end of the payload; if the accumulated payload exceeds the maximum content size value, the max-content-size fallback is applied. The default fallback action is log-and-permit, so you may want to change this option to block, in which case such a packet is dropped and a block message is sent to the client.

    In this example, if the content size exceeds 20 MB, the packet is dropped.

  10. Configure the timeout setting for the scanning operation to 1800 seconds.
  11. Configure the trickling setting to 180 seconds. If you use trickling, you can also set timeout parameters. Trickling applies only to HTTP. HTTP trickling is a mechanism used to prevent the HTTP client or server from timing out during a file transfer or during antivirus scanning.

    When you enable the trickling option, keep in mind that trickling might send part of a file to the client during its antivirus scan. It is therefore possible that some of the content could be received by the client before the file has been fully scanned.

  12. Configure the antivirus module to use MIME bypass lists and exception lists. You can use your own custom object lists, or you can use the default list that ships with the device called junos-default-bypass-mime.
  13. Configure the antivirus module to use URL bypass lists. If you are using a URL whitelist, this is a custom URL category you have previously configured as a custom object. URL whitelists are valid only for HTTP traffic. In this example you use the lists that you set up earlier.
  14. Configure a UTM policy for Avira antivirus by creating the UTM policy utmp3 and attaching it to the http-profile avira-prof1.
    Note

    You can use the default Avira feature profile settings by replacing avira-prof1 in the above statement with junos-av-defaults.
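The set statements for steps 1 through 14 are not present on this page, so the following is an added example reconstructed from the step descriptions above; it is not the page's own CLI Quick Configuration listing. Statement paths follow the Junos OS UTM hierarchy as the author understands it for Release 18.4R1 and later; the proxy address and port, the e-mail addresses, the custom message text, the MIME exception list name avira-mime-exceptions, and the custom URL category name avira-url-whitelist are assumed values. The page names the profile prof1 in step 7 and avira-prof1 in step 14; this example uses avira-prof1 throughout. The hosted-URL statement in step 2 is included for illustration and is only needed when the predefined Juniper URL cannot be reached.

```junos
# Step 1: select the engine type (reboot the device after committing this).
set security utm default-configuration anti-virus type avira-engine

# Step 2 (optional): customer-hosted pattern/engine URL. Placeholder value; omit to keep the predefined URL.
set security utm default-configuration anti-virus avira-engine pattern-update url https://av-updates.example.net/avira

# Step 3: update the data files every 48 hours instead of the default 24 hours (value in minutes).
set security utm default-configuration anti-virus avira-engine pattern-update interval 2880

# Step 4 (optional): proxy used to reach the update server (assumed address and port).
set security utm default-configuration anti-virus avira-engine pattern-update proxy server 192.0.2.10
set security utm default-configuration anti-virus avira-engine pattern-update proxy port 8080

# Step 5: e-mail the administrator when the pattern file is updated (assumed address).
set security utm default-configuration anti-virus avira-engine pattern-update email-notify admin-email "av-admin@example.com"
set security utm default-configuration anti-virus avira-engine pattern-update email-notify custom-message "pattern file was updated"
set security utm default-configuration anti-virus avira-engine pattern-update email-notify custom-message-subject "AV pattern file updated"

# Step 6 (optional): heavy on-box AV mode; adding or removing this statement triggers a reboot request.
set chassis onbox-av-load-flavor heavy

# Step 7: create the feature profile and set the fallback options.
set security utm feature-profile anti-virus profile avira-prof1 fallback-options content-size block
set security utm feature-profile anti-virus profile avira-prof1 fallback-options default log-and-permit
set security utm feature-profile anti-virus profile avira-prof1 fallback-options engine-not-ready log-and-permit
set security utm feature-profile anti-virus profile avira-prof1 fallback-options out-of-resources log-and-permit
set security utm feature-profile anti-virus profile avira-prof1 fallback-options timeout log-and-permit
set security utm feature-profile anti-virus profile avira-prof1 fallback-options too-many-requests log-and-permit

# Step 8: fallback-block notification, protocol-only, sent to the administrator and the mail sender.
set security utm feature-profile anti-virus profile avira-prof1 notification-options fallback-block type protocol-only
set security utm feature-profile anti-virus profile avira-prof1 notification-options fallback-block custom-message "Antivirus fallback: content blocked"
set security utm feature-profile anti-virus profile avira-prof1 notification-options fallback-block custom-message-subject "AV fallback block"
set security utm feature-profile anti-virus profile avira-prof1 notification-options fallback-block administrator-email "av-admin@example.com"
set security utm feature-profile anti-virus profile avira-prof1 notification-options fallback-block notify-mail-sender

# Step 9: content size limit of 20000 KB (about 20 MB); with content-size block above, larger payloads are dropped.
set security utm feature-profile anti-virus profile avira-prof1 scan-options content-size-limit 20000

# Steps 10 and 11: scan timeout of 1800 seconds and HTTP trickling timeout of 180 seconds.
set security utm feature-profile anti-virus profile avira-prof1 scan-options timeout 1800
set security utm feature-profile anti-virus profile avira-prof1 trickling timeout 180

# Step 12: MIME bypass list shipped with the device, plus an exception list (assumed custom object).
set security utm feature-profile anti-virus profile avira-prof1 mime-whitelist list junos-default-bypass-mime
set security utm feature-profile anti-virus profile avira-prof1 mime-whitelist exception avira-mime-exceptions

# Step 13: URL whitelist referencing a previously created custom URL category (assumed name); HTTP only.
set security utm feature-profile anti-virus profile avira-prof1 url-whitelist avira-url-whitelist

# Step 14: UTM policy that applies the profile to HTTP traffic.
set security utm utm-policy utmp3 anti-virus http-profile avira-prof1
```

Paste the statements at the [edit] hierarchy level and commit; the engine-type change in step 1 and the load-flavor change in step 6 each require the reboot the page describes. Downloading the engine itself is an operational-mode action using the request security utm anti-virus avira-engine command named earlier on this page, not a configuration statement.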

Example: Configuring Firewall Security Policies

CLI Quick Configuration

Create a firewall security policy that causes traffic from the untrust zone to the trust zone to be scanned by the antivirus scan engine.

Step-by-Step Procedure

To configure a security policy for the antivirus scan engine:

  1. Configure the untrust to trust policy to match any source-address.
  2. Configure the untrust to trust policy to match any destination-address.
  3. Configure the untrust to trust policy to match any application type.
  4. Configure the untrust to trust policy to attach the UTM policy to the security policy.
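The statements for the four steps above, as an added example that is not the page's own listing. The policy name p3 is assumed; the UTM policy name utmp3 is the one used in the feature profile example earlier on this page, and the policy is attached under the permit action, which is where Junos OS applies application services.

```junos
# Steps 1 to 3: match any source address, destination address and application for untrust-to-trust traffic.
set security policies from-zone untrust to-zone trust policy p3 match source-address any
set security policies from-zone untrust to-zone trust policy p3 match destination-address any
set security policies from-zone untrust to-zone trust policy p3 match application any

# Step 4: permit the matched traffic and hand it to the UTM policy, which applies the antivirus profile.
set security policies from-zone untrust to-zone trust policy p3 then permit application-services utm-policy utmp3
```

After committing, the show security policies output in the Results section should list p3 under from-zone untrust to-zone trust with application-services utm-policy utmp3, and show security utm anti-virus status (Verification section) confirms the engine and pattern database are in place before relying on the policy.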

Results

From configuration mode, confirm your configuration by entering the show security utm, show services, and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Obtaining Information About the Current Antivirus Status

Purpose

Action

From operational mode, enter the show security utm anti-virus status command to view the antivirus status.

Sample Output

Meaning

  • Antivirus key expire date—The license key expiration date.

  • Update server—URL for the data file update server.

    • Interval—The time period, in minutes, when the device will update the data file from the update server.

    • Pattern update status—When the data file will be updated next, displayed in minutes.

    • Last result—Result of the last update.

  • Antivirus signature version—Version of the current data file.

  • Scan engine type—The antivirus engine type that is currently running.

  • Scan engine information—Version of the scan engine.

Understanding On-Device Antivirus Decompression Layer Limits

The Decompression Layer Limit is supported from Junos OS Release 18.4R1 onwards. The decompression layer limit specifies how many layers of nested compressed files and files with internal extractable objects, such as archive files (tar), MS Word, and PowerPoint files, the internal antivirus scanner can decompress before it executes the virus scan. For example, if a message contains a compressed .zip file that contains another compressed .zip file, there are two compression layers. Decompressing both files requires a decompress layer setting of 2.

It is worth noting that during the transfer of data, some protocols use content encoding. The antivirus scan engine must decode this layer, which is considered a decompression level, before it scans for viruses.

There are three kinds of compressed data:

  • compressed file (zip, rar, gzip)

  • encoded data (MIME)

  • packaged data (OLE, .CAP, .MSI, .TAR, .EML)

A decompression layer could be a layer of a zipped file or an embedded object in packaged data. The antivirus engine scans each layer before unpacking the next layer, until it either reaches the user-configured decompress limit, reaches the device decompress layer limit, finds a virus or other malware, or decompresses the data completely, whichever comes first.

As the virus signature database grows larger and the scan algorithms become more sophisticated, the scan engine is able to look deeper into the data for embedded malware and, as a result, can uncover more layers of compressed data. The Juniper Networks device's level of security is bounded by the decompress limit, which is based on the memory allocated to the security service. If a virus is not found within the decompress limit, the user has the option to either pass or drop the data.

Note

This setting can be used in all protocols.

Configuring On-Device Antivirus Decompression Layer Limits (CLI Procedure)

The Decompression Layer Limit is supported from Junos OS Release 18.4R1 onwards. To configure decompression layer limits, use the following CLI configuration statements:

The default value of the decompression layer limit is three.

The range for the decompression layer is 0 through 10.
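The configuration statement the text refers to is not present on this page; the following added example shows the decompress-layer-limit statement under the antivirus feature profile as the author understands the Junos OS UTM hierarchy. The profile name avira-prof1 is assumed.

```junos
# Allow two decompression layers, enough for the page's case of a .zip nested inside a .zip.
# Default is 3; valid range is 0 through 10. The limit applies to every protocol the profile scans.
set security utm feature-profile anti-virus profile avira-prof1 scan-options decompress-layer-limit 2
```

Deleting the statement returns the profile to the default of three layers. Whether data that is still packed when the limit is reached is passed or dropped is decided by the profile's fallback options, not by this statement.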

Release History Table

Release: 18.4R1
Description: Starting in Junos OS Release 18.4R1, SRX Series devices support an on-device antivirus scan engine. The scan engine, Avira, scans data by accessing the virus pattern database. It provides full file-based antivirus scanning, available through a separately licensed subscription service. When your antivirus license key expires, you can continue to use the locally stored antivirus signatures, but they no longer receive updates. If you delete the local database, antivirus scanning is also disabled.