
Sophos Antivirus Protection


The Sophos antivirus scanner uses a local internal cache to maintain query responses from the external list server to improve lookup performance. The Sophos antivirus scanning is offered as a less CPU-intensive alternative to the full file-based antivirus feature. For more information, see the following topics:

Sophos Antivirus Protection Overview

Sophos antivirus is an in-the-cloud antivirus solution. The virus pattern and malware database is located on external Sophos Extensible List servers maintained by Sophos, so there is no need to download and maintain large pattern databases on the Juniper device. The Sophos antivirus scanner also uses a local internal cache of query responses from the external list servers to improve lookup performance.

Because a significant amount of traffic processed by Juniper Unified Threat Management (UTM) is HTTP based, Uniform Resource Identifier (URI) checking is used to effectively prevent malicious content from reaching the endpoint client or server. The following checks are performed for HTTP traffic: URI lookup, true file type detection, and file checksum lookup. The following application layer protocols are supported: HTTP, FTP, SMTP, POP3 and IMAP.

The full file-based antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, Sophos antivirus scanning is offered as a less CPU-intensive alternative to the full file-based antivirus feature. Sophos supports the same protocols as full antivirus and functions in much the same manner; however, it has a smaller memory footprint and is compatible with lower-end devices that have less memory.

Starting with Junos OS Release 15.1X49-D100, IPv6 pass-through traffic for HTTP, HTTPS, FTP, SMTP, POP3, IMAP protocols is supported for Sophos antivirus, Web filtering and Content filtering security features of UTM.

Starting with Junos OS Release 12.3X48-D35 and Junos OS Release 17.3R1, the UTM Sophos antivirus (SAV) single-session throughput is increased by optimizing tcp-proxy forwarding.

Starting from Junos OS Release 19.4R1, the antivirus feature supports the implicit and explicit SMTPS, IMAPS, and POP3S protocols, and supports only explicit passive-mode FTPS.

Implicit mode—Connect to the SSL/TLS-encrypted port using a secure channel from the start.

Explicit mode—First connect over an unsecured channel, then secure the communication by issuing the STARTTLS command. For POP3S, use the STLS command.

Sophos Antivirus Features

Sophos antivirus has the following main features:

  • Sophos antivirus expanded MIME decoding support—Sophos antivirus offers decoding support for HTTP, POP3, SMTP, and IMAP. MIME decoding support includes the following for each supported protocol:

    • Multipart and nested header decoding

    • Base64 decoding, quoted-printable decoding, and encoded-word decoding in the subject field

  • Sophos antivirus supports HTTPS traffic—Starting with Junos OS Release 12.3X48-D25 and Junos OS Release 17.3R1, Sophos antivirus over SSL forward proxy supports HTTPS traffic. Sophos antivirus over SSL forward proxy does so by intercepting HTTPS traffic passing through the SRX Series device. The secure channel is split into one SSL channel between the client and the SRX Series device and another SSL channel between the SRX Series device and the HTTPS server. SSL forward proxy terminates both channels and forwards the cleartext traffic to UTM. UTM extracts the URL and the file checksum information from the cleartext traffic, and the Sophos antivirus scanner determines whether to block or permit the requests.

    SSL forward proxy does not support client authentication. If client authentication is required by the server, UTM bypasses the traffic. UTM bypasses the HTTPS traffic under the following conditions:

    • If SSL proxy does not parse the first handshake packet from the client, SSL forward proxy bypasses the traffic.

    • If the SSL proxy handshake with the client and server is incomplete because of compatibility issues, the connection drops.

    • If the system resource is low, SSL forward proxy cannot handle the new connection and Sophos antivirus bypasses the traffic.

    • If HTTPS traffic hits the allowlist of SSL forward proxy, SSL forward proxy and Sophos antivirus bypass the traffic.

  • Sophos antivirus scan result handling—With Sophos antivirus, the TCP connection is closed gracefully when a virus is found and the data content is dropped.

    The following fail mode options are supported: content-size, default, engine-not-ready, out-of-resource, timeout, and too-many-requests. You can set the following actions: block, log-and-permit, and permit. Fail mode handling of supported options with Sophos is much the same as with full antivirus.

  • Sophos Uniform Resource Identifier checking—Sophos provides Uniform Resource Identifier (URI) checking, which is similar to antispam realtime blackhole list (RBL) lookups. URI checking is a way of analyzing URI content in HTTP traffic against the Sophos database to identify malware or malicious content. Because malware is predominantly static, a checksum mechanism is used to identify malware to improve performance. Files that are capable of using a checksum include .exe, .zip, .rar, .swf, .pdf, and .ole2 (doc and xls).

    If you have a Juniper Networks device protecting an internal network that has no HTTP traffic, or has webservers that are not accessible to the outside world, you might want to turn off URI checking. If the webservers are not accessible to the outside world, it is unlikely that they contain URI information that is in the Sophos URI database. URI checking is on by default.

    Starting from Junos OS Release 18.4R1 onwards, the URI checking is off by default.

Understanding Sophos Antivirus Data File Update

Sophos antivirus uses a small set of data files that need to be updated periodically. These data files only contain information on guiding scanning logic and do not contain the full pattern database. The main pattern database, which includes protection against critical viruses, URI checks, malware, worms, Trojans, and spyware, is located on remote Sophos Extensible List servers maintained by Sophos.

The Sophos data files are updated over HTTP or HTTPS and can be updated manually or scheduled to update automatically. With Sophos antivirus:

  • The signature database auto-update interval is once a day by default. This interval can be changed.

  • There is no interruption in virus scanning capability during the data file update. If the update fails, the existing data files will continue to be used.

  • By default, the URL for Sophos antivirus data file update is http://update.juniper-updates.net/SAV/.

Note

The Sophos antivirus scanning feature is a separately licensed subscription service. When your antivirus license key expires, functionality will no longer work because the pattern lookup database is located on remote Sophos servers. You have a 30-day grace period in which to update your license.

Comparison of Sophos Antivirus to Kaspersky Antivirus

The Kaspersky and Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, Sophos Antivirus is much like Juniper Express Antivirus and also has similarities to the Full Antivirus feature:

  • Unlike the Juniper Express and Full Antivirus solutions, the antivirus and malware database for Sophos is stored on a group of remote Sophos Extensible List servers. Queries are performed using the DNS protocol. Sophos maintains these servers, so there is no need to download and maintain large pattern databases on the Juniper device. Because the database is remote, there is a quicker response to new virus outbreaks. The antivirus database has no size limitation, but there is a limitation on the scan file size.

    Note

    Sophos antivirus uses a set of data files that need to be updated on a regular basis. These are not typical virus pattern files; they are a set of small files that help guide virus scanning logic. You can manually download the data files or set up automatic download.

  • Sophos does not provide the same prescreening detection as Kaspersky Antivirus. Sophos does provide a similar solution that is part of the Sophos engine and cannot be turned on and off.

  • The Sophos antivirus scanning feature is a separately licensed subscription service. Also, the pattern lookup database is located on remote servers maintained by Sophos, so when your antivirus license key expires, functionality will no longer work. You have a 30-day grace period in which to update your license.

Sophos Antivirus Configuration Overview

Sophos antivirus is part of the Unified Threat Management (UTM) feature set, so you first configure UTM options (custom objects), then configure the Sophos feature profile, then create a UTM policy and a security policy. The security policy controls all traffic that is forwarded by the device, and the UTM policy specifies which parameters to use to scan traffic. The UTM policy is also used to bind a set of protocols to one or more UTM feature profiles, in this case Sophos antivirus.

You must complete the following tasks to configure Sophos antivirus:

  1. Configure UTM custom objects and MIME lists. See Example: Configuring Sophos Antivirus Custom Objects.
  2. Configure the Sophos antivirus feature profile. See Example: Configuring Sophos Antivirus Feature Profile.
  3. Configure a UTM policy. See Example: Configuring Sophos Antivirus UTM Policies.
  4. Configure a security policy. See Example: Configuring Sophos Antivirus Firewall Security Policies.

Example: Configuring Sophos Antivirus Custom Objects

This example shows you how to create UTM global custom objects to be used with Sophos antivirus.

Requirements

Before you begin, read about UTM custom objects. See UTM Overview.

Overview

Configure MIME lists. This includes creating a MIME allowlist and a MIME exception list for antivirus scanning. In this example, you bypass scanning of QuickTime videos unless they carry the MIME type video/quicktime-inappropriate.

Configuration

GUI Step-by-Step Procedure

To configure a MIME list:

  1. Click the Configure tab from the taskbar, and then select Security>UTM>Custom Objects.
  2. Click the MIME Pattern List tab and then click Add.
  3. In the MIME Pattern Name box, type avmime2.
  4. In the MIME Pattern Value box, type video/quicktime, and click Add.
  5. In the MIME Pattern Value box, type image/x-portable-anympa, and click Add.
  6. In the MIME Pattern Value box, type x-world/x-vrml, and click Add.

To configure a MIME exception list:

  1. Click the Configure tab from the taskbar, and then select Security>UTM>Custom Objects.
  2. Click the MIME Pattern List tab and then select Add.
  3. In the MIME Pattern Name box, type exception-avmime2.
  4. In the MIME Pattern Value box, type video/quicktime-inappropriate and click Add.

Configure a URL pattern list (allowlist) of URLs or addresses that will be bypassed by antivirus scanning. After you create the URL pattern list, you will create a custom URL category list and add the pattern list to it.

Note

Because you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure custom URL category lists.

To configure a URL pattern allowlist:

  1. Click the Configure tab from the taskbar, and then select Security>UTM>Custom Objects.
  2. Click the URL Pattern List tab, and then click Add.
  3. In the URL Pattern Name box, enter urllist2.
  4. In the URL Pattern Value box, enter http://example.net. (You can also use the IP address of the server instead of the URL.)

Save your configuration:

  1. Click OK to check your configuration and save it as a candidate configuration.
  2. If you are done configuring the device, click Actions>Commit.

Note

URL pattern wildcard support—The wildcard rule is as follows: \*\.[]\?* and you must precede all wildcard URLs with http://. You can use “*” only if it is at the beginning of the URL and is followed by a “.”. You can only use “?” at the end of the URL.

The following wildcard syntax is supported: http://*.example.net, http://www.example.ne?, http://www.example.n??. The following wildcard syntax is not supported: *.example.net , www.example.ne?, http://*example.net, http://*.

Step-by-Step Procedure

To configure antivirus protection using the CLI, you must create your custom objects in the following order:

  1. Create the MIME allowlist.

    Create the MIME exception list.

  2. Configure a URL pattern list (allowlist) of URLs or addresses that you want to bypass. After you create the URL pattern list, you create a custom URL category list and add the pattern list to it. Configure a URL pattern list custom object by creating the list name and adding values to it as follows. Because you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure custom URL category lists.

    Note

    URL pattern wildcard support—The wildcard rule is as follows: \*\.[]\?* and you must precede all wildcard URLs with http://. You can only use “*” if it is at the beginning of the URL and is followed by a “.”. You can only use “?” at the end of the URL.

    The following wildcard syntax is supported: http://*.example.net, http://www.example.ne?, http://www.example.n??. The following wildcard syntax is not supported: *.example.net , www.example.ne?, http://*example.net, http://*.

  3. Configure a custom URL category list custom object by using the URL pattern list urllist2 that you created earlier:
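The custom objects from the procedure above, written out as Junos set commands. This is an added example, not CLI text from this page or from Juniper's own documentation; it assumes the standard [edit security utm custom-objects] hierarchy and reuses the object names the page already uses (avmime2, exception-avmime2, urllist2, custurl2). The http://*.example.net entry is an extra, assumed value added to show the wildcard form. Lines beginning with # are annotations for the reader; remove them before pasting into the CLI.

```junos
# Added example (not from the page): UTM custom objects for Sophos antivirus,
# entered from the [edit] hierarchy in configuration mode.

# 1. MIME allowlist: content carrying these types bypasses antivirus scanning.
set security utm custom-objects mime-pattern avmime2 value video/quicktime
set security utm custom-objects mime-pattern avmime2 value image/x-portable-anympa
set security utm custom-objects mime-pattern avmime2 value x-world/x-vrml

# 1b. MIME exception list: types that are still scanned even though they fall
#     under an allowlisted entry.
set security utm custom-objects mime-pattern exception-avmime2 value video/quicktime-inappropriate

# 2. URL pattern allowlist: traffic to these URLs or addresses bypasses scanning.
#    Wildcard entries must start with http://, use '*' only as the first label
#    followed by '.', and use '?' only at the end (the rule in the Note above).
set security utm custom-objects url-pattern urllist2 value http://example.net
set security utm custom-objects url-pattern urllist2 value http://*.example.net

# 3. Custom URL category built from the pattern list. The antivirus profile's
#    URL allowlist references this category name, not the pattern list itself.
set security utm custom-objects custom-url-category custurl2 value urllist2

commit

# Verification (the command named in the Verification section).
run show security utm custom-objects
```

The ordering matters: the custom-url-category statement refers to urllist2, so the commit fails if the url-pattern object has not been created first.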

Verification

To verify the configuration, enter the show security utm custom-objects command.

Example: Configuring Sophos Antivirus Feature Profile

This example shows you how to configure a Sophos antivirus profile that defines the parameters that will be used for virus scanning.

Requirements

Before you begin:

Overview

The following configuration defines Sophos as the antivirus engine and sets parameters, such as the data file update interval, notification options for administrators, fallback options, and file size limits.

Note

The [edit security utm feature-profile] hierarchy level is deprecated in Junos OS Release 18.2R1. For more information, see UTM Overview.

Configuration

GUI Step-by-Step Procedure

The following example shows you how to create a custom Sophos profile. If you want to use the Juniper Networks preconfigured profile, use the profile named junos-sophos-av-defaults in your UTM policy. See Example: Configuring Sophos Antivirus UTM Policies.

  1. Select and configure the engine type. Because you are configuring Sophos antivirus, you configure sophos-engine:
    1. Click the Configure tab from the taskbar, and then select Security>UTM>Anti-Virus.
    2. Click the Global Options tab and then click Sophos.
    3. Click OK and commit your changes.
  2. Return to the antivirus Global Options screen as you did in step 1, and set the following parameters:
    1. In the MIME allowlist list, select exception-avmime2.
    2. In the URL allowlist list, select custurl2.
    3. In the Pattern update interval (sec) box, type 2880.
    4. In the Admin e-mail box, type the e-mail address that will receive Sophos data file update notifications, for example admin@example.net.
    5. In the Custom message subject box, type Sophos Data File Updated.
    6. Click OK to check your configuration and save it as a candidate configuration.
  3. Configure a profile for the sophos-engine and set parameters.
    1. Click the Configure tab from the taskbar and then select Security>UTM>Anti-Virus. Click Add.
    2. In the Add profile box, click the Main tab.
    3. In the Profile name box, type sophos-prof1.
    4. In the Trickling timeout box, type 180.

      When enabling the trickling option, it is important to understand that trickling might send part of the file to the client during the antivirus scan. It is possible that some of the content could be received by the client and the client might become infected before the file is fully scanned.

    5. URI checking is on by default. To turn it off, clear yes in the URI check box.
    6. In the Content size Limit box, type 20000.
    7. In the Scan engine timeout box, type 1800.
  4. Configure fallback settings by clicking the Fallback settings tab. In this example, all fallback options are set to log and permit. Click Log and permit for the following items: Default action, Content size, Engine not ready, Timeout, Out of resource, Too many requests.
  5. Configure notification options by clicking the Notification options tab. You can configure notifications for both fallback blocking and fallback nonblocking actions and for virus detection.

    To configure notifications for Fallback settings:

    1. For Notification type, click Protocol.
    2. For Notify mail sender, click yes.
    3. In the Custom message box, type Fallback block action occurred.
    4. In the Custom message subject box, type ***Antivirus fallback Alert***.
  6. To configure notification options for virus detection, click the Notification options cont... tab.
    1. For the Notification type option button, select Protocol.
    2. For the Notify mail sender option button, select yes.
    3. In the Custom message box, type Virus has been detected.
    4. In the Custom message subject box, type ***Virus detected***.
  7. Click OK to check your configuration and save it as a candidate configuration.
  8. If you are done configuring the device, click Actions>Commit.

Step-by-Step Procedure

To configure the Sophos antivirus feature profile using the CLI:

The following example shows you how to create a custom Sophos profile. If you want to use the Juniper Networks preconfigured profile, use the profile named junos-sophos-av-defaults in your UTM policy. See Example: Configuring Sophos Antivirus UTM Policies.

  1. Select and configure the engine type. Because you are configuring Sophos antivirus, you configure sophos-engine.
  2. Commit the configuration.
  3. Select a time interval for updating the data files. The default antivirus pattern-update interval is 1440 minutes (every 24 hours). You can choose to leave this default, or you can change it. You can also force a manual update, if needed. To change the default from every 24 hours to every 48 hours:
  4. Configure the network device with the proxy server details, to download the pattern update from a remote server:
  5. In most circumstances, you will not need to change the URL to update the pattern database. If you do need to change this option, use the following command:
  6. You can configure the device to notify a specified administrator when data files are updated. This is an e-mail notification with a custom message and a custom subject line.
  7. Configure a list of fallback options as block, log and permit, or permit. The default setting is log-and-permit. You can use the default settings, or you can change them.

    Configure the content size action. In this example, if the content size is exceeded, the action taken is block.

    First create the profile named sophos-prof1.

    Configure the content size fallback-option to block.

    Configure the default fallback option to log-and-permit.

    Configure log-and-permit if the antivirus engine is not ready.

    Configure log-and-permit if the device is out of resources.

    Configure log-and-permit if a virus scan timeout occurs.

    Configure log-and-permit if there are too many requests for the virus engine to handle.

  8. Configure notification options. You can configure notifications for fallback blocking, fallback nonblocking actions, and virus detection.

    In this step, configure a custom message for the fallback blocking action and send a notification for protocol-only actions to the administrator and the sender.

  9. Configure a notification for protocol-only virus detection, and send a notification.
  10. Configure content size parameters.

    When you configure the content-size value, keep in mind that in certain cases, content size is available in the protocol headers, so the max-content-size fallback is applied before a scan request is sent. However, in many cases, content size is not provided in the protocol headers. In these cases, the TCP payload is sent to the antivirus scanner and accumulates until the end of the payload. If the accumulated payload exceeds the maximum content size value, then max-content-size fallback is applied. The default fallback action is log and permit, so you may want to change this option to block, in which case such a packet is dropped and a block message is sent to the client.

    In this example, if the content size exceeds 20 MB, the packet is dropped.

  11. URI checking is on by default. To turn off URI checking:
  12. Configure the timeout setting for the scanning operation to 1800 seconds.
  13. The Sophos Extensible List servers contain the virus and malware database for scanning operations. Set the response timeout for these servers to 3 seconds (the default is 2 seconds).
  14. Configure the Sophos Extensible List server retry option to 2 retries (the default is 1).
  15. Configure the trickling setting to 180 seconds. If you use trickling, you can also set timeout parameters. Trickling applies only to HTTP. HTTP trickling is a mechanism used to prevent the HTTP client or server from timing out during a file transfer or during antivirus scanning.

    When you enable the trickling option, keep in mind that trickling might send part of a file to the client during its antivirus scan. It is therefore possible that some of the content could be received by the client before the file has been fully scanned.

  16. Configure the antivirus module to use MIME bypass lists and exception lists. You can use your own custom object lists, or you can use the default list that ships with the device called junos-default-bypass-mime. In this example, you use the lists that you set up earlier.
  17. Configure the antivirus module to use URL bypass lists. If you are using a URL allowlist, this is a custom URL category you have previously configured as a custom object. URL allowlists are valid only for HTTP traffic. In this example you use the lists that you set up earlier.
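The feature profile steps above collected into one set of Junos commands. This is an added example, not CLI text from this page or from Juniper's own documentation. It assumes the [edit security utm feature-profile anti-virus] hierarchy that this procedure uses (deprecated from Junos OS Release 18.2R1, as the Note above says) and the sophos-engine keywords pattern-update, fallback-options, notification-options, scan-options (including no-uri-check, sxl-timeout and sxl-retry), trickling, mime-whitelist and url-whitelist; the values are the ones this page uses. Step 4 (proxy server) is left out because the page gives no proxy details. Lines beginning with # are annotations for the reader; remove them before pasting.

```junos
# Added example (not from the page): Sophos antivirus feature profile sophos-prof1,
# configured under [edit security utm feature-profile anti-virus].

# Steps 1-2: select the Sophos engine and commit so the engine is initialised
# before the profile that depends on it is configured.
set security utm feature-profile anti-virus type sophos-engine
commit

# Step 3: refresh the data files every 48 hours instead of the 24-hour default.
set security utm feature-profile anti-virus sophos-engine pattern-update interval 2880

# Step 5: update URL, shown with the documented default; change only if needed.
set security utm feature-profile anti-virus sophos-engine pattern-update url http://update.juniper-updates.net/SAV/

# Step 6: e-mail the administrator when the data files are updated.
set security utm feature-profile anti-virus sophos-engine pattern-update email-notify admin-email admin@example.net
set security utm feature-profile anti-virus sophos-engine pattern-update email-notify custom-message-subject "Sophos Data File Updated"

# Step 7: fallback actions. Only an oversized object is blocked; the other failure
# modes log and permit, so an engine outage fails open and is visible in the logs.
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 fallback-options content-size block
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 fallback-options default log-and-permit
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 fallback-options engine-not-ready log-and-permit
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 fallback-options out-of-resource log-and-permit
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 fallback-options timeout log-and-permit
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 fallback-options too-many-requests log-and-permit

# Steps 8-9: protocol-only notifications, also sent to the mail sender, for
# fallback blocks and for virus detections.
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 notification-options fallback-block type protocol-only
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 notification-options fallback-block notify-mail-sender
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 notification-options fallback-block custom-message "Fallback block action occurred"
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 notification-options fallback-block custom-message-subject "***Antivirus fallback Alert***"
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 notification-options virus-detection type protocol-only
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 notification-options virus-detection notify-mail-sender
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 notification-options virus-detection custom-message "Virus has been detected"
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 notification-options virus-detection custom-message-subject "***Virus detected***"

# Steps 10-14: 20000 KB (20 MB) content limit, URI check off, 1800 s scan timeout,
# 3 s response timeout and 2 retries for the Sophos Extensible List servers.
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 scan-options content-size-limit 20000
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 scan-options no-uri-check
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 scan-options timeout 1800
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 scan-options sxl-timeout 3
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 scan-options sxl-retry 2

# Step 15: HTTP trickling. Part of the file may reach the client before the scan
# completes, which is the trade-off described above.
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 trickling timeout 180

# Steps 16-17: bypass lists built as custom objects earlier.
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 mime-whitelist list avmime2
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 mime-whitelist exception exception-avmime2
set security utm feature-profile anti-virus sophos-engine profile sophos-prof1 url-whitelist custurl2

commit

# Verification (the command named in the Verification section).
run show security utm anti-virus status
```

Note the asymmetry in step 7: content-size is the one fallback set to block because, as the content-size discussion above explains, an object that exceeds the limit is never fully scanned, whereas the other fallbacks describe transient engine conditions that are usually better logged than turned into an outage.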

Verification

Obtaining Information About the Current Antivirus Status

Purpose

Action

From operational mode, enter the show security utm anti-virus status command to view the antivirus status.

Meaning

  • Antivirus key expire date—The license key expiration date.

  • Update server—URL for the data file update server.

    • Interval—The time period, in minutes, when the device will update the data file from the update server.

    • Pattern update status—When the data file will be updated next, displayed in minutes.

    • Last result—Result of the last update. If you already have the latest version, this will display already have latest database.

  • Antivirus signature version—Version of the current data file.

  • Scan engine type—The antivirus engine type that is currently running.

  • Scan engine information—Result of the last action that occurred with the current scan engine.

Example: Configuring Sophos Antivirus UTM Policies

This example shows how to create a UTM policy for Sophos antivirus.

Requirements

Before you create the UTM policy, create custom objects and the Sophos feature profile.

  1. Configure UTM custom objects and MIME lists. See Example: Configuring Sophos Antivirus Custom Objects.
  2. Configure the Sophos antivirus feature profile. See Example: Configuring Sophos Antivirus Feature Profile.

Overview

After you have created an antivirus feature profile, you configure a UTM policy for an antivirus scanning protocol and attach this policy to a feature profile. In this example, HTTP will be scanned for viruses, as indicated by the http-profile statement. You can scan other protocols as well by creating different profiles or adding other protocols to the profile, such as: imap-profile, pop3-profile, and smtp-profile.

Configuration

GUI Step-by-Step Procedure

To configure a UTM policy for Sophos antivirus:

  1. Click the Configure tab from the taskbar, and then select Security>Policy>UTM Policies. Then click Add.
  2. Click the Main tab. In the Policy name box, type utmp3.
  3. Click the Anti-Virus profiles tab. In the HTTP profile list, select sophos-prof1.
  4. Click OK to check your configuration and save it as a candidate configuration.
  5. If you are done configuring the device, select Actions>Commit.

Step-by-Step Procedure

To configure a UTM policy for Sophos antivirus:

  1. Go to the edit security utm hierarchy.
  2. Create the UTM policy utmp3 and attach it to the http-profile sophos-prof1. You can use the default Sophos feature profile settings by replacing sophos-prof1 in the above statement with junos-sophos-av-defaults.

Verification

To verify the configuration, enter the show security utm utm-policy utmp3 command.

Example: Configuring Sophos Antivirus Firewall Security Policies

This example shows how to create a security policy for Sophos antivirus.

Requirements

Before you create the security policy, create custom objects, the Sophos feature profile, and the UTM policy.

  1. Configure UTM custom objects and MIME lists. See Example: Configuring Sophos Antivirus Custom Objects.
  2. Configure the Sophos antivirus feature profile. See Example: Configuring Sophos Antivirus Feature Profile.
  3. Configure a UTM policy. See Example: Configuring Sophos Antivirus UTM Policies.

Overview

Create a firewall security policy that will cause traffic from the untrust zone to the trust zone to be scanned by Sophos antivirus using the feature profile settings defined in Example: Configuring Sophos Antivirus Feature Profile. Because the match application configuration is set to any, all application types will be scanned.

Configuration

GUI Step-by-Step Procedure

To configure a security policy for Sophos antivirus:

  1. Configure the untrust to trust policy to match any source address or destination address, and set the applications to be scanned to any.
    1. Click the Configure tab from the taskbar, and then select Security>Policy>FW Policies. Then select Add.
    2. In the Policy Name box, type p3.
    3. In the Policy Action box, select permit.
    4. In the From Zone list, select untrust.
    5. In the To Zone list, select trust.
    6. In the Source Address and Destination Address boxes, make sure that Matched is set to any.
    7. In the Applications boxes, select any from the Application/Sets list, and move it to the Matched list.
  2. Attach the UTM policy named utmp3 to the firewall security policy. This will cause matched traffic to be scanned by the Sophos antivirus feature.
    1. From the Edit Policy box, click the Application Services tab.
    2. In the UTM Policy list, select utmp3.
  3. Click OK to check your configuration and save it as a candidate configuration.
  4. If you are done configuring the device, select Actions>Commit.

Step-by-Step Procedure

To configure a security policy for Sophos antivirus:

  1. Configure the untrust to trust policy to match any source-address.
  2. Configure the untrust to trust policy to match any destination-address.
  3. Configure the untrust to trust policy to match any application type.
  4. Attach the UTM policy named utmp3 to the firewall security policy. This will cause matched traffic to be scanned by the Sophos antivirus feature.
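The UTM policy from Example: Configuring Sophos Antivirus UTM Policies and the security policy from the procedure above, as one set of Junos commands. This is an added example, not CLI text from this page or from Juniper's own documentation; it assumes the [edit security utm utm-policy] and [edit security policies] hierarchies and uses the names the page already uses (utmp3, sophos-prof1, p3, zones untrust and trust). Lines beginning with # are annotations for the reader; remove them before pasting.

```junos
# Added example (not from the page): UTM policy utmp3 and the firewall policy
# that applies it, entered from the [edit] hierarchy in configuration mode.

# UTM policy: scan HTTP with sophos-prof1. To scan other supported protocols,
# add imap-profile, pop3-profile or smtp-profile statements to the same policy.
set security utm utm-policy utmp3 anti-virus http-profile sophos-prof1
# To use Juniper's preconfigured profile instead of sophos-prof1:
# set security utm utm-policy utmp3 anti-virus http-profile junos-sophos-av-defaults

# Security policy: untrust -> trust, match any source, destination and application,
# permit, and hand matched sessions to UTM policy utmp3 for scanning.
set security policies from-zone untrust to-zone trust policy p3 match source-address any
set security policies from-zone untrust to-zone trust policy p3 match destination-address any
set security policies from-zone untrust to-zone trust policy p3 match application any
set security policies from-zone untrust to-zone trust policy p3 then permit application-services utm-policy utmp3

commit

# Verification (the commands named in the two Verification sections).
run show security utm utm-policy utmp3
run show security policies
```

Because the match is any/any/any, every session that crosses untrust to trust is inspected by UTM; in practice you would narrow the match to the servers and applications you intend to scan and keep a separate, stricter policy for everything else.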

Verification

To verify the configuration, enter the show security policies command.

Example: Configuring Sophos Antivirus Scanner with SSL Forward Proxy

This example shows how to configure Sophos antivirus over SSL forward proxy to support HTTPS traffic passing through SRX Series devices.

Note

Starting with Junos OS Release 12.3X48-D25 and Junos OS Release 17.3R1, Sophos antivirus over SSL forward proxy supports HTTPS traffic.

Requirements

Before you begin, understand Sophos antivirus features. See Sophos Antivirus Features.

Overview

In this example, you configure Sophos antivirus over SSL forward proxy to support HTTPS traffic. You load the PKI certificate, generate a self-signed CA certificate, configure a trusted CA list, configure an SSL proxy profile using the root certificate, and enable SSL forward proxy. To configure UTM over SSL forward proxy, first match the source/destination/application, set up the SSL proxy service, and perform scanning to determine whether to block or permit the requests.

Note

The [edit security utm feature-profile] hierarchy level is deprecated in Junos OS Release 18.2R1. For more information, see UTM Overview.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the edit hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Sophos Antivirus over SSL forward proxy:

  1. Generate a self-signed CA certificate on the device.
  2. Configure a trusted CA list.
  3. Configure an SSL proxy profile using a root certificate.
  4. Enable SSL forward proxy.
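The four steps above as Junos commands. This is an added example, not CLI text from this page or from Juniper's own documentation. The certificate ID ssl-inspect-ca is the one named in the Verification section of this example; the SSL proxy profile name ssl-inspect-profile, the policy name p4, the trust-to-untrust zone direction, the certificate subject and domain, the key size and the CA group name all are assumptions made for this example. It also assumes the request security pki commands for key-pair generation, self-signed certificate generation and CA group loading, and the [edit services ssl proxy] hierarchy. Lines beginning with # are annotations for the reader; remove them before pasting.

```junos
# Added example (not from the page): Sophos antivirus over SSL forward proxy.

# Step 1 (operational mode): key pair and self-signed root CA. SSL forward proxy
# re-signs server certificates with this CA, so clients must trust it.
request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa
request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name www.example.net subject "CN=www.example.net,OU=IT,O=Example,L=Sunnyvale,ST=CA,C=US" email security-admin@example.net

# Step 2 (operational mode): load the bundled trusted CA certificates into the
# CA profile group "all", used to validate the real server certificates.
request security pki ca-certificate ca-profile-group load ca-group-name all filename default

# Step 3 (configuration mode): SSL proxy profile using that root CA and CA group.
set services ssl proxy profile ssl-inspect-profile root-ca ssl-inspect-ca
set services ssl proxy profile ssl-inspect-profile trusted-ca all

# Step 4: enable SSL forward proxy on the policy that also applies the UTM policy,
# so the decrypted HTTPS stream is handed to Sophos antivirus.
set security policies from-zone trust to-zone untrust policy p4 match source-address any
set security policies from-zone trust to-zone untrust policy p4 match destination-address any
set security policies from-zone trust to-zone untrust policy p4 match application any
set security policies from-zone trust to-zone untrust policy p4 then permit application-services ssl-proxy profile-name ssl-inspect-profile
set security policies from-zone trust to-zone untrust policy p4 then permit application-services utm-policy utmp3

commit

# Results (the commands named in the Results section).
show security utm
show services
show security policies
```

Keep the bypass conditions listed under Sophos Antivirus Features in mind when reading the results: a server that demands client authentication, an unparsable first handshake packet, resource exhaustion, or an allowlisted destination all cause the HTTPS session to pass uninspected, so a working configuration still needs monitoring for how much traffic is actually being decrypted.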

Results

From configuration mode, confirm your configuration by entering the show security utm, show services, and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the Security PKI Local Certificate

Purpose

Verify the security PKI local certificate.

Action

From configuration mode, enter the show security pki local-certificate command.

user@host# show security pki local-certificate

Meaning

The sample output confirms that the PKI local certificate ssl-inspect-ca is configured.

Verifying UTM Antivirus Statistics

Purpose

Verify UTM antivirus statistics.

Action

From operational mode, enter the show security utm anti-virus statistics command.

user@host> show security utm anti-virus statistics

Meaning

The sample output shows the list of UTM antivirus statistics.

Verifying UTM Antivirus Statistics Details

Purpose

Verify UTM antivirus statistics details.

Action

From operational mode, enter the show security utm anti-virus statistics detail command.

user@host> show security utm anti-virus statistics detail

Meaning

The sample output shows the list of antivirus statistics details.

Verifying UTM Antivirus Status

Purpose

Verify UTM antivirus status.

Action

From operational mode, enter the show security utm anti-virus status command to view the antivirus status.

user@host> show security utm anti-virus status

Meaning

  • Antivirus key expire date—The license key expiration date.

  • Update server—URL for the data file update server.

    • Interval—The time period, in minutes, when the device updates the data file from the update server.

    • Auto update status—Displays the next automatic update of the data file in minutes.

    • Last result—Result of the last database update.

  • Antivirus signature version—Version of the current antivirus signature data file.

  • Scan engine type—The antivirus scan engine type that is currently running.

  • Scan engine information—Result of the last action that occurred with the current scan engine.

Managing Sophos Antivirus Data Files

Before you begin:

  • Install a Sophos antivirus license. See the Installation and Upgrade Guide.

  • Configure Sophos as the antivirus feature for the device. See Example: Configuring Sophos Antivirus Feature Profile. To set the antivirus engine type, you run the set security utm feature-profile anti-virus type sophos-engine statement.

In this example, you configure the security device to update the data files automatically every 4320 minutes (every 3 days). The default data file update interval is 1440 minutes (every 24 hours).

To automatically update Sophos data files:

Note

The following commands are performed from CLI operational mode.

To manually update data files:

To manually reload data files:

To manually delete data files:

To check the status of antivirus, which also shows the data files version:

To check the status of the proxy server:
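The data file management tasks above as Junos commands. This is an added example, not CLI text from this page or from Juniper's own documentation; it assumes the sophos-engine pattern-update configuration statement under [edit security utm feature-profile anti-virus] and the operational commands request security utm anti-virus sophos-engine pattern-update, pattern-reload and pattern-delete. The proxy server status check is left out because no proxy is configured in this example. Lines beginning with # are annotations for the reader; remove them before pasting.

```junos
# Added example (not from the page): managing Sophos antivirus data files.

# Configuration mode (prompt user@host#): automatic update every 3 days
# (4320 minutes) instead of the 1440-minute default.
set security utm feature-profile anti-virus sophos-engine pattern-update interval 4320
commit

# Operational mode (prompt user@host>): on-demand data file operations.
# Fetch the data files from the update server now.
request security utm anti-virus sophos-engine pattern-update
# Reload the data files already on the device into the running engine.
request security utm anti-virus sophos-engine pattern-reload
# Remove the local data files; the next update fetches a fresh set.
request security utm anti-virus sophos-engine pattern-delete

# Status: key expiry, update server, interval, next update, last result and
# the current data file version (fields described under Meaning above).
show security utm anti-virus status
```

Scanning is not interrupted while an update runs, and a failed update leaves the existing data files in place, so a stale "Last result" in the status output is the signal to check reachability of the update URL rather than a sign that scanning has stopped.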

Release History Table

Release | Description
15.1X49-D100 | Starting with Junos OS Release 15.1X49-D100, IPv6 pass-through traffic for HTTP, HTTPS, FTP, SMTP, POP3, IMAP protocols is supported for Sophos antivirus, Web filtering and Content filtering security features of UTM.
15.1X49-D10, 17.3R1 | The full file-based antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.
15.1X49-D10, 17.3R1 | The Kaspersky and Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.
12.3X48-D35, 17.3R1 | Starting with Junos OS Release 12.3X48-D35 and Junos OS Release 17.3R1, the UTM Sophos antivirus (SAV) single-session throughput is increased by optimizing tcp-proxy forwarding.
12.3X48-D25, 17.3R1 | Starting with Junos OS Release 12.3X48-D25 and Junos OS Release 17.3R1, Sophos antivirus over SSL forward proxy supports HTTPS traffic.