Sophos Antivirus Protection on NFX Devices
The Sophos antivirus scanner uses a local internal cache to hold query responses from the external list server, which improves lookup performance. The following topics describe the feature and how to configure it.
Sophos Antivirus Protection Overview
Sophos antivirus supports the same protocols as full antivirus and functions in much the same manner; however, it has a smaller memory footprint and is suited to lower-end devices that have less memory.
Sophos antivirus is an in-the-cloud antivirus solution. The virus pattern and malware database is located on external servers maintained by Sophos, the Sophos Extensible List (SXL) servers, so there is no need to download and maintain large pattern databases on the Juniper device. The Sophos antivirus scanner also uses a local internal cache to hold query responses from the external list server to improve lookup performance.
Because a significant amount of traffic processed by Juniper Unified Threat Management (UTM) is HTTP based, Uniform Resource Identifier (URI) checking is used to effectively prevent malicious content from reaching the endpoint client or server. The following checks are performed for HTTP traffic: URI lookup, true file type detection, and file checksum lookup. The following application layer protocols are supported: HTTP, FTP, SMTP, POP3 and IMAP.
IPv6 pass-through traffic for HTTP, HTTPS, FTP, SMTP, POP3, IMAP protocols is supported for Sophos antivirus, Web filtering and Content filtering security features of UTM.
Sophos Antivirus Features
Sophos antivirus has the following main features:
Sophos antivirus expanded MIME decoding support—Sophos antivirus offers decoding support for HTTP, POP3, SMTP, and IMAP. MIME decoding support includes the following for each supported protocol:
Multipart and nested header decoding
Base64 decoding, quoted-printable decoding, and encoded-word decoding in the subject field
Sophos antivirus supports HTTPS traffic—Sophos antivirus inspects HTTPS by way of SSL forward proxy, which intercepts HTTPS traffic passing through the device. The secure channel is split in two: one SSL session between the client and the device, and a second SSL session between the device and the HTTPS server. SSL forward proxy terminates both sessions and hands the cleartext traffic to UTM. UTM extracts the URL and the file checksum from the cleartext, and the Sophos antivirus scanner decides whether to block or permit the request.
SSL forward proxy does not support client authentication. If the server requires client authentication, UTM bypasses the traffic, that is, forwards it without scanning. UTM also bypasses or drops HTTPS traffic under the following conditions:
If SSL forward proxy cannot parse the first handshake packet from the client, it bypasses the traffic.
If the SSL proxy handshake with the client or server cannot be completed because of compatibility issues, the connection is dropped.
If system resources are low, SSL forward proxy cannot handle the new connection and Sophos antivirus bypasses the traffic.
If the HTTPS traffic matches the SSL forward proxy whitelist, both SSL forward proxy and Sophos antivirus bypass the traffic.
Sophos antivirus scan result handling—With Sophos antivirus, the TCP connection is closed gracefully when a virus is found and the data content is dropped.
The following fail mode options are supported: content-size, default, engine-not-ready, out-of-resources, timeout, and too-many-requests. You can set the following actions for each: block, log-and-permit, and permit. Fail mode handling of the supported options with Sophos is much the same as with full antivirus.
Sophos Uniform Resource Identifier checking—Sophos provides Uniform Resource Identifier (URI) checking, which is similar to antispam realtime blackhole list (RBL) lookups. URI checking is a way of analyzing URI content in HTTP traffic against the Sophos database to identify malware or malicious content. Because malware is predominantly static, a checksum mechanism is used to identify malware to improve performance. Files that are capable of using a checksum include .exe, .zip, .rar, .swf, .pdf, and .ole2 (doc and xls).
Note If you have a Juniper Networks device protecting an internal network that has no HTTP traffic, or has webservers that are not accessible to the outside world, you might want to turn off URI checking. If the webservers are not accessible to the outside world, it is unlikely that they contain URI information that is in the Sophos URI database. URI checking is on by default.
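The following Python model is added here to illustrate the lookup path the sections above describe (a local cache of SXL responses in front of the remote database, checksum-based identification of static malware, and the fallback action applied when the remote query fails); it is not Juniper's or Sophos's code. Timeouts are simulated rather than real, and the sxl-timeout and sxl-retry values (the page's defaults of 2 seconds and 1 retry), the choice of SHA-256 as the checksum, the rule that an exhausted retry budget triggers the timeout fallback action, and the FakeSxlServer and SophosScanner names are all this model's own assumptions.

```python
# Added illustration of the lookup path described on this page; not Juniper or
# Sophos code. Timeouts are simulated, and the rule "exhausted retries -> timeout
# fallback action" is an assumption of this model.
import hashlib
from dataclasses import dataclass, field

BLOCK, LOG_AND_PERMIT, PERMIT = "block", "log-and-permit", "permit"


class SxlTimeout(Exception):
    """Raised when a simulated SXL query exceeds sxl-timeout."""


@dataclass
class FakeSxlServer:
    """Constructed stand-in for the Sophos Extensible List (SXL) servers.

    `malicious` is the set of checksums the remote database knows as bad;
    `fail_first` is how many queries time out before one succeeds, which
    models a slow or unreachable server.
    """
    malicious: set
    fail_first: int = 0
    queries: int = 0

    def query(self, checksum):
        self.queries += 1
        if self.queries <= self.fail_first:
            raise SxlTimeout()
        return checksum in self.malicious


@dataclass
class SophosScanner:
    """Checksum lookup with a local response cache in front of the SXL server."""
    server: FakeSxlServer
    sxl_timeout: float = 2.0                  # seconds per query (page default)
    sxl_retry: int = 1                        # retries after the first attempt (page default)
    timeout_fallback: str = LOG_AND_PERMIT    # fallback-options timeout (page default)
    cache: dict = field(default_factory=dict) # local cache of SXL responses

    @staticmethod
    def checksum(data):
        # SHA-256 stands in for whatever checksum the real scanner uses (assumption).
        return hashlib.sha256(data).hexdigest()

    def worst_case_stall(self):
        """Seconds a flow can wait on SXL before the timeout fallback applies."""
        return (self.sxl_retry + 1) * self.sxl_timeout

    def scan(self, data):
        """Return (where the verdict came from, action to apply to the content)."""
        cs = self.checksum(data)
        if cs in self.cache:                          # cache hit: no remote query
            return "cache", BLOCK if self.cache[cs] else PERMIT
        for _attempt in range(self.sxl_retry + 1):    # first try plus sxl_retry retries
            try:
                hit = self.server.query(cs)
            except SxlTimeout:
                continue
            self.cache[cs] = hit                      # remember the remote answer
            return "sxl", BLOCK if hit else PERMIT
        # Every attempt timed out: the content is handled by the fallback action,
        # which with the default log-and-permit means it is forwarded unscanned.
        return "fallback", self.timeout_fallback


if __name__ == "__main__":
    evil = b"MZ\x90\x00constructed sample, not real malware"
    server = FakeSxlServer(malicious={SophosScanner.checksum(evil)})
    scanner = SophosScanner(server)
    print(scanner.scan(evil))             # ('sxl', 'block')
    print(scanner.scan(evil))             # ('cache', 'block'), no second query
    print(scanner.scan(evil + b"\x00"))   # ('sxl', 'permit'): one byte changed, new checksum
    slow = SophosScanner(FakeSxlServer(set(), fail_first=5))
    print(slow.scan(b"x"), slow.worst_case_stall())  # ('fallback', 'log-and-permit') 4.0
```

Two operational points fall out of the model: a flow can stall for (sxl-retry + 1) × sxl-timeout seconds before any fallback action is taken, and with the default log-and-permit that fallback forwards content the engine never scanned, so raising the retry count or leaving the default fallback in place is a latency-versus-exposure trade-off. The one-byte change producing a clean verdict is the reason the page restricts checksum identification to static malware.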
Understanding Sophos Antivirus Data File Update
Sophos antivirus uses a small set of data files that need to be updated periodically. These data files only contain information on guiding scanning logic and do not contain the full pattern database. The main pattern database, which includes protection against critical viruses, URI checks, malware, worms, Trojans, and spyware, is located on remote Sophos Extensible List servers maintained by Sophos.
The Sophos data files are updated over HTTP or HTTPS and can be updated manually or scheduled to update automatically. With Sophos antivirus:
The data file auto-update interval is once a day by default. This interval can be changed.
There is no interruption in virus scanning capability during the data file update. If the update fails, the existing data files will continue to be used.
By default, the URL for Sophos antivirus data file update is http://update.juniper-updates.net/SAV/.
The Sophos antivirus scanning feature is a separately licensed subscription service. When your antivirus license key expires, functionality will no longer work because the pattern lookup database is located on remote Sophos servers. You have a 30-day grace period in which to update your license.
Sophos Antivirus Configuration Overview
Sophos antivirus is part of the Unified Threat Management (UTM) feature set, so you first configure UTM options (custom objects), then configure the Sophos antivirus feature profile, then create a UTM policy and a security policy. The security policy controls all traffic that is forwarded by the device, and the UTM policy specifies which parameters to use to scan traffic. The UTM policy also binds a set of protocols to one or more UTM feature profiles, in this case the Sophos antivirus profile.
You must complete the following tasks to configure Sophos antivirus:
- Configure UTM custom objects and MIME lists. See Configuring Sophos Antivirus Custom Objects.
- Configure the Sophos antivirus feature profile. See Configuring Sophos Antivirus Feature Profile.
- Configure a UTM policy. See Configuring Sophos Antivirus UTM Policies.
- Configure a security policy. See Configuring Sophos Antivirus Firewall Security Policies.
Configuring Sophos Antivirus Custom Objects
To configure antivirus protection using the CLI, you must create your custom objects in the following order:
- Configure MIME lists. This includes creating a MIME whitelist and a MIME exception list for antivirus scanning. In this procedure, you bypass scanning of QuickTime videos unless they carry the MIME type video/quicktime-inappropriate.
Warning When you configure the MIME whitelist feature, be aware that header information in HTTP traffic can be spoofed, so HTTP headers cannot always be trusted to be legitimate. A Web browser decides how to handle a file by detecting the file type itself, without relying on the MIME header, whereas the MIME whitelist feature does rely on the MIME type declared in the HTTP header. A malicious website can therefore serve content under a false Content-Type. For example, if it labels a file with a MIME type that an administrator has added to the whitelist, Sophos does not scan or block that file even though its database would identify the content as malicious, the browser handles the file according to its real type, and internal hosts that fetch it could become infected.
Create the MIME whitelist.
[edit security utm]user@host# set custom-objects mime-pattern avmime2 value [video/quicktime image/x-portable-anymap x-world/x-vrml]
Create the MIME exception list.
[edit security utm]user@host# set custom-objects mime-pattern exception-avmime2 value [video/quicktime-inappropriate]
- Configure a URL pattern list (whitelist) of URLs or addresses that you want to bypass. After you create the URL pattern list, you create a custom URL category list and add the pattern list to it. Configure a URL pattern list custom object by creating the list name and adding values to it as follows.
Note Because you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure custom URL category lists.
[edit security utm]user@host# set custom-objects url-pattern urllist2 value [http://www.example.net 192.168.1.5]
Note URL pattern wildcard support—The wildcard rule is as follows: \*\.[]\?* and you must precede all wildcard URLs with http://. You can use “*” only at the beginning of the URL, immediately after http://, and it must be followed by a “.”. You can use “?” only at the end of the URL.
The following wildcard syntax is supported: http://*.example.net, http://www.example.ne?, http://www.example.n??. The following wildcard syntax is not supported: *.example.net, www.example.ne?, http://*example.net, http://*.
- Configure a custom URL category list custom object by using the URL pattern list urllist2 that you created earlier:
[edit security utm]user@host# set custom-objects custom-url-category custurl2 value urllist2
To verify the configuration, enter the show security utm custom-objects command.
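The wildcard note above states which pattern shapes the device accepts but not how a pattern is matched against a request. The following Python, added as an example and not Juniper's code, validates patterns against the stated rules and then matches URLs the way a whitelist should: on the parsed host rather than the raw string, so a lookalike host such as www.example.net.evil.test is not covered by http://www.example.net. The matching semantics beyond the note ('*' is one or more host labels, '?' is exactly one host character, a pattern covers a URL whose host it names and whose path it prefixes, and bare host or address entries such as 192.168.1.5 are HTTP hosts) are this example's assumptions, as are the function names.

```python
# Added example, not Juniper code: a validator and matcher for the URL pattern
# wildcard rules quoted in the note above. Matching semantics beyond the note
# ('*' = one or more host labels, '?' = exactly one host character, a pattern
# matches a URL whose host it covers and whose path it prefixes, and bare
# host/IP entries are HTTP hosts) are this example's assumptions.
import re
from urllib.parse import urlsplit

LABEL = r"[a-z0-9-]+"   # one DNS label (patterns and hosts are compared lowercased)


def validate_url_pattern(pattern):
    """True if `pattern` obeys the wildcard rules: wildcard patterns start with
    http://, '*' appears once, first, followed by '.', and '?' only at the end."""
    if "*" not in pattern and "?" not in pattern:
        return True                      # plain URL or address, e.g. 192.168.1.5
    if not pattern.startswith("http://"):
        return False                     # *.example.net, www.example.ne?
    body = pattern[len("http://"):]
    if "*" in body:
        # exactly one '*', at the very start, followed by '.' and a real host part
        if body.count("*") != 1 or not body.startswith("*.") or len(body) <= 2:
            return False                 # http://*example.net, http://*.
    if "?" in body.rstrip("?"):
        return False                     # '?' only in a trailing run
    return True


def _compile(pattern):
    if not pattern.startswith("http://"):
        pattern = "http://" + pattern    # assumption: bare entries are HTTP hosts
    regex = re.escape(pattern.lower())
    regex = regex.replace(r"\*", LABEL + r"(?:\." + LABEL + ")*")  # '*' -> 1+ labels
    regex = regex.replace(r"\?", "[a-z0-9-]")                      # '?' -> one char
    return re.compile("^" + regex + "(?:/.*)?$")                   # host must end here


def url_in_whitelist(url, patterns):
    """True if `url` is covered by any valid pattern in `patterns`."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False                     # URL whitelists apply to HTTP only
    # Match on the parsed host, not the raw string, so text placed in the query
    # or fragment (e.g. '#.example.net') cannot satisfy a host pattern.
    normalized = "http://" + parts.hostname + (parts.path or "/")
    return any(_compile(p).match(normalized)
               for p in patterns if validate_url_pattern(p))


if __name__ == "__main__":
    urllist2 = ["http://www.example.net", "192.168.1.5", "http://*.example.net"]
    for u in ("http://www.example.net/index.html",
              "http://cdn.example.net/a.gif",
              "http://www.example.net.evil.test/index.html",   # lookalike host
              "http://192.168.1.50/"):
        print(u, url_in_whitelist(u, urllist2))
```

Invalid patterns are skipped rather than treated as literal strings, which mirrors the fail-safe choice a whitelist should make: a mistyped entry should never widen the bypass.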
Configuring Sophos Antivirus Feature Profile
This procedure shows you how to configure a Sophos antivirus profile that defines the parameters that will be used for virus scanning.
This procedure shows you how to create a custom Sophos profile. If you want to use the Juniper Networks preconfigured profile, use the profile named junos-sophos-av-defaults in your UTM policy. See Configuring Sophos Antivirus UTM Policies.
- Select and configure the engine type. Because you are configuring Sophos antivirus, you configure sophos-engine.
[edit]user@host# set security utm feature-profile anti-virus sophos-engine
- Commit the configuration.
- Select a time interval for updating the data files. The default antivirus pattern-update interval is 1440 minutes (every 24 hours). You can leave this default, change it, or force a manual update when needed. To change the interval from every 24 hours to every 48 hours:
[edit security utm feature-profile anti-virus]user@host# set sophos-engine pattern-update interval 2880
- If the device must reach the update server through a proxy, configure the proxy server details (address and port) under the pattern-update proxy statement so that the data files can be downloaded from the remote server:
[edit security utm feature-profile anti-virus]user@host# set sophos-engine pattern-update proxy
- In most circumstances, you will not need to change the URL used to update the pattern data files. If you do need to change the URL, use the following command:
[edit security utm feature-profile anti-virus]user@host# set sophos-engine pattern-update url http://www.example.net/test-download
- You can configure the device to notify a specified administrator when data files are updated. This is an e-mail notification with a custom message and a custom subject line; strings that contain spaces must be enclosed in straight double quotes.
[edit security utm feature-profile anti-virus]user@host# set sophos-engine pattern-update email-notify admin-email admin@example.net custom-message "Sophos antivirus data file was updated" custom-message-subject "AV data file updated"
- Configure the fallback options, each as block, log-and-permit, or permit. The default for every option is log-and-permit, which forwards content that the engine could not scan; you can keep the defaults or change them.
Configure the content size action. In this example, if the content size is exceeded, the action taken is block.
Create the profile named sophos-prof1.
[edit security utm feature-profile anti-virus]user@host# edit sophos-engine profile sophos-prof1
Configure the content-size fallback option to block.
[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]user@host# set fallback-options content-size block
Configure the default fallback option to log-and-permit.
[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]user@host# set fallback-options default log-and-permit
Configure log-and-permit if the antivirus engine is not ready.
[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]user@host# set fallback-options engine-not-ready log-and-permit
Configure log-and-permit if the device is out of resources.
[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]user@host# set fallback-options out-of-resources log-and-permit
Configure log-and-permit if a virus scan timeout occurs.
[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]user@host# set fallback-options timeout log-and-permit
Configure log-and-permit if there are too many requests for the virus engine to handle.
[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]user@host# set fallback-options too-many-requests log-and-permit
- Configure notification options. You can configure notifications for fallback blocking, fallback nonblocking actions, and virus detection.
In this step, configure a custom message for the fallback blocking action and send a notification for protocol-only actions to the administrator and the sender. Strings that contain spaces must be quoted in the CLI.
[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]user@host# set notification-options fallback-block custom-message "***Fallback block action occurred***" custom-message-subject "Antivirus Fallback Alert" notify-mail-sender type protocol-only allow-email administrator-email admin@example.net
- Configure a notification for protocol-only virus detection, and send the notification to the sender.
[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]user@host# set notification-options virus-detection type protocol-only notify-mail-sender custom-message-subject "***Virus detected***" custom-message "Virus has been detected"
- Configure content size parameters.
Note When you configure the content-size value, keep in mind that in certain cases, content size is available in the protocol headers, so the max-content-size fallback is applied before a scan request is sent. However, in many cases, content size is not provided in the protocol headers. In these cases, the TCP payload is sent to the antivirus scanner and accumulates until the end of the payload. If the accumulated payload exceeds the maximum content size value, then max-content-size fallback is applied. The default fallback action is log and permit, so you may want to change this option to block, in which case such a packet is dropped and a block message is sent to the client.
In this example, if the content size exceeds 20000 KB (about 20 MB), the content is dropped and a block message is sent to the client. The content-size-limit value is in kilobytes.
[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]user@host# set scan-options content-size-limit 20000
- URI checking is on by default. To turn off URI checking:
[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]user@host# set scan-options no-uri-check
- Configure the timeout setting for the scanning operation to 1800 seconds.
[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]user@host# set scan-options timeout 1800
- The Sophos Extensible List (SXL) servers hold the virus and malware database used for scanning operations. Set the response timeout for these servers to 3 seconds (the default is 2 seconds).
[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]user@host# set scan-options sxl-timeout 3
- Configure the Sophos Extensible List server retry option to 2 retries (the default is 1).
[edit security utm feature-profile anti-virus sophos-engine profile sophos-prof1]user@host# set scan-options sxl-retry 2
- Configure the trickling timeout to 180 seconds. Trickling applies only to HTTP. HTTP trickling is a mechanism that prevents the HTTP client or server from timing out during a file transfer or during antivirus scanning.
Warning When you enable the trickling option, keep in mind that trickling might send part of a file to the client during its antivirus scan. It is therefore possible that some of the content could be received by the client before the file has been fully scanned.
[edit security utm feature-profile anti-virus]user@host# set sophos-engine profile sophos-prof1 trickling timeout 180
- Configure the antivirus module to use MIME bypass lists and exception lists. You can use your own custom object lists, or you can use the default list that ships with the device, junos-default-bypass-mime. In this example, you use the lists that you set up earlier: the whitelist is attached with the list statement and the exception list with the exception statement.
[edit security utm feature-profile anti-virus]user@host# set mime-whitelist list avmime2
[edit security utm feature-profile anti-virus]user@host# set mime-whitelist exception exception-avmime2
- Configure the antivirus module to use URL bypass lists. If you are using a URL whitelist, this is a custom URL category that you have previously configured as a custom object. URL whitelists are valid only for HTTP traffic. In this example, you use the list that you set up earlier.
[edit security utm feature-profile anti-virus]user@host# set url-whitelist custurl2
To view the antivirus status, enter the show security utm anti-virus status command.
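The MIME whitelist and exception list attached in the preceding steps are consulted against the MIME type declared in the HTTP header, which is exactly what the warning in the custom objects procedure cautions about. The following Python, added here as an example and not Juniper's or Sophos's code, contrasts a header-only bypass decision with one that also requires the declared type to agree with the file's true type (the "true file type detection" the overview lists among the HTTP checks). The magic-byte table is a small assumed subset, and the sniff_type, header_only_decision and hardened_decision functions and the sample bodies are this example's own constructions.

```python
# Added example, not Juniper or Sophos code: why a MIME whitelist that trusts the
# Content-Type header is weaker than true file type detection. The magic-byte
# table is a small assumed subset; real detectors recognise far more formats.
MAGIC = [  # (leading bytes, MIME type) for a few common formats
    (b"MZ", "application/x-msdownload"),
    (b"PK\x03\x04", "application/zip"),
    (b"%PDF", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"P5", "image/x-portable-anymap"),
    (b"P6", "image/x-portable-anymap"),
]
# The lists from the custom-objects procedure on this page.
MIME_WHITELIST = {"video/quicktime", "image/x-portable-anymap", "x-world/x-vrml"}  # avmime2
MIME_EXCEPTIONS = {"video/quicktime-inappropriate"}                                # exception-avmime2


def sniff_type(body):
    """Best-effort true file type from content, ignoring any declared header."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    # QuickTime/MP4 containers carry 'ftyp' at offset 4 (ISO base media layout).
    if len(body) >= 8 and body[4:8] == b"ftyp":
        return "video/quicktime"
    return "application/octet-stream"


def declared_type(content_type):
    """MIME type from a Content-Type header value, minus parameters and case."""
    return content_type.split(";", 1)[0].strip().lower()


def header_only_decision(content_type):
    """Bypass purely on the declared type: the behaviour the warning cautions about."""
    mime = declared_type(content_type)
    if mime in MIME_EXCEPTIONS:
        return "scan"
    return "bypass" if mime in MIME_WHITELIST else "scan"


def hardened_decision(content_type, body):
    """Honour the whitelist only when the declared type agrees with the sniffed type."""
    if header_only_decision(content_type) == "scan":
        return "scan"
    return "bypass" if sniff_type(body) == declared_type(content_type) else "scan"


if __name__ == "__main__":
    # Constructed samples: a QuickTime-shaped header and an MZ (PE) header.
    quicktime = b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 24
    disguised_exe = b"MZ\x90\x00" + b"\x00" * 60
    print(header_only_decision("video/quicktime"))                        # bypass
    print(hardened_decision("video/quicktime", quicktime))               # bypass
    print(hardened_decision("video/quicktime", disguised_exe))           # scan
    print(hardened_decision("video/quicktime-inappropriate", quicktime)) # scan
```

The disguised executable shows the gap the warning describes: a header-only check waves it through because video/quicktime is whitelisted, while a check that also sniffs the content sends it to the scanner. The hardened variant errs toward scanning whenever the sniffer cannot confirm the declared type, which costs some throughput on unusual formats but never widens the bypass.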
Configuring Sophos Antivirus UTM Policies
After you have created an antivirus feature profile, you configure a UTM policy for an antivirus scanning protocol and attach this policy to a feature profile. In this procedure, HTTP will be scanned for viruses, as indicated by the http-profile statement. You can scan other protocols as well by creating different profiles or adding other protocols to the profile, such as: imap-profile, pop3-profile, and smtp-profile.
To configure a UTM policy for Sophos antivirus:
- Go to the edit security utm hierarchy.
[edit]user@host# edit security utm
- Create the UTM policy utmp3 and attach it to the http-profile sophos-prof1.
[edit security utm]user@host# set utm-policy utmp3 anti-virus http-profile sophos-prof1
Note You can use the default Sophos feature profile settings by replacing sophos-prof1 in the above statement with junos-sophos-av-defaults.
To verify the configuration, enter the show security utm utm-policy utmp3 command.
Configuring Sophos Antivirus Firewall Security Policies
This procedure describes how to create a firewall security policy that will cause traffic from the untrust zone to the trust zone to be scanned by Sophos antivirus using the feature profile settings defined in Configuring Sophos Antivirus Feature Profile. Because the match application configuration is set to any, all application types will be scanned.
To configure a security policy for Sophos antivirus:
- Configure the untrust to trust policy to match any source-address.
[edit security]user@host# set policies from-zone untrust to-zone trust policy p3 match source-address any
- Configure the untrust to trust policy to match any destination-address.
[edit security]user@host# set policies from-zone untrust to-zone trust policy p3 match destination-address any
- Configure the untrust to trust policy to match any application type.
[edit security]user@host# set policies from-zone untrust to-zone trust policy p3 match application any
- Attach the UTM policy named utmp3 to the firewall security policy. This causes matched traffic to be scanned by the Sophos antivirus feature.
[edit security]user@host# set policies from-zone untrust to-zone trust policy p3 then permit application-services utm-policy utmp3
To verify the configuration, enter the show security policies command.
Managing Sophos Antivirus Data Files
In this example, you configure the device to update the data files automatically every 4320 minutes (every 3 days).
The default data file update interval is 1440 minutes (every 24 hours).
To automatically update Sophos data files every 4320 minutes, set the pattern-update interval in configuration mode:
[edit security utm feature-profile anti-virus]user@host# set sophos-engine pattern-update interval 4320
The following commands are performed from CLI operational mode.
To manually update data files:
To manually reload data files:
To manually delete data files:
To check the status of antivirus, which also shows the data file version:
user@host> show security utm anti-virus status
To check the status of the proxy server: