
Prevent Virus Attacks by Using J-Web UTM Antivirus

 
Summary

Learn about Unified Threat Management (UTM) antivirus protection and how to configure UTM antivirus to prevent virus attacks on SRX Series devices by using J-Web. The UTM antivirus feature on the SRX Series device scans network traffic to protect your network from virus attacks and to prevent virus spread.

UTM Antivirus Overview

In today’s world, where cyber security threats are evolving and getting more sophisticated, protecting your network from virus attacks is critical. Viruses, worms, and malware perform unwanted and malicious acts, such as damaging or deleting files, stealing personal data, degrading system performance, reformatting the hard disk, or using your computer to transmit viruses to other computers. The UTM antivirus software acts as a first line of defense against such security threats and prevents the spread of viruses into your network. It protects your network from virus attacks, unwanted malware, spyware, rootkits, worms, phishing attacks, spam attacks, trojan horses, and so on.

Note

You must always ensure that the antivirus software and virus pattern database are up to date.

Juniper Networks offers the following UTM antivirus solutions:

  • On-device antivirus protection

    The on-device antivirus is an on-box solution. The on-device antivirus scan engine scans the data by accessing the virus pattern database that is locally stored on the device. It provides a full file-based antivirus scanning function that is available through a separately licensed subscription service.

    Note
    • The on-device Express or Kaspersky scan engine is not supported from Junos OS Release 15.1X49-D10 onwards; however, it is still applicable for Junos OS Release 12.3X48.

    • Starting in Junos OS Release 18.4R1, SRX Series devices support the Avira on-device antivirus scanning engine.

    • Avira on-device antivirus scanning engine is not supported on SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550 HM devices.

  • Sophos antivirus protection

    Sophos antivirus is an in-the-cloud antivirus solution. The virus pattern and malware database is located on external servers (Sophos Extensible List servers) maintained by Sophos. The Sophos antivirus scanner also uses a local internal cache to hold query responses from the external list server. We offer Sophos antivirus scanning as a less CPU-intensive alternative to the full file-based antivirus feature.

Benefits of UTM Antivirus

  • The on-device antivirus solution:

    • Scans the application traffic locally, without connecting to an Internet server to query whether the application traffic contains a virus.

    • Minimizes processing delays because the pattern database is locally stored and the scan engine is on-device.

  • The Sophos antivirus solution:

    • Avoids downloading and maintaining large pattern databases on the Juniper device because the virus pattern and malware database is located on external servers maintained by Sophos.

    • Improves lookup performance because the Sophos antivirus scanner uses a local internal cache to maintain query responses from the external list server.

    • Effectively prevents malicious content from reaching the endpoint client or server through the use of the Uniform Resource Identifier (URI) checking functionality.

Antivirus Workflow

Scope

Juniper Web (J-Web) Device Manager supports the UTM antivirus solution on SRX Series devices. In this example, you’ll use Sophos antivirus protection to do the following:

  1. Scan HTTP traffic from an Internet server to your computer for virus attacks.

  2. Define a custom message Virus Found! to be displayed when a virus is found while scanning the traffic.

  3. Allow traffic from a specific server (for example, 203.0.113.1).

Before You Begin

Topology

The topology used in this example comprises a PC connected to a UTM-enabled SRX Series device that has access to the Internet. You'll use J-Web to scan the HTTP requests sent to the Internet with this simple setup. You’ll then use Sophos antivirus protection to prevent virus attacks from the Internet to your PC.


Sneak Peek – J-Web UTM Antivirus Configuration Steps

Step 1: Configure antivirus custom object.

Here, you define the URL pattern list (safelist) of URLs or addresses that will be bypassed by antivirus scanning. After you create the URL pattern list, you create a custom URL category list and add the pattern list to it.

Step 2: Configure an antivirus feature profile using the Sophos engine.

Here, you first define the default engine as Sophos. After the default configuration, you define the parameters that will be used for virus scanning in the feature profile.

Note: You must configure DNS servers before creating the antivirus profiles.

Step 3: Create a UTM policy for Sophos antivirus and apply the antivirus feature profile to the UTM policy.

Here, you use a UTM policy to bind a set of protocols (for example, HTTP) to the Sophos UTM feature profile. You can scan other protocols as well by creating different profiles or by adding other protocols to the policy, such as imap-profile, pop3-profile, and smtp-profile.

Step 4: Create a security policy for Sophos antivirus and assign the UTM policy to the security policy.

Here, you use the security firewall and feature profile settings to scan the traffic from the untrust zone (INTERNET) to the trust zone (TRUST).

Step 5: Try to download an HTTP file from the safelisted URL and from the Internet.

Step 1: Configure Antivirus Custom Object

Step 1a: Configure a URL Pattern List That You Want to Bypass

In this step, you define a URL pattern list (safelist) of URLs or addresses that will be bypassed by antivirus scanning.

You are here (in the J-Web UI): Configure > Security Services > UTM > Custom Objects

To configure the safelist of URLs:

  1. Click the URL Pattern List tab.
  2. Click the add icon (+) to add a URL pattern list.

    The Add URL Pattern List page appears. See Figure 1.

  3. Complete the tasks listed in the Action column in Table 1.

    Table 1: URL Pattern List Settings

    Name: Type LB-Pattern.

    Note: Use a string beginning with a letter or underscore and consisting of alphanumeric characters and special characters such as dashes and underscores. You can use a maximum of 29 characters.

    Value:
    1. Click + to add a URL pattern value.
    2. Type http://203.0.113.1.
    3. Click the tick icon.

    Figure 1: Add URL Pattern List
  4. Click OK to save the URL pattern list configuration.

Good job! Here's the result of your configuration:

Step 1b: Categorize the URLs That You Want to Allow

You'll now assign the URL pattern you created to a URL category list. The category list defines how the URL patterns mapped to it are treated; for example, URLs in the safelist category are permitted.

You are here: Configure > Security Services > UTM > Custom Objects

To categorize URLs:

  1. Click the URL Category List tab.
  2. Click the add icon (+) to add a URL category list.

    The Add URL Category List page appears. See Figure 2.

  3. Complete the tasks listed in the Action column in Table 2.

    Table 2: URL Category List Settings

    Name: Type LB-AV as the URL category list name for the safelisted URL pattern.

    Note: Use a string beginning with a letter or underscore and consisting of alphanumeric characters and special characters such as dashes and underscores. You can use a maximum of 59 characters.

    URL Patterns: Select the URL pattern value LB-Pattern from the Available column and click the right arrow to move it to the Selected column. By doing this, you associate the URL pattern value LB-Pattern with the URL category list LB-AV.

    Figure 2: Add URL Category List
  4. Click OK to save the category list configuration.

    Good job! Here's the result of your configuration:

Step 2: Configure Antivirus Feature Profile

You now need to reference the URL objects you created (patterns and categories) from a UTM antivirus profile. This mapping lets you set different values for the filtering behavior of your device.

Step 2a: Update Default Configuration for Antivirus

You are here: Configure > Security Services > UTM

In this step, you’ll set up Sophos Engine as the default engine type.

To update the default antivirus profile:

  1. Click Default Configuration.

    The Default Configuration page appears.

  2. On the Anti-Virus tab, click the edit icon (pencil) to edit the default configuration.

    The Anti Virus page appears. See Figure 3.

  3. Complete the tasks listed in the Action column in Table 3.

    Table 3: Default Configuration Settings

    Type: Select the Sophos Engine type for the antivirus.

    URL Whitelist: Select None.

    MIME Whitelist (List): Select None.

    MIME Whitelist (Exception): Select None.

    Figure 3: Default Antivirus Configuration
  4. Click OK to save the new default configuration.

Step 2b: Create Antivirus Feature Profile

You are here: Configure > Security Services > UTM

In this step, you’ll create a new UTM antivirus profile, reference the URL objects you created (patterns and categories) from the profile, and specify the notification details.

To create the new antivirus profile:

  1. Select Configure > Security Services > UTM > Antivirus Profiles.

    The Antivirus Profiles page appears.

  2. Click the add icon (+) to add a new antivirus profile.

    The Create Antivirus Profiles page appears. See Figure 4.

  3. Complete the tasks listed in the Action column in Table 4.

    Table 4: Antivirus Profile Settings

    General

    Name: Type UTM-LB-AV for the new antivirus profile.

    Note: You can use a maximum of 29 characters.

    URL Whitelist: Select LB-AV from the drop-down list.

    Fallback Options

    Content Size: Select Log and Permit.

    Notification Options

    Virus Detection: Select Notify Mail Sender.

    Notification Type: Select Message.

    Custom Message Subject: Type ***Antivirus Alert***.

    Custom Message: Type Virus Found!.

    Figure 4: Create Antivirus Profile General Settings

    Figure 5: Create Antivirus Profile Notification Settings
  4. Click Finish. Review the summary of the configuration and click OK to save your configuration.
  5. Click Close after you see a successful-configuration message.

    Good job! Here's the result of your configuration:

Step 3: Apply the Antivirus Feature Profile to a UTM Policy

After you’ve created the antivirus feature profile, you configure a UTM policy for an antivirus scanning protocol and attach the feature profile created in Step 2: Configure Antivirus Feature Profile to this policy. In this example, you’ll scan HTTP traffic for viruses.

You are here: Configure > Security Services > UTM > Policy

To create a UTM policy:

  1. Click the add icon (+).

    The Create UTM Policies page appears.

  2. Complete the tasks listed in the Action column in Table 5:

    Table 5: Create UTM Policies Settings

    General

    Name: Type UTM-LB as the name of the UTM policy and click Next.

    Note: You can use a maximum of 29 characters.

    Antivirus

    HTTP: Select UTM-LB-AV from the drop-down list and click OK.

  3. Click Finish. Review the summary of the configuration and click OK to save the changes.
  4. Click Close after you see a successful-configuration message.

    Almost there! Here's the result of your configuration:

Step 4: Assign the UTM Policy to a Security Firewall Policy

In this step, you create a firewall security policy that will cause traffic passing from the untrust zone (INTERNET) to the trust zone (TRUST) to be scanned by Sophos antivirus using the feature profile settings.

You haven’t yet assigned the UTM configurations to the security policy from the TRUST zone to the INTERNET zone. Filtering actions are taken only after you assign the UTM policy to security policy rules that act as the match criteria.

When traffic matches a security policy rule whose action is permit, the SRX Series device:

  1. Intercepts an HTTP connection and extracts each URL (in the HTTP request) or IP address.

    Note

    For an HTTPS connection, antivirus is supported through SSL forward proxy.

  2. Searches for URLs in the user-configured safelist under Antivirus (Configure > Security Services > UTM > Default Configuration). Then, if the URL is in the user-configured safelist, the device permits the URL.

  3. Allows or blocks the URL (if a category is not configured) based on the default action configured in the antivirus profile.

You are here: Configure > Security Services > Security Policy > Rules

To create security policy rules for the UTM policy:

  1. Click the add icon (+).

    The Create Rule page appears.

  2. Complete the tasks listed in the Action column in Table 6:

    Table 6: Rule Settings

    General

    Rule Name: Type UTM-AV-LB as the security policy rule name. This rule allows the URLs in the LB-AV category list.

    Rule Description: Enter a description for the security policy rule and click Next.

    Source

    Zone: Select TRUST from the drop-down list.

    Address(es): Leave this field with the default value any.

    Destination

    Zone: Select INTERNET from the drop-down list.

    Addresses: Leave this field with the default value any.

    Service(s): Leave this field with the default value any.

    Advanced Security

    Rule Action: Select Permit from the drop-down list.

    UTM: Select UTM-LB from the UTM drop-down list.

    Note: Navigate to Configure > Security Services > Security Policy > Objects > Zones/Screens to create zones. Creating zones is outside the scope of this documentation.

  3. Click Finish. Review the summary of the configuration and click OK to save your configuration.

    Good job! Here's the result of your configuration:

  4. Click the commit icon (at the right side of the top banner) and select Commit.

    The successful-commit message appears.

    Congratulations! You’re now ready to scan the traffic for virus attacks.

Verify That UTM Antivirus Is Working

Purpose

Verify that your configured UTM antivirus is preventing virus attacks from the Internet server and allowing traffic from the safelist server.

Action

  • Open a browser, enter www.eicar.org, and try to download a file using standard HTTP protocol.

    Sorry! The SRX Series device has blocked the download and sent you the custom block message ***Antivirus Alert*** - Virus Found!.

  • Open a browser, enter https://203.0.113.1, and try to download a file using standard HTTP protocol.

    Good job! The file is successfully downloaded to your system.

What’s Next?

Monitor UTM antivirus details and statistics: In J-Web, go to Monitor > Security Services > UTM > Anti Virus.

Generate and view reports on URLs allowed and blocked:

  1. Log in to the J-Web UI and click Reports.

    The Reports page appears.

  2. Select one of the following predefined report names:
    • Threat Assessment Report

    • Viruses Blocked

    Note: You can't generate more than one report at the same time.

  3. Click Generate Report.

    The Report Title page appears.

  4. Enter the required information and click Save.

    A report is generated.

Learn more about UTM features: See the Unified Threat Management User Guide.

Sample Configuration Output

In this section, we present samples of configurations that block virus attacks from the websites defined in this example.

You configure the following UTM configurations at the [edit security utm] hierarchy level.

Creating custom objects at the [edit security utm] hierarchy level:

Creating the antivirus profile at the [edit security utm] hierarchy level:

Creating the UTM policy:

Creating rules for a security policy at the [edit security policies] hierarchy level:
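The configuration output itself did not survive on this page, so the following set commands are an added reconstruction of the example's configuration, not the page's own output. The object names, zones and messages are the ones used in the steps above; the statement names follow the Junos OS [edit security utm] hierarchy that uses default-configuration (Junos OS 18.2 and later is assumed), and the DNS server address is a placeholder, so verify each statement against your release before committing.

```junos
# Added reconstruction of this example's CLI configuration (not the page's own output).
# Assumes the Junos OS 18.2+ [edit security utm] hierarchy; names match the J-Web steps.

# Step 1: custom objects, the safelisted URL pattern and the category that holds it
set security utm custom-objects url-pattern LB-Pattern value http://203.0.113.1
set security utm custom-objects custom-url-category LB-AV value LB-Pattern

# Step 2a: default configuration selects the Sophos in-the-cloud engine
set security utm default-configuration anti-virus type sophos-engine

# Step 2b: feature profile; the URL whitelist bypasses scanning for the LB-AV category
# (profile-level url-whitelist is assumed for your release; older hierarchies place it
# under default-configuration anti-virus url-whitelist instead)
set security utm feature-profile anti-virus profile UTM-LB-AV url-whitelist LB-AV
set security utm feature-profile anti-virus profile UTM-LB-AV fallback-options content-size log-and-permit
set security utm feature-profile anti-virus profile UTM-LB-AV notification-options virus-detection type message
set security utm feature-profile anti-virus profile UTM-LB-AV notification-options virus-detection notify-mail-sender
set security utm feature-profile anti-virus profile UTM-LB-AV notification-options virus-detection custom-message-subject "***Antivirus Alert***"
set security utm feature-profile anti-virus profile UTM-LB-AV notification-options virus-detection custom-message "Virus Found!"

# Step 3: UTM policy binds the HTTP protocol to the feature profile
set security utm utm-policy UTM-LB anti-virus http-profile UTM-LB-AV

# Step 4: security policy rule from TRUST to INTERNET applies the UTM policy to permitted traffic
set security policies from-zone TRUST to-zone INTERNET policy UTM-AV-LB match source-address any
set security policies from-zone TRUST to-zone INTERNET policy UTM-AV-LB match destination-address any
set security policies from-zone TRUST to-zone INTERNET policy UTM-AV-LB match application any
set security policies from-zone TRUST to-zone INTERNET policy UTM-AV-LB then permit application-services utm-policy UTM-LB

# Sophos lookups require name resolution (see the DNS note in Step 2); placeholder address
set system name-server 192.0.2.53
```

After committing, the operational commands show security utm anti-virus status and show security utm anti-virus statistics report whether the Sophos engine is reachable and how many sessions were scanned, blocked or passed by the whitelist.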