
set services advanced-anti-malware policy

 

Syntax

Release Information

Command introduced in Junos OS Release 15.1X49-D33.

Description

The connection to the Juniper Sky Advanced Threat Prevention cloud is launched on demand. It is established only when a condition is met and a file or URL must be sent to the cloud. The cloud inspects the file and returns a verdict number (1 through 10). A verdict number is a score or threat level: the higher the number, the higher the malware threat. The SRX Series device compares this verdict number to the Juniper Sky Advanced Threat Prevention policy settings and either permits or denies the session. If the session is denied, a reset packet is sent to the client and the packets from the server are dropped.

Juniper Sky Advanced Threat Prevention policies append to the Junos OS security policies by defining the actions to take when a file is considered malware or when an attempt is made to download a file from a location that’s on a custom blacklist or whitelist.

Use this command to configure the Juniper Sky Advanced Threat Prevention policy.

Options

policy-name
Name of the Juniper Sky Advanced Threat Prevention policy.

Note

Starting in Junos OS Release 18.2R1, for unified policies, a default-policy can be used for anti-malware and security-intelligence policies. The commands are: set services security-intelligence default-policy and set services advanced-anti-malware default-policy. During the initial policy lookup phase, which occurs before a dynamic application is identified, if the potential policy list contains multiple policies that reference different security-intelligence or anti-malware policies, the SRX Series device applies the default policy until a more explicit match occurs. See the Juniper Sky ATP Administration Guide and your SRX Series documentation for more details on unified policies.

blacklist-notification
(Optional) Create a system log entry when an attempt is made to access a website listed in the blacklist file. Use blacklist-notification log to create a log entry. If you do not want to create a log entry, do not specify the blacklist-notification option.

default-notification
Create a system log entry if the cloud returns a verdict number less than the verdict-threshold. Use default-notification log to create a log entry. If you do not want to create a log entry, do not specify the default-notification option.

fallback-options (action block | action permit)
The action to take when the SRX Series device runs out of resources or the connection to the cloud is lost. The default is action permit.

fallback-options notification
(Optional) Create a system log entry when fallback occurs. Use fallback-options notification log to create a log entry. If you do not want to create a log entry, do not specify the fallback-options notification option.

http(s) client-notify (message | file | redirect-url)
(Starting in Junos OS Release 19.3R1) Configure HTTP URL redirection for a customized client notification when malware is detected and the block action is applied.

http(s) file-verdict-unknown (permit | block)
(Starting in Junos OS Release 19.3R1) Permit or block a file when the cloud returns a verdict of “unknown.” By default, files with an “unknown” verdict are permitted.

inspection-profile
Name of the Juniper Sky Advanced Threat Prevention profile. This profile defines which file types or file categories are sent to the cloud for inspection.

match verdict-threshold
The verdict-threshold defines the number at which a file is labeled as malware. For example, if you set verdict-threshold to 7 and the cloud returns a verdict number of 7 or greater, that file is considered malware. verdict-threshold can be any number between 1 and 10, inclusive.

then notification
(Optional) Create a system log entry if the cloud returns a verdict number equal to or greater than the verdict-threshold. Use then notification log to create a log entry. If you do not want to create a log entry, do not specify the then notification option.

whitelist-notification
(Optional) Create a system log entry when an attempt is made to access a website listed in the whitelist file. Use whitelist-notification log to create a log entry. If you do not want to create a log entry, do not specify the whitelist-notification option.

Table 1 shows examples of using the Juniper Sky Advanced Threat Prevention policy options.

Table 1: Juniper Sky Advanced Threat Prevention Security Policy Additions (columns: Addition, Description)

Action and notification based on the verdict number and threshold

Defines the threshold value and what to do when the verdict number is greater than or equal to the threshold. For example, if the threshold is 7 and Juniper Sky Advanced Threat Prevention returns a verdict number of 9 for a file, then that file is blocked from being downloaded and a log entry is created.

set services advanced-anti-malware policy aamwpol1 match verdict-threshold 7

set services advanced-anti-malware policy aamwpol1 then action block

set services advanced-anti-malware policy aamwpol1 then notification log

Default action and notification

Defines what to do when the verdict number is less than the threshold. For example, if the threshold is 7 and Juniper Sky Advanced Threat Prevention returns a verdict number of 3 for a file, then that file is allowed to be downloaded and a log entry is created.

set services advanced-anti-malware policy aamwpol1 default-notification log

Name of the inspection profile

Name of the Juniper Sky Advanced Threat Prevention profile that defines the types of file to scan.

set services advanced-anti-malware policy aamwpol1 inspection-profile profile1

Fallback options

Defines what to do when error conditions occur or when there is a lack of resources. The following fallback options are available:

  • action—Permit or block the file regardless of its threat level.

  • notification—Add or do not add this event to the log file.

set services advanced-anti-malware policy aamwpol1 fallback-options action block
set services advanced-anti-malware policy aamwpol1 fallback-options notification log

Blacklist notification

Defines whether to create a log entry when attempting to download a file from a site listed in the blacklist file.

set services advanced-anti-malware policy aamwpol1 blacklist-notification log

Whitelist notification

Defines whether to create a log entry when attempting to download a file from a site listed in the whitelist file.

set services advanced-anti-malware policy aamwpol1 whitelist-notification log

User notification of malware on block action

(Starting in Junos OS Release 19.3R1) Configures HTTP and HTTPS URL redirection for a customized client notification when malware is detected and the block action is applied. A block message can only be sent when a block action is configured.

Note: See request services advanced-anti-malware redirect-file for details on adding a custom file.

set services advanced-anti-malware policy p1 http client-notify message
set services advanced-anti-malware policy p1 http client-notify file
set services advanced-anti-malware policy p1 http client-notify redirect-url <enter URL>

Block or permit malware when file verdict is “unknown”

(Starting in Junos OS Release 19.3R1) Permits or blocks a file when the cloud returns a verdict of “unknown.” By default, an “unknown” file verdict is permitted. (This applies only to HTTP and HTTPS traffic.)

set services advanced-anti-malware policy p1 http file-verdict-unknown <block|permit>
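The threshold, default, fallback and unknown-verdict rules from the Options section and Table 1 above, modelled as an added Python example (not Juniper code and not the SRX implementation); the AamwPolicy fields, the evaluate and render helpers, and the handling of an unknown verdict on non-HTTP traffic are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class AamwPolicy:
    # Hypothetical model of one advanced-anti-malware policy (added example)
    name: str
    verdict_threshold: int               # 1 through 10, inclusive
    then_action: str = "block"           # then action, applied at or above threshold
    then_log: bool = False               # then notification log
    default_log: bool = False            # default-notification log
    fallback_action: str = "permit"      # fallback-options action; page default is permit
    fallback_log: bool = False           # fallback-options notification log
    http_unknown: str = "permit"         # http file-verdict-unknown; page default is permit
    inspection_profile: Optional[str] = None

    def __post_init__(self) -> None:
        if not 1 <= self.verdict_threshold <= 10:
            raise ValueError("verdict-threshold must be between 1 and 10")

def evaluate(policy: AamwPolicy, verdict: Optional[int],
             cloud_ok: bool = True, http: bool = True) -> Tuple[str, bool]:
    """Return (action, log_entry) for one inspected file, per the rules above."""
    if not cloud_ok:                     # connection lost or device out of resources
        return policy.fallback_action, policy.fallback_log
    if verdict is None:                  # cloud answered "unknown"
        if http:                         # page defines file-verdict-unknown only for HTTP(S)
            return policy.http_unknown, False  # assumption: no log entry for this case
        # Assumption: non-HTTP traffic with an unknown verdict follows the default path
        return "permit", policy.default_log
    if not 1 <= verdict <= 10:
        raise ValueError("cloud verdict numbers are 1 through 10")
    if verdict >= policy.verdict_threshold:  # threshold is inclusive
        return policy.then_action, policy.then_log
    return "permit", policy.default_log

def render(policy: AamwPolicy) -> List[str]:
    """Emit the set commands from Table 1 that express this policy."""
    p = f"set services advanced-anti-malware policy {policy.name}"
    lines = [f"{p} match verdict-threshold {policy.verdict_threshold}",
             f"{p} then action {policy.then_action}"]
    if policy.then_log:
        lines.append(f"{p} then notification log")
    if policy.default_log:
        lines.append(f"{p} default-notification log")
    lines.append(f"{p} fallback-options action {policy.fallback_action}")
    if policy.fallback_log:
        lines.append(f"{p} fallback-options notification log")
    if policy.inspection_profile:
        lines.append(f"{p} inspection-profile {policy.inspection_profile}")
    lines.append(f"{p} http file-verdict-unknown {policy.http_unknown}")
    return lines
```

Running render on a policy reproduces the aamwpol1 lines from Table 1, and evaluate shows that a verdict equal to the threshold is already treated as malware.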

Additional Information

The easiest way to verify that the policy is working as expected is to test data traffic. You can also inspect the SRX session table:

Use the show services advanced-anti-malware policy CLI command to view your Juniper Sky Advanced Threat Prevention policy settings.

Required Privilege Level

view

List of Sample Output

Output Fields

This command has no output.