Express Antivirus Protection Overview
Express antivirus scanning is offered as a less CPU-intensive alternative to the full file-based antivirus feature. Express antivirus supports the same protocols as full antivirus and functions in much the same manner; however, it has a smaller memory footprint, suited to the smaller system memory of lower-end devices.
Note: If you switch from express antivirus protection to full file-based antivirus protection, you must reboot the device for full file-based antivirus to begin working.
This topic includes the following sections:
- Express Antivirus Packet-Based Scanning Versus File-Based Scanning
- Express Antivirus Expanded MIME Decoding Support
- Express Antivirus Scan Result Handling
- Express Antivirus Intelligent Prescreening
- Express Antivirus Limitations
Express Antivirus Packet-Based Scanning Versus File-Based Scanning
Express antivirus uses a different antivirus scan engine than the full file-based antivirus feature and a different back-end hardware engine to accelerate pattern matching for higher data throughput.
The packet-based scanning done by express antivirus scans data buffers for viruses without waiting for the entire file to be received by the firewall, whereas the file-based scanning done by full antivirus can start only when the entire file has been received.
Express Antivirus Expanded MIME Decoding Support
Express antivirus offers MIME decoding support for HTTP, POP3, SMTP, and IMAP. MIME decoding support includes the following for each supported protocol:
- Multi-part and nested header decoding
- Base64 decoding, quoted-printable decoding, and encoded-word decoding (in the Subject field)
Express Antivirus Scan Result Handling
With express antivirus, the TCP connection is closed gracefully when a virus is found and the data content is dropped.
Note: Express antivirus supports the following fail mode options: default, engine-not-ready, out-of-resource, and too-many-requests. Fail mode handling for these options with express antivirus is much the same as with full antivirus.
Express Antivirus Intelligent Prescreening
Intelligent prescreening functionality is identical in both express antivirus and full antivirus.
Express Antivirus Limitations
Express antivirus has the following limitations when compared to full antivirus functionality:
- Express antivirus provides limited support for scanning file archives and compressed file formats; it supports only the gzip, deflate, and compress compression formats.
- Express antivirus provides limited support for decompression. Decompression is supported only for HTTP (gzip, deflate, and compress, with only one layer of compression) and POP3 (gzip only, with only one layer of compression).
- Express antivirus does not support scanning by extension.
- Express antivirus scanning is interrupted when the scanning database is loading.
- Express antivirus may truncate a warning message if a virus has been detected and the replacement warning message sent is longer than the original content it replaces.
Note: Because express antivirus does only packet-based string matching, testing it with the standard EICAR file produces false positives. To avoid these false positives, Juniper has disabled scanning of the standard EICAR file and provides a modified EICAR file for testing express antivirus. You can download this modified EICAR file from the following link: https://www.juniper.net/security/avtest/ss-eicar.txt
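To make the MIME decoding described above (multipart and nested headers, base64, quoted-printable, encoded-word subjects) and the one-layer decompression limit concrete, here is an added Python example that is not Juniper code: it reconstructs the buffers a scanner would pattern-match from a constructed message, and shows that a doubly gzipped attachment stays opaque after the single decompression pass. The message content, the `gzip_layers` helper and the function names are all constructed for illustration.

```python
import base64
import gzip
from email import message_from_bytes
from email.header import decode_header

GZIP_MAGIC = b"\x1f\x8b"

def gzip_layers(data: bytes, layers: int) -> bytes:
    # Constructed-input helper: wrap data in the given number of gzip layers.
    for _ in range(layers):
        data = gzip.compress(data)
    return data

def decode_one_layer(data: bytes) -> bytes:
    # Mirror the single-layer limit: unwrap gzip once, never recursively.
    return gzip.decompress(data) if data.startswith(GZIP_MAGIC) else data

def decode_subject(raw_subject: str) -> str:
    # Undo RFC 2047 encoded-words (=?charset?q?...?=) in the Subject field.
    return "".join(p.decode(cs or "ascii") if isinstance(p, bytes) else p
                   for p, cs in decode_header(raw_subject))

def build_sample_message(attachment: bytes) -> bytes:
    # Constructed input: nested multipart, quoted-printable and base64 bodies,
    # an encoded-word subject and a base64-wrapped binary attachment.
    b64 = base64.b64encode(attachment).decode()
    return (
        "Subject: =?utf-8?q?R=C3=A9sum=C3=A9_attached?=\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="outer"\r\n\r\n--outer\r\n'
        'Content-Type: multipart/alternative; boundary="inner"\r\n\r\n--inner\r\n'
        "Content-Type: text/plain; charset=utf-8\r\n"
        "Content-Transfer-Encoding: quoted-printable\r\n\r\n"
        "Caf=C3=A9 menu =3D tonight\r\n--inner\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\nPGI+Q2Fmw6k8L2I+\r\n--inner--\r\n"
        "--outer\r\nContent-Type: application/octet-stream\r\n"
        f"Content-Transfer-Encoding: base64\r\n\r\n{b64}\r\n--outer--\r\n"
    ).encode()

def extract_scannable_buffers(raw: bytes) -> dict:
    # Produce what the pattern matcher gets to see: the decoded subject and
    # each leaf part after transfer decoding plus at most one gzip layer.
    msg = message_from_bytes(raw)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container part; only its headers matter
        payload = part.get_payload(decode=True)  # base64 / quoted-printable undone
        parts.append((part.get_content_type(), decode_one_layer(payload)))
    return {"subject": decode_subject(msg["Subject"]), "parts": parts}
```

Calling `extract_scannable_buffers(build_sample_message(gzip_layers(b"x", 2)))` returns an attachment buffer that still begins with the gzip magic bytes, which is exactly the content a one-layer scanner cannot inspect.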
Related Topics
Junos OS Feature Support Reference for SRX Series and J Series Devices