Express Antivirus Protection

Express antivirus scanning is offered as a less CPU intensive alternative to the full file-based antivirus feature. Express antivirus supports the same protocols as full antivirus and functions in much the same manner. For more information, see the following topics:

Express Antivirus Protection Overview

The Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, express antivirus scanning is offered as a less CPU-intensive alternative to the full file-based antivirus feature. Express antivirus supports the same protocols as full antivirus and functions in much the same manner; however, it has a smaller memory footprint, which suits the smaller system memory present on lower-end devices. The express antivirus feature, like the full antivirus feature, scans specific Application Layer traffic for viruses against a virus signature database. However, unlike full antivirus, express antivirus does not reconstruct the original application content. Rather, it just sends (streams) the received data packets, as is, to the scan engine. With express antivirus, the virus scanning is executed by a hardware pattern-matching engine. This improves performance while scanning is occurring, but the level of security provided is lessened. Juniper Networks provides the scan engine. The express antivirus scanning feature is a separately licensed subscription service.

This topic includes the following sections:

Express Antivirus Packet-Based Scanning Versus File-Based Scanning

Express antivirus uses a different antivirus scan engine than the full file-based antivirus feature and a different back-end hardware engine to accelerate pattern matching for higher data throughput.

The packet-based scanning done by express antivirus scans data buffers without waiting for the entire file to be received by the firewall, whereas the file-based scanning done by full antivirus can only start virus scanning when the entire file has been received.

Express Antivirus Expanded MIME Decoding Support

Express antivirus offers MIME decoding support for HTTP, POP3, SMTP, and IMAP. MIME decoding support includes the following for each supported protocol:

  • Multi-part and nested header decoding

  • Base64 decoding, quoted-printable decoding, and encoded-word decoding (in the subject field)

Express Antivirus Scan Result Handling

With express antivirus, the TCP traffic is closed gracefully when a virus is found and the data content is dropped.

Express antivirus supports the following fail mode options: default, engine-not-ready, out-of-resource, and too-many-requests. Fail mode handling of supported options with express antivirus is much the same as with full antivirus.

Express Antivirus Intelligent Prescreening

Intelligent prescreening functionality is identical in both express antivirus and full antivirus.

Express Antivirus Limitations

Express antivirus has the following limitations when compared to full antivirus functionality:

  • Express antivirus provides limited support for the scanning of file archives and compressed file formats. Express antivirus supports only the gzip, deflate, and compress compression formats.

  • Express antivirus provides limited support for decompression. Decompression is only supported with HTTP (supports only gzip, deflate, and compress for HTTP and only supports one layer of compression) and POP3 (supports only gzip for POP3 and only supports one layer of compression).

  • Express antivirus does not support scanning by extension.

  • Express antivirus scanning is interrupted when the scanning database is loading.

  • Express antivirus may truncate a warning message if a virus has been detected and the replacement warning message that is sent is longer than the original content it is replacing.

  • If you switch from express antivirus protection to full file-based antivirus protection, you must reboot the device in order for full file-based antivirus to begin working.

  • The modified EICAR file must be tested with express antivirus only. The Kaspersky antivirus and Sophos antivirus do not detect this file.

  • The express antivirus feature provides better performance but lower security. If you switch from full file-based antivirus protection to express antivirus protection, you must reboot the device in order for express antivirus to begin working.

Express Antivirus Configuration Overview

The Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, for each UTM feature, you should configure feature parameters in the following order:

  1. Configure UTM custom objects for the UTM features. The following example enables the mime-pattern, url-pattern, and custom-url-category custom objects:
  2. Configure main feature parameters using feature profiles. The following example enables the anti-virus feature profile:
  3. Configure a UTM policy for each protocol and attach this policy to a profile. The following example creates the utmp3 UTM policy for the HTTP protocol:
  4. Attach the UTM policy to a security policy. The following example attaches the utmp3 UTM policy to the p3 security policy:

Example: Configuring Express Antivirus Custom Objects

The Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, this example shows how to configure express antivirus custom objects.

Requirements

Before you begin:

Overview

In this example, you define custom objects that are used to create express antivirus feature profiles. You perform the following tasks to define custom objects:

  • Create two MIME lists called avmime2 and ex-avmime2, and add patterns to the list.

  • Configure a URL pattern list called urllist2.

    When entering the URL pattern, note the following wildcard character support:

    • The \*\.[]\?* wildcard characters are supported.

    • You must precede all wildcard URLs with http://.

    • You can use the asterisk * wildcard character only if it is at the beginning of the URL and is followed by a period.

    • You can use the question mark ? wildcard character only at the end of the URL.

    • The following wildcard syntax is supported: http://*.example.net, http://www.example.ne?, http://www.example.n??.

    • The following wildcard syntax is not supported: *.example.net, www.example.ne?, http://*example.net, http://*.

  • Configure a custom URL category list called custurl2, using the urllist2 URL pattern list.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
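The quick-configuration command listing is not reproduced on this copy of the page. The following set commands are an added example, not the page's own listing: they assume the standard Junos security utm custom-objects hierarchy, the MIME types, hostnames and address in the value lists are constructed sample values, and the lines beginning with # are explanatory comments that are not entered at the CLI.

```junos
# Added example (not the page's listing): express antivirus custom objects.
# Enter at the [edit] hierarchy level. MIME types, hostnames and the address are constructed samples.

# 1. MIME bypass list and its exception list (the exception list is a subset of the main list)
set security utm custom-objects mime-pattern avmime2 value [ video/quicktime image/x-portable-anymap x-world/x-vrml ]
set security utm custom-objects mime-pattern ex-avmime2 value [ video/quicktime-inappropriate ]

# 2. URL pattern list. Wildcard entries follow the rules above:
#    http:// prefix required, '*' only at the start and followed by a period, '?' only at the end.
set security utm custom-objects url-pattern urllist2 value [ http://www.example.net http://*.example.net http://www.example.ne? 192.0.2.10 ]

# 3. Custom URL category built from the pattern list (the pattern list must already exist)
set security utm custom-objects custom-url-category custurl2 value urllist2

# Confirm from configuration mode before committing
show security utm custom-objects
```

Because the custom URL category references the pattern list by name, committing the category before the pattern list exists fails the commit check; the ordering above avoids that.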

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure express antivirus filtering custom objects:

  1. Create MIME lists, and add MIME patterns to the lists. Because you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure a custom URL category list.

  2. Configure a URL pattern list custom object.

  3. Configure a custom URL category list.

Results

From configuration mode, confirm your configuration by entering the show security utm command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Express Antivirus Custom Objects

Purpose

Verify the express antivirus custom objects.

Action

From operational mode, enter the show configuration security utm command.

Configuring Express Antivirus Custom Objects (J-Web Procedure)

The Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to configure express antivirus protection using the J-Web configuration editor, you must first create your custom objects (MIME pattern list, URL pattern list, and custom URL category list).

Configure a MIME pattern list custom object as follows:

  1. Select Configure>Security>UTM Custom Objects.
  2. From the MIME Pattern List tab, click Add to create MIME pattern lists.
  3. In the Add MIME Pattern pop-up window, next to MIME Pattern Name, enter a unique name.

    Keep in mind that you are creating a MIME allowlist and a MIME exception list (if necessary). Both MIME lists appear in the MIME Allowlist and Exception MIME Allowlist fields when you configure antivirus. Therefore, the MIME list names you create should be as descriptive as possible.

  4. Next to MIME Pattern Value, enter the MIME pattern.
  5. Click Add to add your MIME pattern to the Values list box. Within this box, you can also select an entry and use the Delete button to delete it from the list. Continue to add MIME patterns in this manner.
  6. Optionally, create a new MIME list to act as an exception list. The exception list is generally a subset of the main MIME list.
  7. Click OK to check your configuration and save the selected values as part of the MIME list, then click Commit Options>Commit.
  8. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Configure a URL pattern list custom object as follows:

Note:

Because you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure a custom URL category list.

  1. Select Configure>Security>UTM>Custom Objects.

  2. From the URL Pattern List tab, click Add to create URL pattern lists.

  3. Next to URL Pattern Name, enter a unique name. This name appears in the Custom URL Category List Custom Object page for selection.

  4. Next to URL Pattern Value, enter the URL or IP address you want added to the list for bypassing scanning.

    When entering the URL pattern, note the following wildcard character support:

    • The \*\.[]\?* wildcard characters are supported.

    • You must precede all wildcard URLs with http://.

    • You can only use the asterisk * wildcard character if it is at the beginning of the URL and is followed by a period.

    • You can only use the question mark ? wildcard character at the end of the URL.

    • The following wildcard syntax IS supported: http://*.example.net, http://www.example.ne?, http://www.example.n??.

    • The following wildcard syntax is NOT supported: *.example.net, www.example.ne?, http://*example.net, http://*.

  5. Click Add to add your URL pattern to the Values list box. The list can contain up to 8192 items. You can also select an entry and use the Delete button to delete it from the list. Continue to add URLs or IP addresses in this manner.

  6. Click OK to check your configuration and save the selected values as part of the URL pattern list, then click Commit Options>Commit.

  7. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Configure a custom URL category list custom object using the URL pattern list that you created:

  1. Select Configure>Security>UTM>Custom Objects.

  2. From the URL Category List tab, click Add to create URL category lists.

  3. Next to URL Category Name, enter a unique name. This name appears in the URL Allowlist list when you configure antivirus global options.

  4. In the Available Values box, select a URL Pattern List name from the list for bypassing scanning and click the right arrow button to move it to the Selected Values box.

  5. Click OK to check your configuration and save the selected values as part of the URL list, then click Commit Options>Commit.

  6. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Example: Configuring Express Antivirus Feature Profiles

The Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, this example shows how to configure an express antivirus feature profile.

Requirements

Before you begin:

Overview

In this example, you configure a feature profile called junexprof1 and specify custom objects to be used for filtering content.

  • Select and configure the Juniper Express Engine as the engine type.

  • Select 120 as the time interval for updating the pattern database. The default antivirus pattern-update interval is once a day.

    Note:

    The command for changing the URL for the pattern database is:

    Under most circumstances, you should not need to change the default URL.

  • Enable an e-mail notification with the custom message "pattern file was updated" and the custom subject line "AV pattern file updated".

  • Configure a list of fallback options as block.

  • Configure the notification options for fallback blocking for virus detection. Configure a custom message for the fallback blocking action, and send a notification.

  • Configure a notification for protocol-only virus detection, and send the notification "Antivirus Alert".

  • Configure content size parameters as 20000. For SRX100, SRX110, SRX210, SRX220, and SRX240 devices, the maximum value for content size is 20,000. For SRX650 devices, the maximum value for content size is 40,000. Platform support depends on the Junos OS release in your installation.

  • Enable intelligent prescreening and set its timeout setting to 1800 seconds and trickling setting (applicable only to HTTP) to 600 seconds. This means that if the device receives a packet within a 600-second period during a file transfer or while performing an antivirus scan, it should not time out.

    Intelligent prescreening is intended only for use with non-encoded traffic. It is not applicable to mail protocols (SMTP, POP3, IMAP) or HTTP POST.

  • Configure the antivirus scanner to use MIME bypass lists and exception lists. You can use your own custom object lists, or you can use the default list, called junos-default-bypass-mime, which ships with the device. The following example enables the avmime2 and ex-avmime2 lists.

  • Configure the antivirus module to use URL bypass lists. If you are using a URL allowlist (valid only for HTTP traffic), this is a custom URL category that you previously configured as a custom object. For this example, you enable the custurl1 bypass list.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
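The quick-configuration listing for this section is likewise absent from this copy of the page. The set commands below are an added example, not the page's own listing: they follow the Overview items above for the junexprof1 profile, assume the Junos juniper-express-engine hierarchy and its fallback-option keyword spellings (default, engine-not-ready, out-of-resources, too-many-requests), use admin@example.net as a constructed placeholder address, and leave the pattern-update URL at its default. Lines beginning with # are comments and are not entered.

```junos
# Added example (not the page's listing): express antivirus feature profile junexprof1.
# admin@example.net is a constructed placeholder; keyword spellings are assumed from the Junos UTM hierarchy.

# 1-3. Engine type, pattern-update interval (120), and e-mail notification on pattern updates
set security utm feature-profile anti-virus type juniper-express-engine
set security utm feature-profile anti-virus juniper-express-engine pattern-update interval 120
set security utm feature-profile anti-virus juniper-express-engine pattern-update email-notify admin-email admin@example.net custom-message "pattern file was updated" custom-message-subject "AV pattern file updated"

# 4. Profile with the fallback options the page lists all set to block (fail closed)
set security utm feature-profile anti-virus juniper-express-engine profile junexprof1 fallback-options default block
set security utm feature-profile anti-virus juniper-express-engine profile junexprof1 fallback-options engine-not-ready block
set security utm feature-profile anti-virus juniper-express-engine profile junexprof1 fallback-options out-of-resources block
set security utm feature-profile anti-virus juniper-express-engine profile junexprof1 fallback-options too-many-requests block

# 5-7. Notification for fallback blocking and for protocol-only virus detection
set security utm feature-profile anti-virus juniper-express-engine profile junexprof1 notification-options fallback-block custom-message "***virus-found***" notify-mail-sender
set security utm feature-profile anti-virus juniper-express-engine profile junexprof1 notification-options virus-detection type protocol-only notify-mail-sender custom-message "Antivirus Alert"

# 8-11. Content size limit (20000), intelligent prescreening, scan timeout (1800 s), HTTP trickling (600 s)
set security utm feature-profile anti-virus juniper-express-engine profile junexprof1 scan-options content-size-limit 20000
set security utm feature-profile anti-virus juniper-express-engine profile junexprof1 scan-options intelligent-prescreening
set security utm feature-profile anti-virus juniper-express-engine profile junexprof1 scan-options timeout 1800
set security utm feature-profile anti-virus juniper-express-engine profile junexprof1 trickling timeout 600

# 12-13. MIME bypass list with its exception list, and the URL bypass category (custom objects created earlier)
set security utm feature-profile anti-virus mime-whitelist list avmime2 exception ex-avmime2
set security utm feature-profile anti-virus url-whitelist custurl1

# Confirm from configuration mode, then commit
show security utm feature-profile anti-virus
```

Setting every fallback option to block means that an engine that is not ready, out of resources, or overloaded causes traffic to be dropped rather than passed unscanned; this is the fail-closed choice, and after a pattern database reload (which interrupts express scanning, as noted under Limitations) you should expect blocked sessions until the engine reports ready in show security utm anti-virus status.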

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure express antivirus feature profiles:

  1. Select and configure the engine type.

  2. Select a time interval for updating the pattern database.

  3. Configure the device to notify a specified administrator when patterns are updated.

  4. Create a profile for the Juniper Express Engine, and configure fallback options as block.

  5. Configure a custom notification for the fallback blocking action, and send a notification.

  6. Configure a notification for protocol-only virus detection, and send a notification.

  7. Configure a custom notification for virus detection.

  8. Configure content size parameter.

  9. Configure intelligent prescreening.

  10. Configure the timeout setting.

  11. Configure trickling setting.

  12. Configure the antivirus scanner to use MIME bypass lists and exception lists.

  13. Configure the antivirus module to use URL bypass lists.

Results

From configuration mode, confirm your configuration by entering the show security utm feature-profile anti-virus command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Configuration of Express Antivirus Feature Profile

Purpose

Verify the express antivirus feature profile.

Action

From operational mode, enter any of the following commands:

  • show configuration security utm

  • show security utm anti-virus status

  • show security utm anti-virus statistics

Configuring Express Antivirus Feature Profiles (J-Web Procedure)

The Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, after you create your custom objects, configure the antivirus feature profile:

  1. Select Configure>Security>UTM>Global options.
  2. In the Anti-Virus tab, next to MIME allowlist, select the custom object you created from the list.
  3. Next to Exception MIME allowlist, select the custom object you created from the list.
  4. Next to URL Allowlist, select the custom object you created from the list.
  5. In the Engine Type section, select the type of engine you are using. For express antivirus protection, you should select Juniper Express.
  6. Next to Pattern update URL, enter the URL for the pattern database in the box. Note that the URL is http://update.juniper-updates.net/EAV/<device version> and you should not change it.
  7. Next to Pattern update interval, enter the time interval for automatically updating the pattern database in the box. The default for express antivirus checking is once per day.
  8. Select whether you want the pattern file to update automatically (Auto update) or not (No Auto update).
  9. Click OK to save the selected values.
  10. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.
  11. Under Security, in the left pane, select Anti-Virus.
  12. Click Add in the right window to create a profile for the antivirus Juniper Express Engine. To edit an existing item, select it and click Edit.
  13. In the Main tab, next to Profile name, enter a unique name for this antivirus profile.
  14. Select the Profile Type. In this case, select Juniper Express.
  15. Next to Trickling timeout, enter timeout parameters.

    Trickling applies only to HTTP. HTTP trickling is a mechanism used to prevent the HTTP client or server from timing out during a file transfer or during antivirus scanning.

  16. Next to Intelligent prescreening, select Yes or No.

    Intelligent prescreening is intended only for use with non-encoded traffic. It is not applicable to mail protocols (SMTP, POP3, IMAP) or HTTP POST.

  17. Next to Content Size Limit, enter content size parameters. The content size check occurs before the scan request is sent. The content size refers to accumulated TCP payload size.
  18. Next to Scan engine timeout, enter scanning timeout parameters.
  19. Select the Fallback settings tab.
  20. Next to Default (fallback option), select Log and permit or Block from the list. In most cases, Block is the default fallback option.
  21. Next to Decompress Layer (fallback option), select Log and permit or Block from the list.
  22. Next to Content Size (fallback option), select Log and permit or Block from the list.
  23. Next to Engine Not Ready (fallback option), select Log and permit or Block from the list.
  24. Next to Timeout (fallback option), select Log and permit or Block from the list.
  25. Next to Out of Resource (fallback option), select Log and permit or Block from the list.
  26. Next to Too Many Requests (fallback option), select Log and permit or Block from the list.
  27. Select the Notification options tab.
  28. In the Fallback block section, next to Notification type, select Protocol Only or Message to select the type of notification that is sent when a fallback option of block is triggered.
  29. Next to Notify mail sender, select Yes or No.
  30. If you selected Yes, next to Custom Message, enter text for the message body of your custom message for this notification (if you are using a custom message).
  31. Next to Custom message subject, enter text to appear in the subject line of your custom message for this notification (if you are using a custom message).
  32. In the Fallback non block section, next to Notify mail recipient, select Yes or No.
  33. If you selected Yes, next to Custom Message, enter text for the message body of your custom message for this notification (if you are using a custom message).
  34. Next to Custom message subject, enter text to appear in the subject line of your custom message for this notification (if you are using a custom message).
  35. Select the Notification options cont tab.
  36. In the Virus detection section, next to Notification type, select Protocol Only or Message to select the type of notification that is sent when a fallback option of block is triggered.
  37. Next to Notify mail sender, select Yes or No.
  38. If you selected Yes, next to Custom Message, enter text for the message body of your custom message for this notification (if you are using a custom message).
  39. Next to Custom message subject, enter text to appear in the subject line of your custom message for this notification (if you are using a custom message). The limit is 255 characters.
  40. Click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.
  41. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.

    You create a separate antivirus profile for each antivirus protocol. These profiles may basically contain the same configuration information, but when you are creating your UTM policy for antivirus, the UTM policy configuration page provides separate antivirus profile selection fields for each supported protocol.

Example: Configuring Express Antivirus UTM Policies

The Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, this example shows how to create an express antivirus UTM policy to attach to your feature profile.

Requirements

Before you begin, create an antivirus feature profile. See Example: Configuring Express Antivirus Feature Profiles.

Overview

In this example, you configure an express antivirus UTM policy called utmp3 and attach the policy to the antivirus profile called junexprof1.

Configuration

Procedure

Step-by-Step Procedure

To configure an express antivirus UTM policy:

  1. Create a UTM policy for HTTP antivirus scanning and attach the policy to the profile.

  2. If you are done configuring the device, commit the configuration.

Verification

Verify the Security UTM Configuration

Purpose

To verify the UTM configuration is working properly.

Action

From the operational mode, enter the show security utm command.

Configuring Express Antivirus UTM Policies (J-Web Procedure)

The Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, after you have created an antivirus feature profile, configure a UTM policy to which you can attach the feature profile:

  1. Select Configure>Security>Policy>UTM Policies.
  2. From the UTM policy configuration window, click Add to configure a UTM policy. The policy configuration pop-up window appears.
  3. Select the Main tab.
  4. In the Policy name box, enter a unique name.
  5. In the Session per client limit box, enter a session per client limit from 0 to 20000 for this UTM policy.
  6. In the Session per client over limit list, select the action that the device should take when the session per client limit for this UTM policy is exceeded. Options include Log and permit and Block.
  7. Select the Anti-Virus profiles tab.
  8. Select the appropriate profile you have configured from the list for the corresponding protocol listed.
  9. Click OK.
  10. If the policy is saved successfully, you receive a confirmation and you must click OK again. If the profile is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Example: Attaching Express Antivirus UTM Policies to Security Policies

The Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, this example shows how to attach an express antivirus UTM policy to a security policy.

Requirements

Before you begin, create a UTM policy. See Example: Configuring Express Antivirus UTM Policies.

Overview

In this example, you attach the express antivirus UTM policy called utmp3 to the security policy called p3.

Configuration

Procedure

Step-by-Step Procedure

To attach an express antivirus UTM policy to a security policy:

  1. Enable and configure the security policy.

  2. Attach the UTM policy to the security policy.

  3. If you are done configuring the device, commit the configuration.
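The CLI commands for this procedure and for the preceding one (Example: Configuring Express Antivirus UTM Policies) are not reproduced on this copy of the page. The following set commands are an added example serving both procedures, not the page's own listing: they create the utmp3 UTM policy for HTTP and attach it to security policy p3. The zone names trust and untrust and the any/any address match are assumptions, since the page does not name them; lines beginning with # are comments and are not entered.

```junos
# Added example (not the page's listing): UTM policy utmp3 attached to security policy p3.
# Zone names and the address match are assumptions; narrow them to your own zones and addresses.

# UTM policy: apply the express antivirus profile junexprof1 to HTTP traffic
set security utm utm-policy utmp3 anti-virus http-profile junexprof1

# Security policy p3: match the traffic, permit it, and hand it to the UTM policy
set security policies from-zone trust to-zone untrust policy p3 match source-address any
set security policies from-zone trust to-zone untrust policy p3 match destination-address any
set security policies from-zone trust to-zone untrust policy p3 match application junos-http
set security policies from-zone trust to-zone untrust policy p3 then permit application-services utm-policy utmp3

commit

# Verification from operational mode: p3 should show utmp3 under its application services
show security policies detail
show security utm status
```

A UTM policy only takes effect on sessions that a security policy with a permit action hands to it, so traffic matched by a policy without the application-services utm-policy statement, or by a different zone pair, is not scanned; check the policy ordering within the zone pair when a flow you expect to be scanned is not.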

Verification

Verify the Security Policy Configuration

Purpose

To verify the security policy configuration is working properly.

Action

From the operational mode, enter the show security policies detail command.

Attaching Express Antivirus UTM Policies to Security Policies (J-Web Procedure)

The Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, after you create a UTM policy, create a security policy and attach the UTM policy to the security policy:

  1. Select Configure>Security>Policy>FW Policies.
  2. From the Security Policy window, click Add to configure a security policy with UTM. The policy configuration pop-up window appears.
  3. In the Policy tab, enter a name in the Policy Name box.
  4. Next to Default Policy Action, select one of the following: Deny-All or Permit-All.
  5. Next to From Zone, select a zone from the list.
  6. Next to To Zone, select a zone from the list.
  7. Under Zone Direction, click Add a Policy.
  8. Choose a Source Address.
  9. Choose a Destination Address.
  10. Choose an application by selecting junos-protocol (for all protocols that support antivirus scanning) in the Application Sets box and clicking the —> button to move it to the Matched box.
  11. Next to Policy Action, select Permit.

    When you select Permit for Policy Action, several additional fields become available in the Applications Services tab, including UTM Policy.

  12. Select the Application Services tab.
  13. Next to UTM Policy, select the appropriate policy from the list. This action attaches your UTM policy to the security policy.
  14. Click OK.
  15. Click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.
  16. If the policy is saved successfully, you receive a confirmation and you must click OK again. If the profile is not saved successfully, you can click Details in the pop-up window that appears to discover why.

    You must activate your new policy to apply it.

Release History Table

Release       Description
15.1X49-D10   The Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.