ON THIS PAGE
Full Antivirus Application Protocol Scanning
Full Antivirus uses a scanning engine and virus signature databases to protect against virus-infected files, worms, trojans, spyware, and other malware over POP3, HTTP, SMTP, IMAP, and FTP protocols. For more information, see the following topics:
Understanding Full Antivirus Application Protocol Scanning
The Full Antivirus Application Protocol Scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, you can turn antivirus scanning on and off on a per protocol basis. If scanning for a protocol is disabled in an antivirus profile, there is no application intelligence for this protocol. Therefore, in most cases, traffic using this protocol is not scanned. But if the protocol in question is based on another protocol for which scanning is enabled in an antivirus profile, then the traffic is scanned as that enabled protocol.
The internal antivirus scan engine supports scanning for specific Application Layer transactions allowing you to select the content (HTTP, FTP, SMTP, POP3, or IMAP traffic) to scan. For each content type that you are scanning, you have different configuration options.
Profile-based settings, including enable/disable, scan-mode, and scan result handling settings, may not be applicable to all supported protocols. The following table lists profile-based settings and their protocol support.
Profile Setting |
Protocol Support |
|---|---|
Enable or disable scanning on per protocol basis |
All protocols support this feature |
Understanding Full Antivirus Scan Mode Support, including file extension scanning |
All protocols support this feature |
All protocols support this feature |
|
All protocols support this feature |
|
All protocols support this feature |
|
HTTP only |
|
All protocols support this feature |
|
Protocol specific messages |
All protocols support this feature |
SMTP, POP3, and IMAP only |
|
All protocols support this feature |
See Also
Understanding HTTP Scanning
The HTTP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, if antivirus scanning is enabled for Hypertext Transfer Protocol (HTTP) traffic in a content security profile, TCP traffic to defined HTTP service ports (generally port 80) is monitored. For HTTP traffic, the security device scans both HTTP responses and requests (get, post, and put commands).
For HTTP antivirus scanning, both HTTP 1.0 and 1.1 are supported. If the protocol version is HTTP 0.x , the antivirus scanner attempts to scan the traffic. Unknown protocols are bypassed. For example, some application protocols use HTTP as the transport but do not comply with HTTP 1.0 or 1.1. These are considered unknown protocols and are not scanned.
This is a general description of how HTTP traffic is intercepted, scanned, and acted upon by the antivirus scanner:
An HTTP client sends an HTTP request to a webserver or a webserver responds to an HTTP request.
The security device intercepts the request and passes the data to the antivirus scanner, which scans it for viruses.
After completing the scan, the device follows one of two courses:
If there is no virus, the device forwards the request to the webserver.
If there is a virus, the device drops the request and sends an HTTP message reporting the infection to the client.
With script-only scanning, the input object is a script file. It can be JavaScript, VBScript, mIRC script, bat scripts (DOS bat files) and other text scripts. The engine matches the input content only with signatures for script files. Script scanning is applicable only for HTML content over the HTTP protocol. There are two criteria for this scan-type. First, the content-type field of this HTML document must be text or HTML. Second, there is no content encoding in the HTTP header. If those two criteria are met, an HTML parser is used to parse the HTML document.
See Also
Enabling HTTP Scanning (CLI Procedure)
The HTTP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to enable antivirus scanning for HTTP traffic, enter the following CLI configuration statement:
user@host# set security utm utm-policy policy-name anti-virus http
Understanding FTP Antivirus Scanning
The FTP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 onwards. For previous releases, if antivirus scanning is enabled for File Transfer Protocol (FTP) traffic in a content security profile, the security device monitors the control channel and, when it detects one of the FTP commands for transferring data, it scans the data sent over the data channel.
This is a general description of how FTP traffic is intercepted, scanned, and acted upon by the antivirus scanner:
A local FTP client opens an FTP control channel to an FTP server and requests the transfer of some data.
The FTP client and server negotiate a data channel over which the server sends the requested data. The security device intercepts the data and passes it to the antivirus scan engine, which scans it for viruses.
After completing the scan, the device follows one of two courses:
If there is no virus, the device forwards the data to the client.
If there is a virus, the device replaces the data with a drop message in the data channel and sends a message reporting the infection in the control channel.
Enabling FTP Antivirus Scanning (CLI Procedure)
The FTP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 onwards. For previous releases, to enable antivirus scanning for File Transfer Protocol (FTP) traffic, enter the following CLI configuration statement:
user@host# security utm utm-policy policy-name anti-virus ftp
In order to scan FTP traffic, the FTP ALG must be enabled.
See Also
Understanding SMTP Antivirus Scanning
Starting from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1, only Sophos Antivirus supports the SMTP antivirus scanning. If SMTP (Simple Mail Transfer Protocol) antivirus scanning is enabled in a content security profile, the security device redirects traffic from local SMTP clients to the antivirus scanner before sending it to the local mail server.
Chunking is an alternative to the data command. It provides a mechanism to transmit a large message in small chunks. It is not supported. Messages using chunking are bypassed and are not scanned.
This is a general description of how SMTP traffic is intercepted, scanned, and acted upon by the antivirus scanner:
An SMTP client sends an e-mail message to a local mail server or a remote mail server forwards an e-mail message via SMTP to the local mail server.
The security device intercepts the e-mail message and passes the data to the antivirus scanner, which scans it for viruses.
After completing the scan, the device follows one of two courses:
If there is no virus, the device forwards the message to the local server.
If there is a virus, the device sends a replacement message to the client.
This topic includes the following sections:
- Understanding SMTP Antivirus Mail Message Replacement
- Understanding SMTP Antivirus Sender Notification
- Understanding SMTP Antivirus Subject Tagging
Understanding SMTP Antivirus Mail Message Replacement
If the antivirus scanner finds a virus in an e-mail message, the original message is dropped, the message body is truncated, and the content is replaced by a message that may appear as follows:
nContent-Type: text/plain Your mail <src_ip> : <src_port> — <dst_port>: <dst_port> contains contaminated file <filename> with virus <virusname>, so it is dropped.
If a scan error is returned and the fail mode is set to drop, the original message is dropped and the entire message body is truncated. The content is replaced by a message that may appear as follows:
nContent-Type: text/plain Your mail <src_ip> : <src_port> — <dst_port>: <dst_port> is dropped for <reason>.
Understanding SMTP Antivirus Sender Notification
If notify-sender-on-virus is set and the message
is dropped due to a detected virus, an e-mail is sent to the mail
sender. The content of the notification may appear as follows:
From: <admin>@<gateway_ip> To: <sender_e-mail> Subject: Mail Delivery Failure This message is created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients for the reason: <src_ip> : <src_port> — <dst_port>: <dst_port> <ENVID> contaminated file <filename> with virus <virusname>. e-mail Header is: <header of scanned e-mail>
If notify-sender-on-error-drop is set and the message
is dropped due to a scan error, an e-mail is sent to the mail sender
of the scanned message. The content of the e-mail may appear as follows:
From: <admin>@<gateway_ip> To: <sender_e-mail> Subject: Mail Delivery Failure This message is created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients for the reason: <src_ip> : <src_port> — <dst_port>: <dst_port> <ENVID> <reason>. e-mail Header is: <header of scanned e-mail>
For information on the ENVID parameter, refer to RFC 3461.
Understanding SMTP Antivirus Subject Tagging
If a scan error is returned and the fail mode is set to pass, the antivirus module passes the message through to the
server. If notify-recipient-on-error-pass is set, the
following string is appended to the end of the subject field:
(No virus check: <reason>)
See Also
Enabling SMTP Antivirus Scanning (CLI Procedure)
The SMTP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to enable antivirus scanning for SMTP traffic, enter the following CLI configuration statement:
user@host# set security utm utm-policy policy-name anti-virus smtp-profile
Understanding POP3 Antivirus Scanning
The POP3 antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, if Post Office Protocol 3 (POP3) antivirus scanning is enabled in a content security profile, the security device redirects traffic from a local mail server to antivirus scanner before sending it to the local POP3 client.
This is a general description of how POP3 traffic is intercepted, scanned, and acted upon by the antivirus scanner.
The POP3 client downloads an e-mail message from the local mail server.
The security device intercepts the e-mail message and passes the data to the antivirus scanner, which scans it for viruses.
After completing the scan, the security device follows one of two courses:
If there is no virus, the device forwards the message to the client.
If there is a virus, the device sends a message reporting the infection to the client.
See Understanding Protocol-Only Virus-Detected Notifications for information on protocol-only notifications for IMAP.
This topic includes the following sections:
- Understanding POP3 Antivirus Mail Message Replacement
- Understanding POP3 Antivirus Sender Notification
- Understanding POP3 Antivirus Subject Tagging
Understanding POP3 Antivirus Mail Message Replacement
If the antivirus scanner finds a virus in an e-mail message, the original message is dropped, the message body is truncated, and the content is replaced by a message that may appear as follows:
nContent-Type: text/plain Your mail <src_ip> : <src_port> — <dst_port>: <dst_port> contains contaminated file <filename> with virus <virusname>, so it is dropped.
Understanding POP3 Antivirus Sender Notification
If notify-sender-on-virus is set and the message
is dropped due to a detected virus, an e-mail is sent to the mail
sender.
From: <admin>@<gateway_ip> To: <sender_e-mail> Subject: Mail Delivery Failure This message is created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients for the reason: <src_ip> : <src_port> — <dst_port>: <dst_port> contaminated file <filename> with virus <virusname>. e-mail Header is: <header of scanned e-mail>
If notify-sender-on-error-drop is set and the message
is dropped due to a scan error, an e-mail is sent to the mail sender
of the scanned message. The content of the e-mail may appear as follows:
From: <admin>@<gateway_ip> To: <sender_e-mail> Subject: Mail Delivery Failure This message is created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients for the reason: <src_ip> : <src_port> — <dst_port>: <dst_port> <reason>. e-mail Header is: <header of scanned e-mail>
Understanding POP3 Antivirus Subject Tagging
If a scan error is returned and the fail mode is set to pass, the antivirus module passes the message through to the
server. If notify-recipient-on-error-pass is set, the
following string is appended to the end of subject field:
(No virus check: <reason>)
See Also
Enabling POP3 Antivirus Scanning (CLI Procedure)
The POP3 antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to enable antivirus scanning for POP3 traffic, enter the following CLI configuration statement:
user@host# set security utm utm-policy policy-name anti-virus pop3-profile
Understanding IMAP Antivirus Scanning
The IMAP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, if IMAP (Internet Message Access Protocol) antivirus scanning is enabled in a content security profile, the security device redirects traffic from a local mail server to the internal antivirus scanner before sending it to the local IMAP client.
This is a general description of how IMAP traffic is intercepted, scanned, and acted upon by the antivirus scanner.
The IMAP client downloads an e-mail message from the local mail server.
The security device intercepts the e-mail message and passes the data to the antivirus scanner, which scans it for viruses.
After completing the scan, the security device follows one of two courses:
If there is no virus, the device forwards the message to the client.
If there is a virus, the device sends a message reporting the infection to the client.
See Understanding Protocol-Only Virus-Detected Notifications for information on protocol-only notifications for IMAP.
This topic includes the following sections:
- Understanding IMAP Antivirus Mail Message Replacement
- Understanding IMAP Antivirus Sender Notification
- Understanding IMAP Antivirus Subject Tagging
- Understanding IMAP Antivirus Scanning Limitations
Understanding IMAP Antivirus Mail Message Replacement
If the antivirus scanner finds a virus in an e-mail message, the original message is dropped, the message body is truncated, and the content is replaced by a message that may appear as follows:
nContent-Type: text/plain Your mail <src_ip> : <src_port> — <dst_port>: <dst_port> contains contaminated file <filename> with virus <virusname>, so it is dropped.
Understanding IMAP Antivirus Sender Notification
If notify-sender-on-virus is set and the message
is dropped due to a detected virus, an e-mail is sent to the mail
sender.
From: <admin>@<gateway_ip> To: <sender_e-mail> Subject: Mail Delivery Failure This message is created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients for the reason: <src_ip> : <src_port> — <dst_port>: <dst_port> contaminated file <filename> with virus <virusname>. e-mail Header is: <header of scanned e-mail>
If notify-sender-on-error-drop is set and the message
is dropped due to a scan error, an e-mail is sent to the mail sender
of the scanned message. The content of the e-mail may appear as follows:
From: <admin>@<gateway_ip> To: <sender_e-mail> Subject: Mail Delivery Failure This message is created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients for the reason: <src_ip> : <src_port> — <dst_port>: <dst_port> <reason>. e-mail Header is: <header of scanned e-mail>
Understanding IMAP Antivirus Subject Tagging
If a scan error is returned and the fail mode is set to pass, the antivirus module passes the message through to the
server. If notify-recipient-on-error-pass is set, the
following string is appended to the end of subject field:
(No virus check: <reason>)
Understanding IMAP Antivirus Scanning Limitations
Mail Fragments — It is possible to chop one e-mail into multiple parts and to send each part through a different response. This is called mail fragmenting and most popular mail clients support it in order to send and receive large e-mails. Scanning of mail fragments is not supported by the antivirus scanner and in such cases, the message body is not scanned.
Partial Content — Some mail clients treat e-mail of different sizes differently. For example, small e-mails (less than 10 KB) are downloaded as a whole. Large e-mails (for example, less than 1 MB) are chopped into 10 KB pieces upon request from the IMAP server. Scanning of any partial content requests is not supported by the antivirus scanner.
IMAP Uploads — Only antivirus scanning of IMAP downloads is supported. IMAP upload traffic is not scanned.
Enabling IMAP Antivirus Scanning (CLI Procedure)
The IMAP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to enable antivirus scanning for IMAP traffic, enter the following CLI configuration statement:
user@host# security utm utm-policy policy-name anti-virus imap-profile