Full Antivirus Protection

The full file-based antivirus feature provides file-based scanning on specific Application Layer traffic checking for viruses against a virus signature database. It collects the received data packets until it has reconstructed the original application content, such as an e-mail file attachment, and then scans this content. For more information, see the following topics:

Full Antivirus Protection Overview

A virus is executable code that infects or attaches itself to other executable code in order to reproduce itself. Some malicious viruses erase files or lock up systems, while other viruses merely infect files and can overwhelm the target host or network with bogus data. The full file-based antivirus feature provides file-based scanning on specific Application Layer traffic checking for viruses against a virus signature database. It collects the received data packets until it has reconstructed the original application content, such as an e-mail file attachment, and then scans this content.

The full file-based antivirus scanning feature is a separately licensed subscription service. Kaspersky Lab provides the scan engine for full file-based antivirus. When your antivirus license key expires, you can continue to use locally stored antivirus signatures without any updates. But in that case, if the local database is deleted, antivirus scanning is disabled.

The express antivirus feature provides better performance but lower security. Note that if you switch from full file-based antivirus protection to express antivirus protection, you must reboot the device in order for express antivirus to begin working.

The Kaspersky and Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, the Kaspersky scan engine is provided as a downloadable UTM module. To download the Kaspersky scan engine, your SRX Series device must have an active UTM license. When you install the KAV license, the system automatically downloads the Kaspersky module from the Juniper Networks server and runs it.

When you set the antivirus type to KAV, and if the SRX Series device had a preinstalled Kaspersky engine, then the downloaded module replaces the original module on the device. Regardless of the UTM license status, when the KAV license is deleted from the device, the Kaspersky engine and all files associated with KAV are removed from the system immediately.

Use the set security utm feature-profile anti-virus type kaspersky-lab-engine command to set the antivirus type to KAV. If the Kaspersky engine is not available on the device and cannot be downloaded from the predefined URL, use the set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update url url command to configure the download URL.

Full Antivirus Configuration Overview

The Kaspersky and Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, when configuring antivirus protection, you must first create the antivirus custom objects you are using. Those custom objects may include the MIME pattern list, MIME exception list, and the filename extension list. Once you have created your custom objects, you can configure full antivirus protection, including intelligent prescreening, and content size limits.

To configure full file-based antivirus protection:

  1. Configure UTM custom objects for the UTM feature. The following example enables the mime-pattern, filename-extension, url-pattern, and custom-url-category custom objects:
  2. Configure the main feature parameters using feature profiles. The following example enables options using the antivirus feature profile:
  3. Configure a UTM policy for each protocol and attach this policy to a profile. The following example configures the utmp2 UTM policy for the HTTP protocol:
  4. Attach the UTM policy to a security policy. The following example attaches the utmp2 UTM policy to the p2 security policy:

Example: Configuring Full Antivirus Custom Objects

The Kaspersky and Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, this example shows how to configure full antivirus custom objects.

Requirements

Before you begin:

Overview

In this example, you define custom objects that are used to create full antivirus feature profiles. You perform the following tasks to define custom objects:

  1. Configure a filename extension list called extlist1 and add extensions such as .zip, .js, and .vbs to the list.

  2. Create two MIME lists called avmime1 and ex-avmime1 and add patterns to the list.

  3. Configure a URL pattern list called urllist1.

  4. Configure a custom URL category list called custurl1 using the urllist1 URL pattern list.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure full antivirus filtering custom objects:

  1. Configure the filename extension list and add extensions to it.

    Note:

    The Kaspersky scan engine ships with a read-only default extension list that you can use.

  2. Create MIME lists and add MIME patterns to the lists.

  3. Configure a URL pattern list.

    When entering the URL pattern, note the following wildcard character support:

    • The \*\.[]\?* wildcard characters are supported.

    • You must precede all wildcard URLs with http://.

    • You can only use the asterisk * wildcard character if it is at the beginning of the URL and is followed by a period.

    • You can only use the question mark ? wildcard character at the end of the URL.

    • The following wildcard syntax is supported: http://*.example.net, http://www.example.ne?, http://www.example.n??.

    • The following wildcard syntax is not supported: *.example.net, www.example.ne?, http://*example.net, http://*.

    Note:

    Because you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure custom URL category lists.

  4. Configure a custom URL category list.

Results

From configuration mode, confirm your configuration by entering the show security utm command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Full Antivirus Custom Objects

Purpose

Verify the full antivirus custom objects.

Action

From operational mode, enter the show configuration security utm command.

Configuring Full Antivirus Custom Objects (J-Web Procedure)

The Kaspersky and Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to configure antivirus protection, you must first create your custom objects (MIME Pattern List, Filename Extension List, URL Pattern List, and Custom URL Category List).

Configure a MIME pattern list custom object:

  1. Select Configure>Security>UTM>Custom Objects.
  2. From the MIME Pattern List tab, click the Add button to create MIME pattern lists.
  3. In the Add MIME Pattern pop-up window, next to MIME Pattern Name, enter a unique name.

    Keep in mind that you are creating a MIME allowlist and a MIME exception list (if necessary). Both MIME lists appear in the MIME Allowlist and Exception MIME Allowlist fields when you configure antivirus. Therefore, the MIME list names you create should be as descriptive as possible.

  4. Next to MIME Pattern Value, enter the MIME pattern.
  5. Click Add to add your MIME pattern to the Values list box. Within this box, you can also select an entry and use the Delete button to delete it from the list. Continue to add MIME patterns in this manner.
  6. Optionally, create a new MIME list to act as an exception list. The exception list is generally a subset of the main MIME list.
  7. Click OK to check your configuration and save the selected values as part of the MIME list, then click Commit Options>Commit.
  8. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Configure a filename extension list custom object:

  1. Select Configure>Security>UTM>Custom Objects.

  2. From the Filename Extension List tab, click the Add button to create filename extension lists.

  3. Next to File Extension Name, enter a unique name. This name appears in the Scan Option By Extension list when you configure an antivirus profile.

  4. In the Available Values box, select one or more default values (press Shift to select multiple concurrent items or press Ctrl to select multiple separate items) and click the right arrow button to move the value or values to the Selected Values box.

  5. Click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.

  6. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If the profile is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Configure a URL pattern list custom object:

Note:

Because you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure a custom URL category list.

  1. Select Configure>Security>UTM>Custom Objects.

  2. From the URL Pattern List tab, click the Add button to create URL pattern lists.

  3. Next to URL Pattern Name, enter a unique name. This name appears in the Custom URL Category List Custom Object page for selection.

  4. Next to URL Pattern Value, enter the URL or IP address you want added to the list for bypassing scanning.

    When entering the URL pattern, note the following wildcard character support:

    • The \*\.[]\?* wildcard characters are supported.

    • You must precede all wildcard URLs with http://.

    • You can only use the asterisk * wildcard character if it is at the beginning of the URL and is followed by a period.

    • You can only use the question mark ? wildcard character at the end of the URL.

    • The following wildcard syntax IS supported: http://*.example.net, http://www.example.ne?, http://www.example.n??.

    • The following wildcard syntax is NOT supported: *.example.net, www.example.ne?, http://*example.net, http://*.

  5. Click Add to add your URL pattern to the Values list box. The list can contain up to 8192 items. You can also select an entry and use the Delete button to delete it from the list. Continue to add URLs or IP addresses in this manner.

  6. Click OK to check your configuration and save the selected values as part of the URL pattern list you have created, then click Commit Options>Commit.

  7. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.
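
The wildcard rules listed in step 4 above, and in the URL pattern step of the CLI procedure earlier, can be checked before entries are committed to a list that bypasses scanning. The following Python lint is an added example, not Juniper code; it covers only the * and ? rules, and the function names, the empty-host check and the breadth warning are assumptions made for this illustration.

```python
"""Added example: lint URL pattern list entries against the wildcard rules above."""

SCHEME = "http://"
MAX_ITEMS = 8192  # list size limit stated in the J-Web procedure


def check_url_pattern(pattern):
    """Return (errors, warnings) for one URL pattern list entry."""
    p = pattern.strip()
    errors, warnings = [], []
    if "*" not in p and "?" not in p:
        return errors, warnings  # plain URL or IP address: wildcard rules do not apply

    if p.startswith(SCHEME):
        rest = p[len(SCHEME):]
    else:
        errors.append("wildcard pattern must start with http://")
        rest = p

    # '?' is only allowed as a trailing run at the end of the URL.
    body = rest.rstrip("?")
    if "?" in body:
        errors.append("'?' is only allowed at the end of the URL")

    # '*' is only allowed once, at the beginning, followed by a period.
    if "*" in body:
        if body.count("*") > 1 or not body.startswith("*."):
            errors.append("'*' is only allowed at the beginning, followed by a period")
        literal = body[2:] if body.startswith("*.") else body.replace("*", "")
    else:
        literal = body

    if not literal.strip("."):
        # Generalizes the unsupported "http://*." case (assumption of this example).
        errors.append("pattern has no literal host part")
    elif body.startswith("*.") and "." not in literal.strip("."):
        # Review heuristic added here, not a device rule: the entry is used to
        # bypass scanning, so a one-label suffix exempts a very large set of hosts.
        warnings.append("wildcard covers every host under a single label")
    return errors, warnings


def lint_url_pattern_list(patterns):
    """Return {entry: (errors, warnings)} for entries with findings.

    The key "<list>" carries list-level errors such as exceeding MAX_ITEMS.
    """
    findings = {}
    if len(patterns) > MAX_ITEMS:
        msg = f"{len(patterns)} entries exceeds the {MAX_ITEMS}-item limit"
        findings["<list>"] = ([msg], [])
    for entry in patterns:
        errors, warnings = check_url_pattern(entry)
        if errors or warnings:
            findings[entry] = (errors, warnings)
    return findings


# The supported and unsupported patterns quoted in the procedure, plus two
# constructed entries (an IP address and an overly broad wildcard).
SAMPLE_ENTRIES = [
    "http://*.example.net",
    "http://www.example.ne?",
    "http://www.example.n??",
    "*.example.net",
    "www.example.ne?",
    "http://*example.net",
    "http://*.",
    "192.0.2.10",
    "http://*.net",
]

if __name__ == "__main__":
    for entry, (errs, warns) in lint_url_pattern_list(SAMPLE_ENTRIES).items():
        print(repr(entry), "errors:", errs, "warnings:", warns)
```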

Configure a custom URL category list custom object:

Note:

Because you use URL Pattern Lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure a custom URL category list.

  1. Select Configure>Security>UTM>Custom Objects.

  2. In the URL Category List tab, click Add to create URL category lists.

  3. Next to URL Category Name, enter a unique name. This name appears in the URL Allowlist list when you configure antivirus global options.

  4. In the Available Values box, select a URL Pattern List name from the list for bypassing scanning and click the right arrow button to move it to the Selected Values box.

  5. Click OK to check your configuration and save the selected values as part of the URL list that you have created, then click Commit Options>Commit.

    Click OK to save the selected values as part of the custom URL list you have created.

  6. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Example: Configuring Full Antivirus Feature Profiles

The full antivirus feature profile is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, this example shows how to configure a full antivirus feature profile.

Requirements

Before you begin:

Overview

In this example, you configure a feature profile called kasprof1 and specify custom objects to be used for filtering content:

  • Select and configure the engine type as Kaspersky Lab Engine.

  • Select 120 as the time interval for updating the pattern database. The default full file-based antivirus pattern-update interval is 60 minutes.

    The command for changing the URL for the pattern database is:

  • Enable an e-mail notification with the custom message "pattern file was updated" and the custom subject line "AV pattern file updated".

  • Configure a list of fallback options as block.

  • Configure the notification options for fallback blocking for virus detection. Configure a custom message for the fallback blocking action.

  • Configure a notification for protocol-only virus detection.

  • Configure scan options. For this example, configure the device to perform a TCP payload content size check before the scan request is sent.

  • Configure the decompression layer limit. For this example, configure the device to decompress three layers of nested compressed files before it executes the virus scan.

  • Configure content size parameters as 20000.

    For SRX100, SRX110, SRX210, SRX220, and SRX240 devices the content size is 20000. For SRX650 devices the content size is 40,000. Platform support depends on the Junos OS release in your installation.

  • Configure scan extension settings. The default list is junos-default-extension. For this example, you select extlist1, which you created as a custom object.

  • Configure the scan mode setting to configure the device to use a custom extension list. Although you can choose to scan all files, for this example you select only files with the extensions that you specify.

  • Enable intelligent prescreening and set its timeout setting to 1800 seconds and trickling setting (applicable only to HTTP) to 600 seconds. This means that if the device receives a packet within a 600-second period during a file transfer or while performing an antivirus scan, it should not time out.

    Intelligent prescreening is only intended for use with non-encoded traffic. It is not applicable for mail protocols (SMTP, POP3, IMAP) and HTTP POST.

    The following example disables intelligent prescreening for the kasprof1 profile:

  • Configure the antivirus scanner to use MIME bypass lists and exception lists. You can use your own custom object lists, or you can use the default list that ships with the device called junos-default-bypass-mime. For this example, you use the avmime1 and ex-avmime1 lists.

  • Configure the antivirus module to use URL bypass lists. If you are using a URL allowlist (valid only for HTTP traffic), this is a custom URL category that you have previously configured as a custom object. For this example, you enable the custurl1 bypass list.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure full antivirus feature profiles:

  1. Select and configure the engine type.

  2. Configure the device to notify a specified administrator when patterns are updated.

  3. Create a profile for the Kaspersky Lab engine and configure fallback options as block.

  4. Configure a custom notification for the fallback blocking action and send a notification.

  5. Configure a notification for protocol-only virus detection.

  6. Configure the content size parameter.

  7. Configure the decompression layer limit.

  8. Configure intelligent prescreening.

  9. Configure the scan extension setting.

  10. Configure the scan mode setting.

  11. Configure the timeout setting.

  12. Configure the trickling setting.

  13. Configure the antivirus scanner to use MIME bypass lists and exception lists.

  14. Configure the antivirus module to use URL bypass lists.

Results

From configuration mode, confirm your configuration by entering the show security utm feature-profile anti-virus command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Configuration of Full Antivirus Feature Profile

Purpose

Verify the full antivirus feature profile.

Action

From operational mode, enter the show configuration security utm command.

Configuring Full Antivirus Feature Profiles (J-Web Procedure)

The full antivirus feature profile is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, after you have created your custom object, configure an antivirus feature profile:

  1. Select Configure>Security>UTM>Global options.
  2. In the Anti-Virus tab, next to MIME whitelist, select the custom object you created from the list.
  3. Next to Exception MIME whitelist, select the custom object you created from the list.
  4. Next to URL Whitelist, select the custom object you created from the list.
  5. In the Engine Type section, select the type of engine you are using. For full antivirus protection, you should select Kaspersky Lab.
  6. In the Kaspersky Lab Engine Option section, in the Pattern update URL box, enter the URL for the pattern database.

    The URL is http://update.juniper-updates.net/AV/<device version> and you should not change it.

  7. Next to Pattern update interval, enter the time interval, in seconds, for automatically updating the pattern database in the box. The default interval is 60.
  8. Select whether you want the pattern file to update automatically (Auto update) or not (No Auto update).
  9. Click OK to save the selected values.
  10. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in a pop-up window that appears to discover why.
  11. Under Security, in the left pane, select Anti-Virus.
  12. In the right window, click Add to create a profile for the antivirus Kaspersky Lab Engine. (To edit an existing item, select it and click the Edit button.)
  13. Next to Profile name, enter a unique name for this antivirus profile.
  14. Select the Profile Type. In this case, select Kaspersky.
  15. Next to Trickling timeout, enter timeout parameters.
    Note:

    Trickling applies only to HTTP. HTTP trickling is a mechanism used to prevent the HTTP client or server from timing out during a file transfer or during antivirus scanning.

  16. Next to Intelligent prescreening, select Yes or No.

    Intelligent prescreening is only intended for use with non-encoded traffic. It is not applicable for mail protocols (SMTP, POP3, IMAP) and HTTP POST.

  17. In the Scan Options section, next to Intelligent prescreening, select Yes if you are using it.

    Intelligent prescreening is only intended for use with non-encoded traffic. It is not applicable for mail protocols (SMTP, POP3, IMAP) and HTTP POST.

  18. Next to Content Size Limit, enter content size parameters. The content size check occurs before the scan request is sent. The content size refers to accumulated TCP payload size.
  19. Next to Scan engine timeout, enter scanning timeout parameters.

  20. Next to Decompress Layer Limit, enter decompression layer limit parameters.
  21. In the Scan mode section, select either Scan all files, if you are scanning all content, or Scan files with specified extension, if you are scanning by file extensions.

    If you select Scan files with specified extension, you must select a filename extension list custom object from the Scan engine filename extension list that appears.

  22. Select the Fallback settings tab.
  23. Next to Default (fallback option), select Log and permit or Block from the list. In most cases, Block is the default fallback option.
  24. Next to Corrupt File (fallback option), select Log and permit or Block from the list.
  25. Next to Password File (fallback option), select Log and permit or Block from the list.
  26. Next to Decompress Layer (fallback option), select Log and permit or Block from the list.
  27. Next to Content Size (fallback option), select Log and permit or Block from the list.
  28. Next to Engine Not Ready (fallback option), select Log and permit or Block from the list.
  29. Next to Timeout (fallback option), select Log and permit or Block from the list.
  30. Next to Out Of Resources (fallback option), select Log and permit or Block from the list.
  31. Next to Too Many Request (fallback option), select Log and permit or Block from the list.
  32. Select the Notification options tab.
  33. In the Fallback block section, next to Notification type, select Protocol Only or Message to select the type of notification that is sent when a fallback option of block is triggered.
  34. Next to Notify mail sender, select Yes or No.
  35. If you selected Yes, next to Custom Message, enter text for the message body of your custom message for this notification (if you are using a custom message).
  36. Next to Custom message subject, enter text to appear in the subject line of your custom message for this notification (if you are using a custom message).
  37. In the Fallback non block section, next to Notify mail recipient, select Yes or No.
  38. If you selected Yes, next to Custom Message, enter text for the message body of your custom message for this notification (if you are using a custom message).
  39. Next to Custom message subject, enter text to appear in the subject line of your custom message for this notification (if you are using a custom message).
  40. Select the Notification options cont tab.
  41. In the Virus detection section, next to Notification type, select Protocol Only or Message to select the type of notification that is sent when a fallback option of block is triggered.
  42. Next to Notify mail sender, select Yes or No.
  43. If you selected Yes, next to Custom Message, enter text for the message body of your custom message for this notification (if you are using a custom message).
  44. Next to Custom message subject, enter text to appear in the subject line of your custom message for this notification (if you are using a custom message). The limit is 255 characters.
  45. Click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.
  46. If the configuration item is saved successfully, you receive a confirmation and you must click OK again. If it is not saved successfully, you can click Details in the pop-up window that appears to discover why.

    You create a separate antivirus profile for each antivirus protocol. These profiles may basically contain the same configuration information, but when you are creating your UTM policy for an antivirus profile, the UTM policy configuration page provides separate antivirus profile selection fields for each supported protocol.
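
Each fallback option in steps 23 to 31 decides whether content the engine could not scan is blocked or passed, so Log and permit settings are worth reviewing in an exported configuration. The following Python audit is an added example, not Juniper code; the sample set lines are constructed, and the profile ... fallback-options hierarchy and option spellings are the CLI forms assumed for those J-Web fields.

```python
"""Added example: report fail-open fallback settings per full antivirus profile."""

# CLI spellings assumed for the fallback options listed in the J-Web procedure.
FALLBACK_OPTIONS = (
    "default", "corrupt-file", "password-file", "decompress-layer",
    "content-size", "engine-not-ready", "timeout", "out-of-resources",
    "too-many-requests",
)

PROFILE_PREFIX = (
    "set security utm feature-profile anti-virus kaspersky-lab-engine profile "
)


def audit_fallback(config_text):
    """Return {profile: {"fail_open": [...], "unset": [...], "unknown": [...]}}.

    fail_open: options explicitly set to log-and-permit (unscanned content passes).
    unset:     options with no explicit line, so the effective action needs checking.
    unknown:   option names outside FALLBACK_OPTIONS (typos or other releases).
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith(PROFILE_PREFIX):
            continue
        tokens = line[len(PROFILE_PREFIX):].split()
        if not tokens:
            continue
        opts = seen.setdefault(tokens[0], {})  # register the profile name
        if len(tokens) == 4 and tokens[1] == "fallback-options":
            opts[tokens[2]] = tokens[3]

    report = {}
    for profile, opts in seen.items():
        report[profile] = {
            "fail_open": sorted(o for o, a in opts.items() if a == "log-and-permit"),
            "unset": [o for o in FALLBACK_OPTIONS if o not in opts],
            "unknown": sorted(o for o in opts if o not in FALLBACK_OPTIONS),
        }
    return report


# Constructed sample in `set` format; kasprof1 is the profile name used on this page.
SAMPLE_CONFIG = """
set security utm feature-profile anti-virus type kaspersky-lab-engine
set security utm feature-profile anti-virus kaspersky-lab-engine profile kasprof1 fallback-options default block
set security utm feature-profile anti-virus kaspersky-lab-engine profile kasprof1 fallback-options password-file block
set security utm feature-profile anti-virus kaspersky-lab-engine profile kasprof1 fallback-options content-size log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile kasprof1 fallback-options timeout log-and-permit
set security utm feature-profile anti-virus kaspersky-lab-engine profile kasprof1 scan-options content-size-limit 20000
"""

if __name__ == "__main__":
    for profile, result in audit_fallback(SAMPLE_CONFIG).items():
        print(profile)
        for key, values in result.items():
            print(f"  {key}: {', '.join(values) or '-'}")
```

In the sample, content over the size limit and scans that time out pass unscanned with only a log entry, and five options have no explicit line, so their effective action has to be confirmed on the device.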

Example: Configuring Full Antivirus UTM Policies

The full antivirus feature profile is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, this example shows how to create a UTM policy to attach to a feature profile.

Requirements

Before you begin, create an antivirus feature profile. See Example: Configuring Full Antivirus Feature Profiles.

Overview

In this example, you configure a full antivirus UTM policy called utmp2 and attach the policy to an HTTP profile called kasprofile1 HTTP.

Configuration

Procedure

Step-by-Step Procedure

To configure a full antivirus UTM policy:

  1. Create a UTM policy for HTTP antivirus scanning and attach the policy to the profile.

  2. If you are done configuring the device, commit the configuration.

Verification

Verify the Security UTM Configuration

Purpose

To verify the security UTM configuration is working properly.

Action

From the operational mode, enter the show security utm command.

Configuring Full Antivirus UTM Policies (J-Web Procedure)

Full antivirus UTM policies are not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, after you have created an antivirus feature profile, configure a UTM policy to which you can attach the feature profile:

  1. Select Configure>Security>Policy>UTM Policies.
  2. From the UTM policy configuration window, click Add to configure a UTM policy. This action takes you to the policy configuration pop-up window.
  3. Select the Main tab in the pop-up window.
  4. In the Policy name box, enter a unique name for the UTM policy.
  5. In the Session per client limit box, enter a session per client limit from 0 to 20000 for this UTM policy.
  6. In the Session per client over limit list, select the action that the device should take when the session per client limit for this UTM policy is exceeded. Options include Log and permit and Block.
  7. Select the Anti-Virus profiles tab in the pop-up window.
  8. Select the appropriate profile you have configured from the list for the corresponding protocol listed.
  9. Click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.
  10. If the policy is saved successfully, you receive a confirmation and you must click OK again. If the profile is not saved successfully, you can click Details in the pop-up window that appears to discover why.

Example: Attaching Full Antivirus UTM Policies to Security Policies

Full antivirus UTM policies are not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, this example shows how to attach a UTM policy to a security policy.

Requirements

Before you begin, create a UTM policy. See Example: Configuring Full Antivirus UTM Policies.

Overview

In this example, you attach the UTM policy called utmp2 to the security policy called p2.

Configuration

Procedure

Step-by-Step Procedure

To attach a full antivirus UTM policy to a security policy:

  1. Enable and configure the security policy.

  2. Attach the UTM policy to the security policy.

  3. If you are done configuring the device, commit the configuration.

Verification

Verify the Security Policies Configuration

Purpose

To verify the security policies configuration is working properly.

Action

From the operational mode, enter the show security policies command.

Attaching Full Antivirus UTM Policies to Security Policies (J-Web Procedure)

Full antivirus UTM policies are not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, after you create a UTM policy, create a security policy and attach the UTM policy to the security policy:

  1. Select Configure>Security>Policy>FW Policies.
  2. From the Security Policy window, click Add to configure a security policy with UTM. This action takes you to the policy configuration pop-up window.
  3. In the Policy tab, enter a name in the Policy Name box.
  4. Next to From Zone, select a zone from the list.
  5. Next to To Zone, select a zone from the list.
  6. Choose a Source Address.
  7. Choose a Destination Address.
  8. Choose an application by selecting junos-protocol (for all protocols that support antivirus scanning) in the Application Sets box and clicking the —> button to move it to the Matched box.
  9. Next to Policy Action, select Permit.

    When you select Permit for Policy Action, several additional fields become available in the Applications Services tab, including UTM Policy.

  10. Select the Application Services tab in the pop-up window.
  11. Next to UTM Policy, select the appropriate policy from the list. This action attaches your UTM policy to the security policy.
  12. Click OK to check your configuration and save it as a candidate configuration, then click Commit Options>Commit.
  13. If the policy is saved successfully, you receive a confirmation and you must click OK again. If the profile is not saved successfully, you can click Details in the pop-up window that appears to discover why.

    You must activate your new policy to apply it.

Release History Table

Release        Description
15.1X49-D10    The Kaspersky and Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.
15.1X49-D10    The full antivirus feature profile is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.
15.1X49-D10    Full antivirus UTM policies are not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.