Full Antivirus File Scanning

The full file-based antivirus module is the software subsystem on the gateway device that scans specific Application Layer traffic to protect users from virus attacks and to prevent viruses from spreading. The antivirus module allows you to configure scanning options on a global level, on a UTM profile level, or on a firewall policy level. The following topics describe the scan engine, its scan modes, the configuration levels, and the per-profile limits (content size, decompression depth, timeout, and session throttling).

Understanding the Full Antivirus Scan Engine

The Kaspersky Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, the full file-based antivirus module is the software subsystem on the gateway device that scans specific Application Layer traffic to protect users from virus attacks and to prevent viruses from spreading. The antivirus software subsystem consists of a virus signature database, an application proxy, the scan manager, and the scan engine.

Kaspersky Lab provides the scan engine and it works in the following manner:

  1. A client establishes a TCP connection with a server and then starts a transaction.

  2. If the application protocol in question is marked for antivirus scanning, the traffic is forwarded to an application proxy for parsing.

  3. When the scan request is sent, the scan engine scans the data by querying a virus pattern database.

  4. The scan manager monitors antivirus scanning sessions, checking the properties of the data content against the existing antivirus settings.

  5. After scanning has occurred, the result is then handled by the scan manager.

The Kaspersky Lab scan engine supports two scan types: regular file scanning and script file scanning.

  • Regular file scanning—The input object is a regular file. The engine matches the input content against all possible signatures.

  • Script file scanning—The input object is a script file: JavaScript, VBScript, mIRC script, bat scripts (DOS bat files), or another text script. The engine matches the input content only against signatures for script files.

Script scanning applies only to HTML content over HTTP, and only when both of the following criteria are met:

  1. The Content-Type of the HTTP response identifies the document as text or HTML.

  2. The HTTP headers specify no content encoding (the body is not compressed or otherwise encoded).

If both criteria are met, an HTML parser is used to parse the HTML document and extract its scripts for scanning. A response that fails either criterion (for example, one delivered with gzip content encoding) is not script-scanned.

Understanding Full Antivirus Scan Mode Support

The Kaspersky Lab scan engine is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, the Kaspersky Lab scan engine supports two modes of scanning:

  • scan-all—This option tells the scan engine to scan all the data it receives.

  • scan-by-extension—This option bases all scanning decisions on the file extensions found in the traffic in question.

When scanning content, you can use a file extension list to define the set of file extensions that are scanned in file extension scan mode (scan-by-extension). The antivirus module then scans only files whose extension appears on the scan-extension list. If an extension is not defined in the list, a file with that extension is not scanned in scan-by-extension mode. If there is no extension present, the file in question is scanned. Because the decision rests on the file name, which is chosen by the sender, scan-by-extension trades coverage for performance; scan-all does not depend on the name.

When using a file extension list to scan content, please note the following requirements:

  • File extension entries are case-insensitive.

  • The maximum length of the file extension list name is 29 bytes.

  • The maximum length of each file extension entry is 15 bytes.

  • The maximum entry number in a file extension list is 255.

Configuring Full Antivirus File Extension Scanning (CLI Procedure)

The Kaspersky Lab scan is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to configure file-extension scanning, use the following CLI configuration statements:

Example: Configuring Full Antivirus File Extension Scanning

The Kaspersky Lab scan is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, this example shows how to configure full antivirus file extension scanning.

Requirements

Before you begin, decide the mode of scanning you require. See Understanding Full Antivirus Scan Mode Support.

Overview

In this example, you perform the following tasks:

  1. Create a filename-extension list called extlist1, containing extensions such as zip, js, and vbs, for use by the kasprof1 profile.

  2. Configure the scan mode setting. You can choose to scan all files or to scan only the files that have the extensions you specify. This example uses the by-extension scan mode so that the device consults the extlist1 list.

Configuration

Procedure

Step-by-Step Procedure

To configure full antivirus file extension scanning:

  1. Create the filename-extension list and add extensions to it.

  2. Configure the profile's scan-extension setting to reference the list.

  3. Configure the scan mode setting.

  4. If you are done configuring the device, commit the configuration.
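The four steps above, written out as an added example in the brace format that show security utm displays from configuration mode. This is not configuration copied from the original page: the statement paths are those of the kaspersky-lab-engine hierarchy under security utm, the names extlist1 and kasprof1 and the extensions zip, js and vbs come from the overview above, and everything else is illustrative.

```junos
## Added example, not from the original page: contents of [edit security utm]
## for by-extension scanning. Load with "load merge terminal" at that hierarchy,
## or express each leaf as the equivalent "set security utm ..." statement.
custom-objects {
    ## Step 1: the filename-extension list. Entries are case-insensitive,
    ## at most 15 bytes each, at most 255 per list; the list name is at most 29 bytes.
    filename-extension extlist1 {
        value [ zip js vbs ];
    }
}
feature-profile {
    anti-virus {
        kaspersky-lab-engine {
            profile kasprof1 {
                scan-options {
                    ## Step 2: bind the list to this profile.
                    scan-extension extlist1;
                    ## Step 3: only objects whose extension is on the list are scanned;
                    ## an object with no extension at all is still scanned.
                    ## "scan-mode scan-all" scans every object regardless of its name.
                    scan-mode by-extension;
                }
            }
        }
    }
}
```

After commit, the profile has no effect on traffic until a UTM policy references it and a firewall policy applies that UTM policy; see Understanding Full Antivirus Scan Level Settings. From operational mode, show security utm anti-virus status reports whether the engine and its pattern database are ready, and show security utm anti-virus statistics shows how many objects were scanned versus skipped.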

Verification

Verify the Security UTM Configuration

Purpose

To verify that the security UTM configuration is working properly.

Action

From the operational mode, enter the show security utm command.

Understanding Full Antivirus Scan Level Settings

The Kaspersky Lab scan is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, the antivirus module allows you to configure scanning options on a global level, on a UTM profile level, or on a firewall policy level. Each configuration level has the following implications:

  • Global antivirus settings—Settings are applied to all antivirus sessions. Global settings are general overall configurations for the antivirus module or settings that are not specific for profiles.

  • Profile-based settings—Antivirus settings are different for different protocols within the same policy.

  • Policy-based settings—Antivirus settings are different for different policies. Policy-based antivirus settings are applied to all scan-specified traffic defined in a firewall policy.

The majority of antivirus settings are configured within an antivirus profile. A UTM policy binds that profile to specific protocols, and a firewall policy then applies the UTM policy to traffic. If a firewall policy with an antivirus setting matches the properties of a traffic flow, the antivirus setting is applied to the traffic session. Therefore, you can apply different antivirus settings for different protocols and for different traffic sessions.

Example: Configuring Full Antivirus Scan Settings at Different Levels

The Kaspersky Lab scan is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, this example shows how to configure full antivirus scan settings at different levels.

Requirements

Before you begin, decide the type of scanning option you require. See Understanding Full Antivirus Scan Level Settings.

Overview

In this example, you define antivirus scanning options on any of the following levels:

  • Global level

  • UTM profile level using the kasprof1 UTM profile

  • Firewall policy level using the p1 UTM policy

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure antivirus scanning options at different levels:

  1. Configure scanning options at the global level.

  2. Configure scanning options at the UTM profile level.

  3. Configure scanning options at the UTM policy level.
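The three levels from the steps above, plus the firewall policy that finally applies them, as an added example in brace format under [edit security]. This is not configuration from the original page: the profile name kasprof1 and the UTM policy name p1 are the page's, while the zone names, the pattern-update URL and interval, the application list and the fallback choices are assumptions made for illustration.

```junos
## Added example, not from the original page: [edit security] fragment showing
## global, profile and UTM-policy level antivirus settings and the firewall
## policy that applies them. Zone names, URL, interval and fallback choices are assumed.
utm {
    feature-profile {
        anti-virus {
            ## Global level: applies to every antivirus session, whatever the profile.
            type kaspersky-lab-engine;
            kaspersky-lab-engine {
                pattern-update {
                    ## Assumed update source and interval (minutes).
                    url http://update.juniper-updates.net/AV/SRX210/;
                    interval 60;
                }
                ## Profile level: behaviour reused by any UTM policy that references it.
                profile kasprof1 {
                    fallback-options {
                        ## log-and-permit fails open when the engine cannot scan;
                        ## use block to fail closed.
                        default log-and-permit;
                    }
                    scan-options {
                        scan-mode scan-all;
                    }
                }
            }
        }
    }
    ## UTM policy level: which profile inspects which protocol within this policy.
    utm-policy p1 {
        anti-virus {
            http-profile kasprof1;
            ftp {
                upload-profile kasprof1;
                download-profile kasprof1;
            }
            smtp-profile kasprof1;
        }
    }
}
## The UTM policy acts only on traffic that this firewall policy permits.
policies {
    from-zone trust to-zone untrust {
        policy p1 {
            match {
                source-address any;
                destination-address any;
                application [ junos-http junos-ftp junos-smtp ];
            }
            then {
                permit {
                    application-services {
                        utm-policy p1;
                    }
                }
            }
        }
    }
}
```

Two things to check when reviewing such a configuration: the fallback action, because it decides whether content the engine could not scan is passed or dropped, and the application list in the firewall policy, because traffic that the policy does not match never reaches the UTM policy at all.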

Results

From configuration mode, confirm your configuration by entering the show security utm command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Scan Settings at Different Levels

Purpose

Verify the scan settings at different levels.

Action

From operational mode, enter the show configuration security utm command.

Understanding Full Antivirus Intelligent Prescreening

Intelligent prescreening is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, intelligent prescreening is enabled by default to improve antivirus scanning performance. The antivirus module generally begins to scan data only after the gateway device has received all the packets of a file. Intelligent prescreening tells the antivirus module to begin much earlier: the scan engine uses the first packet or the first several packets to judge whether the file could contain malicious code. If that quick check finds it unlikely that the file is infected, the engine decides that it is safe to bypass the normal scanning procedure. Because the decision is made on the leading packets only, prescreening is a trade of coverage for throughput; disable it on profiles where full inspection matters more than performance.

Intelligent prescreening is only intended for use with non-encoded traffic. It is not applicable for MIME encoded traffic, mail protocols (SMTP, POP3, IMAP) and HTTP POST.

Example: Configuring Full Antivirus Intelligent Prescreening

Intelligent prescreening is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, this example shows how to configure full antivirus intelligent prescreening. By default, intelligent prescreening is enabled to improve antivirus scanning performance.

Requirements

Before you begin, understand how intelligent prescreening enables the improvement of antivirus scanning performance. See Understanding Full Antivirus Intelligent Prescreening.

Overview

In this example, you perform the following tasks:

  • Enable intelligent prescreening for the kasprof1 profile.

  • Disable intelligent prescreening for the kasprof1 profile.

Configuration

Procedure

Step-by-Step Procedure

To enable or disable full antivirus intelligent prescreening:

  1. Enable intelligent prescreening for the kasprof1 profile.

  2. Disable intelligent prescreening for the kasprof1 profile.

    Note:

    Intelligent prescreening is intended only for use with non-encoded traffic. It is not applicable to MIME-encoded traffic, mail protocols (SMTP, POP3, IMAP), or HTTP POST.

  3. If you are done configuring the device, commit the configuration.

Verification

Verify the Security UTM Configuration

Purpose

To verify that the security UTM configuration is working properly.

Action

From the operational mode, enter the show security utm command.

Understanding Full Antivirus Content Size Limits

The Content Size Limit is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, due to resource constraints, there is a default, device-dependent limit on the maximum content size that the scan engine accepts. The content size value is configurable, within a lower and an upper bound. (This range is device dependent and is not configurable.) Content above the limit is not scanned at all, so the action taken when the limit is exceeded matters as much as the limit itself.

The content size check occurs before the scan request is sent. The exact timing of this is protocol dependent. If the protocol header contains an accurate content length field, the content size check takes place when the content length field is extracted during header parsing. The content size usually refers to file size. If there is no content length field, the size is checked while the antivirus module is receiving packets. The content size, in this case, refers to accumulated TCP payload size. This setting can be used in all protocols.

Configuring Full Antivirus Content Size Limits (CLI Procedure)

The Content Size Limit is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to configure content size limits, use the following CLI configuration statements:

Understanding Full Antivirus Decompression Layer Limits

The Decompression Layer Limit is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, the decompression layer limit specifies how many layers of nested compressed files and files with internal extractable objects, such as archive files (tar), MS Word and PowerPoint files, the internal antivirus scanner can decompress before it executes the virus scan. For example, if a message contains a compressed .zip file that contains another compressed .zip file, there are two compression layers. Decompressing both files requires a decompress layer setting of 2.

It is worth noting that during the transfer of data, some protocols use content encoding. The antivirus scan engine must decode this layer, which is considered a decompression level, before it scans for viruses.

There are three kinds of compressed data:

  • compressed file (zip, rar, gzip)

  • encoded data (MIME)

  • packaged data (OLE, .CAP, .MSI, .TAR, .EML)

A decompression layer could be a layer of a zipped file or an embedded object in packaged data. The antivirus engine scans each layer before unpacking the next layer, until it either reaches the user-configured decompress limit, reaches the device decompress layer limit, finds a virus or other malware, or decompresses the data completely, whichever comes first.

As the virus signature database becomes larger and the scan algorithms become more sophisticated, the scan engine has the ability to look deeper into the data for embedded malware. As a result, it can uncover more layers of compressed data. The depth of inspection the device can provide is bounded by the decompress limit, which in turn depends on the memory allocated to the security service. If no virus is found before the decompress limit is reached, the remaining layers are not scanned, and you choose whether the data is then passed or dropped. This setting can be used in all protocols.

Configuring Full Antivirus Decompression Layer Limits (CLI Procedure)

The Decompression Layer Limit is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to configure decompression layer limits, use the following CLI configuration statements:

Understanding Full Antivirus Scanning Timeouts

The scanning timeout parameter is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, the scanning timeout value covers the time from when the scan request is generated to when the scan result is returned by the scan engine. The time range is 1 to 1800 seconds. By default, it is 180 seconds.

Note:

This timeout parameter is used by all supported protocols. Each protocol can have a different timeout value.

Configuring Full Antivirus Scanning Timeouts (CLI Procedure)

The scanning timeout parameter is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to configure scanning timeouts, use the following CLI configuration statements:
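The profile-level limits from the preceding sections (intelligent prescreening, content size limit, decompression layer limit, and scanning timeout), gathered into one added example under [edit security utm feature-profile anti-virus kaspersky-lab-engine profile kasprof1]. This is not configuration from the original page: the profile name kasprof1 is the page's; the numeric values are illustrative, the unit of content-size-limit is kilobytes as I understand the statement, and the allowed ranges are device dependent except where the page states them.

```junos
## Added example, not from the original page: limits under
## [edit security utm feature-profile anti-virus kaspersky-lab-engine profile kasprof1].
## Values are illustrative; ranges are device dependent unless stated.
scan-options {
    ## Prescreening is on by default; this statement makes that explicit.
    ## To turn it off on this profile, use "no-intelligent-prescreening" instead.
    intelligent-prescreening;
    ## Maximum content size (kilobytes). Larger objects are never scanned, so the
    ## content-size fallback below decides whether they pass.
    content-size-limit 20000;
    ## Two nested layers, e.g. a zip inside a zip; MIME decoding also counts as a layer.
    decompress-layer-limit 2;
    ## Seconds from scan request to scan result: 1 to 1800, default 180.
    timeout 180;
}
fallback-options {
    ## Fail closed whenever a limit is hit; log-and-permit would pass the
    ## object through without a complete scan.
    content-size block;
    decompress-layer block;
    timeout block;
    default log-and-permit;
}
```

Each scan-options limit has a matching fallback-options action, and the pair should be read together: a generous limit with block is a different security posture from a tight limit with log-and-permit, because the second one lets exactly the objects that exceeded the limit through unscanned.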

Understanding Full Antivirus Scan Session Throttling

Scan session throttling is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, a malicious user might generate a large amount of traffic all at once in an attempt to consume all available resources and hinder the ability of the scan engine to scan other traffic. To prevent such activity from succeeding, a session throttle is imposed on antivirus resources, restricting the amount of traffic a single source can consume at one time. The limit is an integer, 100 by default, giving the maximum allowed sessions from a single source. You may change this default, but a high limit is comparable to no limit at all.

Over-limit is a fallback setting for the connection-per-client limit. The default behavior of over-limit is to block sessions. This is a per-policy setting. You can specify different settings for different UTM policies.

Configuring Full Antivirus Scan Session Throttling (CLI Procedure)

Scan session throttling is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to configure scan session throttling, use the following CLI configuration statements:
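The per-policy throttle described above, as an added example under [edit security utm utm-policy p1]. This is not configuration from the original page: the UTM policy name p1 is the page's, the limit value 100 is the page's stated default written out explicitly, and the over-limit action is the page's stated default.

```junos
## Added example, not from the original page: session throttle under
## [edit security utm utm-policy p1]. Values are the page's defaults, made explicit.
traffic-options {
    sessions-per-client {
        ## Maximum concurrent antivirus-scanned sessions from one source address.
        ## A very large value is effectively no limit.
        limit 100;
        ## Action for sessions beyond the limit. block is the default; the
        ## alternative, log-and-permit, logs the excess sessions and lets them through.
        over-limit block;
    }
}
```

Because this is a per-UTM-policy setting, a policy that protects an internal mail relay can keep a tight limit with block while a policy for general web browsing uses a higher limit; the source address is the only key, so hosts behind a shared NAT address count as one client.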

Release History Table

Release        Description

15.1X49-D10    The Kaspersky Antivirus feature, including the Kaspersky Lab scan engine and scan, intelligent prescreening, the content size limit, the decompression layer limit, the scanning timeout parameter, and scan session throttling, is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.