Full Antivirus File Scanning
The full file-based antivirus module is the software subsystem on the gateway device that scans specific Application Layer traffic to protect users from virus attacks and to prevent viruses from spreading. The antivirus module allows you to configure scanning options on a global level, on a UTM profile level, or on a firewall policy level. The following topics describe these options.
Understanding the Full Antivirus Scan Engine
The Kaspersky Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, the full file-based antivirus module is the software subsystem on the gateway device that scans specific Application Layer traffic to protect users from virus attacks and to prevent viruses from spreading. The antivirus software subsystem consists of a virus signature database, an application proxy, the scan manager, and the scan engine.
Kaspersky Lab provides the scan engine, which works in the following manner:
A client establishes a TCP connection with a server and then starts a transaction.
If the application protocol in question is marked for antivirus scanning, the traffic is forwarded to an application proxy for parsing.
When the scan request is sent, the scan engine scans the data by querying a virus pattern database.
The scan manager monitors antivirus scanning sessions, checking the properties of the data content against the existing antivirus settings.
After scanning has occurred, the result is then handled by the scan manager.
The Kaspersky Lab scan engine supports regular file scanning and script file scanning. With regular file scanning, the input object is a regular file. The engine matches the input content with all possible signatures. With script file scanning, the input object is a script file. It can be JavaScript, VBScript, mIRC script, bat scripts (DOS bat files), and other text scripts. The engine matches the input content only with signatures for script files. Script scanning is only applicable for HTML content over the HTTP protocol. There are two criteria for this scan type. First, the content-type field of this HTML document must be text or HTML. Second, there is no content encoding in the HTTP header. If those two criteria are met, an HTML parser is used to parse the HTML document for scripts.
Understanding Full Antivirus Scan Mode Support
The Kaspersky Lab scan engine is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, the Kaspersky Lab scan engine supports two modes of scanning:
scan-all—This option tells the scan engine to scan all the data it receives.
scan-by-extension—This option bases all scanning decisions on the file extensions found in the traffic in question.
When scanning content, you can use a file extension list to define a set of file extensions that are used in file extension scan mode (scan-by-extension). The antivirus module can then scan files with extensions on the scan-extension list. If an extension is not defined in an extension list, the file with that extension is not scanned in scan-by-extension mode. If there is no extension present, the file in question is scanned.
When using a file extension list to scan content, please note the following requirements:
File extension entries are case-insensitive.
The maximum length of the file extension list name is 29 bytes.
The maximum length of each file extension entry is 15 bytes.
The maximum entry number in a file extension list is 255.
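The scan-by-extension decision and the list limits above, modelled in Python as an added example (this is not Juniper code; the function names and the treatment of a path's last dot-separated component as its extension are assumptions):

```python
# Added example (not Juniper code): models the scan-by-extension decision
# and the extension-list limits described above.
MAX_LIST_NAME_BYTES = 29
MAX_ENTRY_BYTES = 15
MAX_ENTRIES = 255


def validate_extension_list(name, entries):
    """Return the list of limit violations (empty when the list is acceptable)."""
    problems = []
    if len(name.encode()) > MAX_LIST_NAME_BYTES:
        problems.append("list name longer than 29 bytes")
    if len(entries) > MAX_ENTRIES:
        problems.append("more than 255 entries")
    for ext in entries:
        if len(ext.lstrip(".").encode()) > MAX_ENTRY_BYTES:
            problems.append(f"entry {ext!r} longer than 15 bytes")
    return problems


def build_extension_list(name, entries):
    """Normalise a filename-extension custom object.

    Entries are case-insensitive, so they are stored lower-cased and
    without a leading dot. Raises ValueError on any limit violation.
    """
    problems = validate_extension_list(name, entries)
    if problems:
        raise ValueError("; ".join(problems))
    return {"name": name, "entries": {e.lstrip(".").lower() for e in entries}}


def should_scan(filename, ext_list, scan_mode="by-extension"):
    """Return True when the file would be handed to the scan engine.

    scan-all: every file is scanned.
    by-extension: scanned when the extension is on the list, skipped
    when it carries an extension that is not on the list, and scanned
    when no extension is present at all.
    """
    if scan_mode == "scan-all":
        return True
    base = filename.rsplit("/", 1)[-1]
    if "." not in base.lstrip("."):
        return True  # no extension present: the file is scanned
    ext = base.rsplit(".", 1)[-1].lower()
    return ext in ext_list["entries"]
```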
Configuring Full Antivirus File Extension Scanning (CLI Procedure)
The Kaspersky Lab scan is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to configure file-extension scanning, use the following CLI configuration statements:
security utm {
    custom-objects {
        filename-extension {
            ; set of list name
            extension-list-name; #mandatory
            value windows-extension-string;
        }
    }
}
security utm feature-profile anti-virus kaspersky-lab-engine profile name {
    scan-options {
        scan-extension ext-list
    }
}
Example: Configuring Full Antivirus File Extension Scanning
The Kaspersky Lab scan is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, this example shows how to configure full antivirus file extension scanning.
Requirements
Before you begin, decide the mode of scanning you require. See Understanding Full Antivirus Scan Mode Support.
Overview
In this example, you perform the following tasks:
Create a filename extension list (a custom object) called extlist1 for the kasprof1 profile, and add the extensions zip, js, and vbs to it.
Configure the scan mode setting. You can choose to scan all files or to scan only the files that have the extensions that you specify. This example uses the by-extension scan mode so that the device scans according to the extlist1 list.
Configuration
Procedure
Step-by-Step Procedure
To configure full antivirus file extension scanning:
Create the filename extension list and add extensions to it.
[edit]
user@host# set security utm custom-objects filename-extension extlist1 value [zip js vbs]
Configure the scan extension setting so that the kasprof1 profile uses the list.
[edit]
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine profile kasprof1 scan-options scan-extension extlist1
Configure the scan mode setting.
[edit]
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine profile kasprof1 scan-options scan-mode by-extension
If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Understanding Full Antivirus Scan Level Settings
The Kaspersky Lab scan is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, the antivirus module allows you to configure scanning options on a global level, on a UTM profile level, or on a firewall policy level. Each configuration level has the following implications:
Global antivirus settings—Settings are applied to all antivirus sessions. Global settings are general overall configurations for the antivirus module or settings that are not specific for profiles.
Profile-based settings—Antivirus settings are different for different protocols within the same policy.
Policy-based settings—Antivirus settings are different for different policies. Policy-based antivirus settings are applied to all scan-specified traffic defined in a firewall policy.
The majority of antivirus settings are configured within an antivirus profile, bound to specified protocols, and used by designated policies. These UTM policies are then applied to the traffic according to firewall policies. If a firewall policy with an antivirus setting matches the properties of a traffic flow, the antivirus setting is applied to the traffic session. Therefore, you can apply different antivirus settings for different protocols and for different traffic sessions.
Example: Configuring Full Antivirus Scan Settings at Different Levels
The Kaspersky Lab scan is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, this example shows how to configure full antivirus scan settings at different levels.
Requirements
Before you begin, decide the type of scanning option you require. See Understanding Full Antivirus Scan Level Settings.
Overview
In this example, you define antivirus scanning options on any of the following levels:
Global level
UTM profile level using the kasprof1 UTM profile
Firewall policy level using the p1 UTM policy
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update interval 20
set security utm feature-profile anti-virus kaspersky-lab-engine profile kasprof1 fallback-options default block
set security utm utm-policy p1 anti-virus http-profile av-profile
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure antivirus scanning options at different levels:
Configure scanning options at the global level.
[edit security utm]
user@host# set feature-profile anti-virus kaspersky-lab-engine pattern-update interval 20
Configure scanning options at the UTM profile level.
[edit security utm]
user@host# set feature-profile anti-virus kaspersky-lab-engine profile kasprof1 fallback-options default block
Configure scanning options at the UTM policy level.
[edit security utm]
user@host# set utm-policy p1 anti-virus http-profile av-profile
Results
From configuration mode, confirm your configuration by entering the show security utm command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
[edit]
user@host# show security utm
...
utm-policy p1 {
    anti-virus {
        http-profile av-profile
        ftp {
            upload-profile av-profile
            download-profile av-profile
        }
    }
}
...
If you are done configuring the device, enter commit from configuration mode.
Understanding Full Antivirus Intelligent Prescreening
Intelligent prescreening is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, intelligent prescreening is enabled by default to improve antivirus scanning performance. The antivirus module generally begins to scan data only after the gateway device has received all the packets of a file. Intelligent prescreening tells the antivirus module to begin scanning a file much earlier: the scan engine uses the first packet or the first several packets to determine whether the file could possibly contain malicious code. It does a quick check on these first packets and, if it finds that the file is unlikely to be infected, decides that it is safe to bypass the normal scanning procedure.
Intelligent prescreening is only intended for use with non-encoded traffic. It is not applicable for MIME encoded traffic, mail protocols (SMTP, POP3, IMAP) and HTTP POST.
Example: Configuring Full Antivirus Intelligent Prescreening
Intelligent prescreening is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, this example shows how to configure full antivirus intelligent prescreening. By default, intelligent prescreening is enabled to improve antivirus scanning performance.
Requirements
Before you begin, understand how intelligent prescreening enables the improvement of antivirus scanning performance. See Understanding Full Antivirus Intelligent Prescreening.
Overview
In this example, you perform the following tasks:
Enable intelligent prescreening for the kasprof1 profile.
Disable intelligent prescreening for the kasprof1 profile.
Configuration
Procedure
Step-by-Step Procedure
To enable or disable full antivirus intelligent prescreening:
Enable intelligent prescreening for the kasprof1 profile.
[edit]
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine profile kasprof1 scan-options intelligent-prescreening
Disable intelligent prescreening for the kasprof1 profile.
[edit]
user@host# set security utm feature-profile anti-virus kaspersky-lab-engine profile kasprof1 scan-options no-intelligent-prescreening
Note: Intelligent prescreening is intended only for use with non-encoded traffic. It is not applicable to mail protocols (SMTP, POP3, IMAP) or HTTP POST.
If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Understanding Full Antivirus Content Size Limits
The content size limit is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, due to resource constraints, there is a default, device-dependent limit on the maximum content size for the database. The content size value is configurable. There is also a lower and an upper bound for the maximum content size. (This range is device dependent and is not configurable.)
The content size check occurs before the scan request is sent. The exact timing of this is protocol dependent. If the protocol header contains an accurate content length field, the content size check takes place when the content length field is extracted during header parsing. The content size usually refers to file size. If there is no content length field, the size is checked while the antivirus module is receiving packets. The content size, in this case, refers to accumulated TCP payload size. This setting can be used in all protocols.
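The two timing paths described above (a decision at header-parse time when a content length is present, otherwise a running count of received payload), as an added Python example that is not Juniper code; the function names, the sample HTTP headers and the segment sizes are constructed for illustration, and the limit is expressed in KB like the content-size-limit statement:

```python
# Added example (not Juniper code): models when the content-size check
# fires. Sizes are KB, as in the content-size-limit statement.
LIMIT_KB = 10


def check_from_header(headers, limit_kb=LIMIT_KB):
    """Header-parsing path: decide as soon as Content-Length is parsed.

    Returns ("header", over_limit), or None when no length field exists
    (for example a chunked response), so the caller must count payload.
    """
    for line in headers.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length" and value.strip().isdigit():
            return ("header", int(value) > limit_kb * 1024)
    return None


def check_from_payload(segments, limit_kb=LIMIT_KB):
    """Streaming path: accumulate TCP payload and stop at the first
    segment that pushes the total past the limit.

    Returns (over_limit, segments_examined) so a caller can see how
    early the decision was reached.
    """
    total = 0
    for seen, seg in enumerate(segments, 1):
        total += len(seg)
        if total > limit_kb * 1024:
            return (True, seen)
    return (False, len(segments))


def content_size_decision(headers, segments, limit_kb=LIMIT_KB):
    """Prefer the header when it carries a length; otherwise fall back
    to counting payload as it arrives."""
    header_result = check_from_header(headers, limit_kb)
    if header_result is not None:
        return header_result
    over, _ = check_from_payload(segments, limit_kb)
    return ("payload", over)


# Constructed sample input: a 20 KB response announced in its header.
SAMPLE_HEADERS = "HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\nContent-Length: 20480\r\n\r\n"
```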
Configuring Full Antivirus Content Size Limits (CLI Procedure)
The content size limit is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to configure content size limits, use the following CLI configuration statements:
security utm feature-profile anti-virus kaspersky-lab-engine profile name {
    scan-options {
        content-size-limit KB;
    }
}
Understanding Full Antivirus Decompression Layer Limits
The decompression layer limit is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, the decompression layer limit specifies how many layers of nested compressed files, and of files with internal extractable objects such as archive files (tar) and MS Word and PowerPoint files, the internal antivirus scanner can decompress before it executes the virus scan. For example, if a message contains a compressed .zip file that contains another compressed .zip file, there are two compression layers. Decompressing both files requires a decompress layer setting of 2.
It is worth noting that during the transfer of data, some protocols use content encoding. The antivirus scan engine must decode this layer, which is considered a decompression level, before it scans for viruses.
There are three kinds of compressed data:
compressed file (zip, rar, gzip)
encoded data (MIME)
packaged data (OLE, .CAP, .MSI, .TAR, .EML)
A decompression layer could be a layer of a zipped file or an embedded object in packaged data. The antivirus engine scans each layer before unpacking the next layer, until it either reaches the user-configured decompress limit, reaches the device decompress layer limit, finds a virus or other malware, or decompresses the data completely, whichever comes first.
As the virus signature database becomes larger and the scan algorithms become more sophisticated, the scan engine has the ability to look deeper into the data for embedded malware. As a result, it can uncover more layers of compressed data. The Juniper Networks device's level of security is limited by the decompress limit, which is based on the memory allocated to the security service. If a virus is not found within the decompress limit, the user has an option to either pass or drop the data. This setting can be used in all protocols.
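The layer-by-layer behaviour described above (scan a layer, then unpack the next, until the configured limit, a match, or fully unpacked data), as an added Python example that is not Juniper code: it builds nested zip archives in memory as constructed input, and a constructed marker string stands in for a real signature; the function names and the pass/drop fallback argument are assumptions.

```python
# Added example (not Juniper code): nested-archive scanning with a
# decompress-layer limit. SIGNATURE is a constructed marker, not a real
# virus signature.
import io
import zipfile

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


def nested_zip(payload, depth):
    """Constructed input: wrap payload in `depth` deflated zip layers."""
    data = payload
    for i in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{i}.bin", data)
        data = buf.getvalue()
    return data


def scan_layers(data, decompress_limit, fallback="block"):
    """Scan each layer before opening the next, as the page describes.

    Returns (verdict, layers_opened):
      "infected"  signature found at the current layer,
      "clean"     data fully unpacked with no match,
      fallback    ("block" or "permit") when the limit is reached while
                  compressed content remains unopened.
    """
    layer = 0
    while True:
        if SIGNATURE in data:
            return ("infected", layer)
        if not zipfile.is_zipfile(io.BytesIO(data)):
            return ("clean", layer)  # nothing left to unpack
        if layer >= decompress_limit:
            return (fallback, layer)  # limit reached, apply pass/drop choice
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = b"".join(zf.read(name) for name in zf.namelist())
        layer += 1
```

With a limit of 1 the two-layer sample is never fully opened, so the outcome is whatever the fallback setting says rather than a clean verdict.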
Configuring Full Antivirus Decompression Layer Limits (CLI Procedure)
The decompression layer limit is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to configure decompression layer limits, use the following CLI configuration statements:
security utm feature-profile anti-virus kaspersky-lab-engine profile name {
    scan-options {
        decompress-layer-limit number
    }
}
Understanding Full Antivirus Scanning Timeouts
The scanning timeout parameter is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, the scanning timeout value covers the time from when the scan request is generated to when the scan result is returned by the scan engine. The time range can be 1 to 1800 seconds. By default, it is 180 seconds.
This timeout parameter is used by all supported protocols. Each protocol can have a different timeout value.
Configuring Full Antivirus Scanning Timeouts (CLI Procedure)
The scanning timeout parameter is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to configure scanning timeouts, use the following CLI configuration statements:
security utm feature-profile anti-virus kaspersky-lab-engine profile name {
    scan-options {
        timeout-value seconds;
    }
}
Understanding Full Antivirus Scan Session Throttling
Scan session throttling is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, a malicious user might generate a large amount of traffic all at once in an attempt to consume all available resources and hinder the ability of the scan engine to scan other traffic. To prevent such activity from succeeding, a session throttle is imposed for antivirus resources, restricting the amount of traffic a single source can consume at one time. The limit is an integer with 100 as the default setting; it is the maximum number of sessions allowed from a single source. You may change this default limit, but be aware that a very high limit is effectively no limit.
Over-limit is a fallback setting for the connection-per-client limit. The default behavior of over-limit is to block sessions. This is a per-policy setting. You can specify different settings for different UTM policies.
Configuring Full Antivirus Scan Session Throttling (CLI Procedure)
Scan session throttling is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to configure scan session throttling, use the following CLI configuration statements:
security utm utm-policy name traffic-options {
    sessions-per-client {
        limit number;
        over-limit { log-and-permit | block }
    }
}