
On-Device Avira Antivirus

Read this topic to understand how to use Avira Antivirus to scan application traffic and prevent viruses from entering your network.

You can also watch the video Avira Antivirus Solution on SRX Series Firewalls to learn how to install and use Avira antivirus on your security device.

Avira Antivirus Overview

Junos OS Content Security integrates with Avira’s Antivirus functionality and provides a full file-based scan engine. This antivirus protection secures your device by scanning application layer traffic and blocking harmful content such as infected files, trojans, worms, spyware, and other malicious data.

Avira Antivirus scans the network traffic by accessing the virus pattern database and identifies the virus. Avira Antivirus drops the infected file and notifies the user.

Table 1 lists the components and license details for Avira Antivirus.

Table 1: Components and License Details for Avira Antivirus

Components

Detailed Information

Virus pattern database

Avira Antivirus checks the virus signature database to identify and then remove signatures.

The virus pattern database is available at the following locations:

By default, SRX Series Firewalls download the updates for the pattern database. See Configure Avira Antivirus Scanning Options to schedule the automatic download option.

Avira Antivirus scan engine

Avira Antivirus provides the scan engine that examines a file for known viruses in real time. You must install and activate the Avira Antivirus scan engine on your SRX Series Firewall. See Example: Configure Avira Antivirus for steps to install and activate the Avira Antivirus scan engine.

Avira Antivirus scan engine decompresses files before scanning for virus detection. For more information, see decompress-layer-limit.

In the following scenarios, Avira Antivirus scan engine on the SRX Series Firewall does not scan the application traffic:

  • The scan engine is not ready.

  • There are too many scanning requests.

  • The scanned file size is larger than a configured limit.

  • The scanned file has too many nested layers of compression.

  • The memory file system is full.

License details

Avira Antivirus scan engine is a licensed subscription service.

With this license, you can use a full file-based and real-time Avira Antivirus scanning function. The antivirus functionality uses the latest updated virus signature database.

When the license expires, you can continue to use the locally stored antivirus signatures without any updates. If you delete the local database, you cannot run antivirus scanning.

For more information about licenses, see Licenses for SRX Series.

Benefits

  • Secures your device and protects your network from viruses, trojans, rootkits, and other types of malicious code.

  • Provides improved scanning performance as the virus signature database and Avira Antivirus scan engine reside locally on the device.

Example: Configure Avira Antivirus

In this example, you’ll learn how to configure Avira antivirus on your security device. This topic explains how to use the default antivirus profile and a customized antivirus profile to secure your device from harmful content such as infected files, trojans, worms, spyware, and other malicious data.

Requirements

Before you begin:

  • Verify that you have an Avira antivirus license. For more information on how to verify licenses on your device, see Understanding Licenses for SRX Series Firewalls.

  • SRX Series Firewall with Junos OS Release 18.4R1 or later.

  • For vSRX Virtual Firewall, the minimum requirement is 4 CPU cores and 4 GB memory.

We’ve tested this example using an SRX1500 device with Junos OS Release 18.4R1.

Overview

Let’s take a look at a typical enterprise network. An end user unknowingly visits a compromised website and downloads malicious content. This action results in compromise of the endpoint. The harmful content on the endpoint also becomes a threat to other hosts within the network. It is important to prevent the download of the malicious content.

You can use an SRX Series Firewall with Avira antivirus to protect users from virus attacks and to prevent the spread of viruses in your system. Avira antivirus scans network traffic for viruses, trojans, rootkits, and other types of malicious code and blocks the malicious content immediately when detected.

Figure 1 shows an example of Avira antivirus on SRX Series Firewall usage.

Figure 1: Avira Antivirus on SRX Series

In this example, you’ll learn how to configure Avira antivirus on your security device. You have the following options.

Configuration

You can enable the Juniper Networks pre-configured antivirus profile. When you use the default antivirus feature profile option, you don't have to configure additional parameters. In this procedure, you create a Content Security policy with default antivirus profiles for all protocols and apply the Content Security policy in a security policy for the permitted traffic.

Use Default Antivirus Profile to Start Antivirus Scanning

Step-by-Step Procedure

To use default antivirus profile, complete the following steps:

  1. Enable Avira antivirus scan on your security device.

    After configuring Avira as the antivirus type, reboot the device for the new scan engine to take effect.

  2. Select default antivirus profile for HTTP, FTP, SMTP, POP3, and IMAP protocols.

  3. Apply the Content Security policy to the security policy.

  4. Commit the configuration.

Configure Avira Antivirus Scanning Options

Step-by-Step Procedure

In this procedure, you’ll perform optional steps to prepare your security device to use Avira antivirus.

  1. To manually update the virus signature database, specify the URL of the database server. If you do not specify a URL, the default URL, https://update.juniper-updates.net/avira, is used, and your security device downloads the pattern updates from there. The location of the virus pattern database depends on your SRX Series mode. See Table 1 for more details.

    This step downloads the pattern and engine files from the specified URL.

  2. Set an interval for regular download of antivirus pattern update.

    In this step, you are changing the default from every 24 hours to every 48 hours. The default antivirus pattern-update interval is 1440 minutes (every 24 hours).

  3. Send an e-mail notification once the pattern update completes.

  4. (Optional) Configure pattern update from a proxy profile.

    Use this option if your internal network device does not have direct access to the Internet and can reach the Internet only through a proxy server.

  5. (Optional) Configure on-box antivirus to heavy mode.

    This step allocates additional resources for improved performance.

    To use the antivirus scan in light mode, use the delete chassis onbox-av-load-flavor heavy command. Reboot the device once you change the modes.

  6. (Optional) Change the operating mode from the default continuous delivery function (CDF) to hold mode. When you change to hold mode, the system withholds all the packets until you get the final result.

    For more details on CDF mode and Inline Tap mode, see forwarding-mode.

Configure Avira Antivirus Scanning with Custom Profile

You must complete the steps as in Table 2 to configure Avira antivirus with custom options on your security device.

Table 2: Steps for Avira Antivirus Scanning Using Custom Profile

Step

Details

Step 1: Define custom objects

In this step, you will define antivirus scanning options:

  • MIME allowlist—Include the types of traffic that you want to bypass antivirus scanning.

  • MIME exception list—Specify MIME types to exclude from the MIME allowlist.

  • Custom URL categories—Define URLs that you want to bypass antivirus scanning.

Alternatively, you can use the default list junos-default-bypass-mime.

Step 2: Create antivirus feature profile

  • Apply MIME list, exception list, and custom URL category created in step 1 to the antivirus feature profile.

  • Configure antivirus scanning settings such as data file update interval, notification options for administrators, fallback options, and file size limits.

Step 3: Create Content Security policy

Associate the antivirus profile created in Step 2 for FTP, HTTP, POP3, SMTP, and IMAP traffic. Content Security policies control which protocol traffic is sent to the antivirus scanning engine.

Step 4: Apply Content Security policy to a security policy

Specify Content Security policy as application services in the security policy. The Content Security antivirus settings are applied for the traffic that matches the security policy rules.

See scan-options and trickling to understand the scanning configuration parameters available for the antivirus feature.

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Note:

The [edit security utm feature-profile] hierarchy level is deprecated in Junos OS Release 18.2R1. For more information, see Content Security Overview.

Step-by-Step Procedure

To configure the on-device antivirus feature profile using the CLI:

  1. Enable Avira antivirus scan on your security device if you have not already enabled it.

    After configuring Avira as the antivirus type, reboot the device for the new scan engine to take effect.

  2. Create custom objects.

  3. Create the antivirus profile.

  4. Configure a list of fallback options.

    Fallback options specify the actions to take when traffic cannot be scanned.

  5. Configure notification options for fallback blocking actions.

  6. Configure the antivirus module to use MIME bypass lists and exception lists.

  7. Configure the antivirus module to use URL bypass lists. URL allowlists are valid only for HTTP traffic. In this example you use the lists that you set up earlier.

  8. Configure a Content Security policy and attach the antivirus feature profile Avira-AV-Profile.

  9. Configure a security policy and apply the Content Security policy UTM-AV-Policy as application services for the permitted traffic.
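
Step 4's fallback options decide what happens in the cases the overview lists where the scan engine does not scan traffic, so a permit or log-and-permit action lets unscanned files through. The following Python check is an added example, not part of the original page or Juniper's tooling; it flags such settings in a set-format configuration. The sample configuration is constructed, and the pairing of fallback keywords with the page's scenarios is an assumption.

```python
import re

# Fallback keywords as used under Junos anti-virus fallback-options. The
# reason text paraphrases the page; the keyword-to-reason pairing is assumed.
FALLBACK_REASONS = {
    "engine-not-ready": "scan engine is not ready",
    "too-many-requests": "too many scanning requests",
    "content-size": "file larger than the configured limit",
    "out-of-resources": "device resources exhausted",
    "timeout": "scan did not finish in time",
    "default": "any other reason traffic cannot be scanned",
}
FAIL_OPEN = {"permit", "log-and-permit"}
LINE_RE = re.compile(r"^set security utm feature-profile anti-virus profile "
                     r"(\S+) fallback-options (\S+) (\S+)$")
PREFIX = "set security utm feature-profile anti-virus profile Avira-AV-Profile"
# Constructed sample configuration in set format, not from a real device.
SAMPLE_CONFIG = "\n".join([
    "set security utm default-configuration anti-virus type avira-engine",
    PREFIX + " fallback-options default log-and-permit",
    PREFIX + " fallback-options content-size block",
    PREFIX + " fallback-options engine-not-ready log-and-permit",
    PREFIX + " fallback-options too-many-requests block",
    "set security utm utm-policy UTM-AV-Policy anti-virus http-profile Avira-AV-Profile",
])

def audit_fallback(config_text):
    """Return {profile: {option: status}} for fallback options to review."""
    # "fail-open (...)": unscanned traffic is explicitly allowed through.
    # "not set": no line for the option, so the platform default applies.
    configured = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            profile, option, action = m.groups()
            configured.setdefault(profile, {})[option] = action
    findings = {}
    for profile, opts in configured.items():
        for option in FALLBACK_REASONS:
            action = opts.get(option)
            if action is None or action in FAIL_OPEN:
                status = "not set" if action is None else f"fail-open ({action})"
                findings.setdefault(profile, {})[option] = status
    return findings

if __name__ == "__main__":
    for profile, issues in audit_fallback(SAMPLE_CONFIG).items():
        for option, status in issues.items():
            print(f"{profile}: {option} [{FALLBACK_REASONS[option]}] -> {status}")
```

Only profiles with at least one fallback-options line are reported; a profile with none does not appear in the result and needs a separate check.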

Results

From configuration mode, confirm your configuration by entering the show security utm, show services, and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To verify the configuration is working properly, use the following steps:

Obtaining Information About the Current Antivirus Status

Purpose
Action

From operational mode, enter the show security utm anti-virus status command to view the antivirus status.

Sample Output
Meaning
  • Antivirus key expire date—The license key expiration date.

  • Update server—URL for the data file update server.

    • Interval—The interval, in minutes, at which the device updates the data file from the update server.

    • Pattern update status—When the data file will be updated next, displayed in minutes.

    • Last result—Result of the last update.

  • Antivirus signature version—Version of the current data file.

  • Scan engine type—The antivirus engine type that is currently running.

  • Scan engine information—Version of the scan engine.

Validate Avira Antivirus on Your Security Device

Purpose

Validate whether the Avira Antivirus solution is working on SRX Series Firewalls.

Action

Test the antivirus capability safely by using the Eicar.org website. Your security device displays an error message as shown when you try to download an unsafe file.

Figure 2: Validating Antivirus Solution
Meaning

The message indicates that your security device has blocked malicious content.