Full Antivirus Scan Results and Fallback Options

Fallback options tell the system how to handle the errors returned by either the scan engine or the scan manager. Different antivirus scan results are handled in different manners. For example, if a scan result is clean, the traffic is forwarded to the receiver. If the scan result is infected, the traffic is dropped. If the scan results in an error, the result handling depends on the cause of the failure and the configuration (fallback settings). For more information, see the following topics:

Understanding Full Antivirus Scan Result Handling

The Full Antivirus Scan Result Handling is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, different antivirus scan results are handled in different manners. For example, if a scan result is clean, the traffic is forwarded to the receiver. If the scan result is infected, the traffic is dropped. If the scan results in an error, the result handling depends on the cause of the failure and the configuration (fallback settings).

The following is a list of actions based on scan results:

  • Scan Result = Pass

    The scan result handling action is to pass the message. In this case, either no virus is detected and no error code is returned, or an error code is returned but the fallback option for this error code is set to log-and-permit.

  • Scan Result = Block

    The scan result handling action is to block the message. In this case, either a virus is detected, or an error code is returned and the fallback option for this error code is set to block.

Monitoring Antivirus Scan Engine Status

Purpose

The Monitoring Antivirus Scan Engine Status is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, using the CLI, you can view the following scan engine status items:

Antivirus license key status

  • View license expiration dates.

Scan engine status and settings

  • View last action result.

  • View default file extension list.

Antivirus pattern update server settings

  • View update URL (HTTP or HTTPS-based).

  • View update interval.

Antivirus pattern database status

  • View auto update status.

  • View last result of database loading.

  • If the download completes, view the database version timestamp and virus record number.

  • If the download fails, view failure reason.

Action

In the CLI, enter the user@host> show security utm anti-virus status command.

Example status result:

Monitoring Antivirus Session Status

Purpose

The Monitoring Antivirus Session Status is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, using the CLI, you can view the following session status items:

Antivirus session status displays a snapshot of current antivirus sessions. It includes

  • Maximum supported antivirus session numbers.

  • Total allocated antivirus session numbers.

  • Total freed antivirus session numbers.

  • Current active antivirus session numbers.

Action

In the CLI, enter the user@host> show security utm session status command.

Monitoring Antivirus Scan Results

Purpose

The Monitoring Antivirus Scan Results are not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, view statistics for antivirus requests, scan results, and fallback counters.

Scan requests provide

  • The total number of scan requests forwarded to the engine.

  • The number of scan requests being pre-windowed.

  • The number of scan requests using scan-all mode.

  • The number of scan requests using scan-by-extension mode.

Scan code counters provide

  • Number of clean files.

  • Number of infected files.

  • Number of password protected files.

  • Number of decompress layers.

  • Number of corrupt files.

  • When the engine is out of resources.

  • When there is an internal error.

Fallback applied status provides either a log-and-permit or block result when the following has occurred

  • Scan engine not ready.

  • Maximum content size reached.

  • Too many requests.

  • Password protected file found.

  • Decompress layer too large.

  • Corrupt file found.

  • Timeout occurred.

  • Out of resources.

  • Other.

Action

To view antivirus scan results using the CLI editor, enter the user@host> show security utm anti-virus statistics status command.

To view antivirus scan results using J-Web:

  1. Select Monitor>Security>UTM>Anti-Virus.

    The following information becomes viewable in the right pane.

    Antivirus license key status

    • View license expiration dates.

    Antivirus pattern update server settings

    • View update URL (HTTP or HTTPS-based).

    • View update interval.

    Antivirus pattern database status

    • View auto update status.

    • View last result of database loading.

    • If the download completes, view the database version timestamp and virus record number.

    • If the download fails, view failure reason.

    Antivirus statistics provide

    • The number of scan requests being pre-windowed.

    • The total number of scan requests forwarded to the engine.

    • The number of scan requests using scan-all mode.

    • The number of scan requests using scan-by-extension mode.

    Scan code counters provide

    • Number of clean files.

    • Number of infected files.

    • Number of password protected files.

    • Number of decompress layers.

    • Number of corrupt files.

    • When the engine is out of resources.

    • When there is an internal error.

    Fallback applied status provides either a log-and-permit or block result when the following has occurred

    • Scan engine not ready.

    • Password protected file found.

    • Decompress layer too large.

    • Corrupt file found.

    • Out of resources.

    • Timeout occurred.

    • Maximum content size reached.

    • Too many requests.

    • Other.

  2. You can click the Clear Anti-Virus Statistics button to clear all current viewable statistics and begin collecting new statistics.

Understanding Antivirus Scanning Fallback Options

Fallback options tell the system how to handle the errors returned by either the scan engine or the scan manager. The following is a list of possible errors:

  • Scan engine is not ready (engine-not-ready)

    The scan engine is initializing itself, for example, loading the signature database. During this phase, the scan engine is not ready to scan a file. A file could either pass or be blocked according to this setting.

  • Corrupt file (corrupt-file)

    Corrupt file is the error returned by the scan engine when the engine detects a corrupted file.

  • Decompression layer (decompress-layer)

    Decompress layer error is the error returned by the scan engine when the scanned file has too many compression layers.

  • Password protected file (password-file)

    Password protected file is the error returned by the scan engine when the scanned file is protected by a password.

  • Max content size (content-size)

    If the content size exceeds a set limit, the content is passed or blocked depending on the content-size fallback option.

  • Too many requests (too-many-requests)

    If the total number of messages received concurrently exceeds the device limits, the content is passed or blocked depending on the too-many-requests fallback option. (The allowed request limit is not configurable.)

  • Timeout

    Scanning a complex file could consume resources and time. If the time taken for the scan exceeds the timeout setting in the antivirus profile, the processing is terminated and the content is passed or blocked without completing the virus checking. The decision is made based on the timeout fallback option.

  • Out of resources (out-of-resources)

    Virus scanning requires a great deal of memory and CPU resources. Due to resource constraints, memory allocation requests can be denied by the system. This failure could be returned by either the scan engine (as a scan code) or the scan manager. When out-of-resources occurs, scanning is terminated.

  • Default

    All the errors other than those in the above list fall into this category. This could include either unhandled system exceptions (internal errors) or other unknown errors.

The default fallback action for all the error types is log-and-permit.
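
The result handling and fallback rules described above, as an added example (not Juniper's code): it resolves the effective fallback action per error type from set-format configuration lines, lists the error types that still forward unscanned content, and maps a scan outcome to pass or block. The `fallback-options` set-command syntax and the sample configuration are assumptions constructed for illustration; the error-type keywords are the ones named on this page.

```python
import re

# Error-type keywords as listed on this page.
ERROR_TYPES = ("engine-not-ready", "corrupt-file", "decompress-layer", "password-file",
               "content-size", "too-many-requests", "timeout", "out-of-resources", "default")
DEFAULT_ACTION = "log-and-permit"  # stated default for every error type

# Assumed "display set" syntax for a profile's fallback options.
SET_RE = re.compile(r"^set security utm feature-profile anti-virus \S+ profile (\S+) "
                    r"fallback-options (\S+) (block|log-and-permit)\s*$")

def effective_fallbacks(config_text, profile):
    """Return {error_type: action}, filling unset types with the default action."""
    actions = {e: DEFAULT_ACTION for e in ERROR_TYPES}
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if m and m.group(1) == profile:
            if m.group(2) not in actions:
                raise ValueError(f"unknown fallback option: {m.group(2)}")
            actions[m.group(2)] = m.group(3)
    return actions

def handle(scan_result, fallbacks):
    """Map a scan outcome to 'pass' or 'block' per the scan-result list on this page."""
    if scan_result == "clean":
        return "pass"
    if scan_result == "infected":
        return "block"
    # Anything else is an error code; errors not in the list use the "default" option.
    action = fallbacks.get(scan_result, fallbacks["default"])
    return "block" if action == "block" else "pass"

def fail_open(fallbacks):
    """Error types for which content is forwarded without a completed scan."""
    return sorted(e for e, a in fallbacks.items() if a != "block")

# Constructed sample configuration (not output from a real device).
SAMPLE = """\
set security utm feature-profile anti-virus type kaspersky-lab-engine
set security utm feature-profile anti-virus kaspersky-lab-engine profile kasprof fallback-options default block
set security utm feature-profile anti-virus kaspersky-lab-engine profile kasprof fallback-options timeout block
set security utm feature-profile anti-virus kaspersky-lab-engine profile kasprof fallback-options password-file block
"""

if __name__ == "__main__":
    fb = effective_fallbacks(SAMPLE, "kasprof")
    print("fail-open error types:", fail_open(fb))
    print("password-file ->", handle("password-file", fb))
    print("corrupt-file  ->", handle("corrupt-file", fb))
```

Setting only the default option to block leaves every named error type at log-and-permit, which is why the sample still reports six fail-open types.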

The Kaspersky and Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.

Example: Configuring Antivirus Scanning Fallback Options

The Antivirus Scanning Fallback options are not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, this example shows how to configure antivirus scanning fallback options.

Requirements

Before you begin, understand the possible error types and the default fallback actions for those error types. See Understanding Antivirus Scanning Fallback Options.

Overview

In this example, you configure a feature profile called kasprof and set the fallback scanning options for default, content-size, corrupt-file, decompress-layer, engine-not-ready, out-of-resources, password-file, timeout, and too-many-requests to block.

Note:

The command for changing the URL for the pattern database is:

The default URL is http://update.juniper-updates.net/AV/<device-version>. You should not change this URL unless you are experiencing problems with it and have called for support.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure scanning fallback options:

  1. Select and configure the engine type.

  2. Create a profile for the Kaspersky Lab engine and configure a list of fallback options as block or log-and-permit.

Results

From configuration mode, confirm your configuration by entering the show security utm feature-profile anti-virus command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Antivirus Scanning Fallback Options

Purpose

Verify the antivirus scanning fallback options.

Action

From operational mode, enter the show configuration security utm command.

Release History Table

Release       Description
15.1X49-D10   The Full Antivirus Scan Result Handling is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.
15.1X49-D10   The Monitoring Antivirus Scan Engine Status is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.
15.1X49-D10   The Monitoring Antivirus Session Status is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.
15.1X49-D10   The Monitoring Antivirus Scan Results are not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.
15.1X49-D10   The Kaspersky and Express Antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.
15.1X49-D10   The Antivirus Scanning Fallback options are not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.