Create an Anti-malware Profile

You are here: Security Services > Advanced Threat Prevention > Anti-malware.

Configure anti-malware profiles for the SRX Series Firewall. The profile lets you define which files to send to the cloud for inspection and the action to be taken when malware is detected.

To create an anti-malware profile:

  1. Click + on the upper-right corner of the Anti-malware page.
    The Create Anti-malware Profile page opens.
  2. Complete the configuration according to the guidelines provided in Table 1.
  3. Click OK to save the changes. To discard your changes, click Cancel.

    Once you create the anti-malware profile, you can associate it with the security policies.

Table 1: Fields on the Create Anti-malware Profile Page

Field

Action

Name

Enter a name for the anti-malware profile.

The name must be a unique string of alphanumeric and special characters, 64 characters maximum. Special characters such as & ( ) ] ? " # are not allowed.

Verdict threshold

Select a threshold value from the list.

The threshold value determines when a file is considered malware. If the cloud service returns a file verdict equal to or higher than the configured threshold, then that file is considered malware.

Protocols

HTTP

Enable this option to inspect advanced anti-malware (AAMW) files downloaded by hosts through the HTTP protocol. The AAMW files are then submitted to Juniper ATP Cloud for malware screening.

Once you enable this option, configure the following:

  • Action (known verdict)—Select Permit or Block action from the list based on the detected malware.

  • Action (unknown verdict)—Select Permit or Block action from the list based on the detected malware having a verdict of “unknown.”

  • Notification—Select one of the following client notification options for the permit or block action taken on detected malware:

    • Redirect URL—Enter HTTP URL redirection for a customized client notification based on detected malware with the block action.

    • Redirect message—Enter the message for a customized client notification based on detected malware with the block action.

      Range: 1 through 1023

    • File name—Click Browse to upload a customized file to which users will be directed. The files must be in .php, .html, or .py format and the files will be stored in /jail/var/tmp.

  • Inspection profile—Select a Juniper Advanced Threat Prevention (ATP) Cloud profile name from the list. The ATP Cloud profile defines the types of files to scan.

    To view the default and other inspection profiles on the SRX Series Firewall, your device must be enrolled with Juniper ATP Cloud.

  • Logs—Enable this option to add the event to the log file.

IMAP

Enable this option to inspect and manage email attachments sent over IMAP email management.

Once you enable this option, configure the following:

  • Inspection profile—Select a Juniper Advanced Threat Prevention (ATP) Cloud profile name from the list. The ATP Cloud profile defines the types of files to scan.

    To view the default and other inspection profiles on the SRX Series Firewall, your device must be enrolled with Juniper ATP Cloud.

  • Logs—Enable this option to add the event to the log file.

SMB

Enable this option to inspect files downloaded by hosts through the Server Message Block (SMB) protocol. The SMB protocol enables applications or users to access files and other resources on a remote server.

Once you enable this option, configure the following:

  • Action—Select Permit or Block action from the list based on the downloaded files.

  • Inspection profile—Select a Juniper Advanced Threat Prevention (ATP) Cloud profile name from the list. The ATP Cloud profile defines the types of files to scan.

    To view the default and other inspection profiles on the SRX Series Firewall, your device must be enrolled with Juniper ATP Cloud.

  • Logs—Enable this option to add the event to the log file.

SMTP

Enable this option to inspect and manage email attachments sent over SMTP email management.

Once you enable this option, configure the following:

  • Inspection profile—Select a Juniper Advanced Threat Prevention (ATP) Cloud profile name from the list. The ATP Cloud profile defines the types of files to scan.

    To view the default and other inspection profiles on the SRX Series Firewall, your device must be enrolled with Juniper ATP Cloud.

  • Logs—Enable this option to add the event to the log file.

Fallback Actions

Global fallback action

Select None, Permit, or Block action from the list to permit or block the file regardless of its threat level.

Logs

Enable this option to add the event to the log file.

Specific Fallback Configurations

  • Invalid content size:

    • Select None, Permit, or Block action from the list if the content size exceeds the supported range (32 MB).

    • Logs—Enable this option to add the event to the log file.

  • Out of resource action

    • Select None, Permit, or Block action from the list if the service is out of resources.

    • Logs—Enable this option to add the event to the log file.

  • Service not ready action

    • Select None, Permit, or Block action from the list if the service is not yet ready.

    • Logs—Enable this option to add the event to the log file.

  • Submission timeout action

    • Select None, Permit, or Block action from the list if the submission times out.

    • Logs—Enable this option to add the event to the log file.

  • Unknown file action:

    • Select None, Permit, or Block action from the list if the file type is unknown.

    • Logs—Enable this option to add the event to the log file.

  • Verdict timeout action

    • Select None, Permit, or Block action from the list if the verdict response times out.

    • Logs—Enable this option to add the event to the log file.

Additional Logging

Files under verdict threshold

Enable this option to create a system log entry when the file verdict number is less than the threshold.

Blocklist

Enable this option to create a system log entry when an attempt is made to access a resource that is listed in the blocklist.

Allowlist

Enable this option to create a system log entry when an attempt is made to access a resource that is listed in the allowlist.
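
The following is an added example, not Juniper code: a small pre-entry review that checks a planned profile against the rules in Table 1 (name, redirect message, notification file type) and reports every fallback condition whose effective action is not Block. The dictionary layout and key names are hypothetical; the assumptions about the message range and about how a specific action of None relates to the global fallback action are marked in the comments.

```python
# Added example: pre-entry review of a planned profile (dict layout is hypothetical).
FORBIDDEN_NAME_CHARS = set('&()]?"#')   # the characters Table 1 lists as not allowed
NOTIFY_FILE_EXTS = (".php", ".html", ".py")
FALLBACK_CONDITIONS = ("invalid_content_size", "out_of_resource", "service_not_ready",
                       "submission_timeout", "unknown_file", "verdict_timeout")

def is_malware(verdict, threshold):
    """Table 1: a verdict equal to or higher than the threshold means malware."""
    return verdict >= threshold

def review_profile(profile):
    """Return findings (strings) for one planned profile."""
    findings = []
    name = profile.get("name", "")
    if not 1 <= len(name) <= 64:
        findings.append("name: must be 1-64 characters")
    bad = "".join(sorted(FORBIDDEN_NAME_CHARS & set(name)))
    if bad:
        findings.append("name: disallowed characters " + bad)
    http = profile.get("http", {})
    msg = http.get("redirect_message")
    # Assumption: "Range: 1 through 1023" is the message length in characters.
    if msg is not None and not 1 <= len(msg) <= 1023:
        findings.append("http.redirect_message: length outside 1-1023")
    fname = http.get("file_name")
    if fname and not fname.lower().endswith(NOTIFY_FILE_EXTS):
        findings.append("http.file_name: must be .php, .html, or .py")
    if http.get("action_unknown_verdict") == "Permit":
        findings.append("http: files with an unknown verdict are permitted")
    fallback = profile.get("fallback", {})
    for cond in FALLBACK_CONDITIONS:
        # Assumption: a specific action of "None" defers to the global fallback action.
        action = fallback.get(cond, "None")
        if action == "None":
            action = fallback.get("global", "None")
        if action != "Block":
            findings.append(f"fallback.{cond}: effective action {action}, not Block")
    return findings

# Constructed sample profile, not taken from a real device.
SAMPLE = {
    "name": "aamw-branch(01)",
    "http": {"action_known_verdict": "Block", "action_unknown_verdict": "Permit",
             "redirect_message": "", "file_name": "blocked.txt"},
    "fallback": {"global": "Permit", "verdict_timeout": "Block"},
}

if __name__ == "__main__":
    for finding in review_profile(SAMPLE):
        print(finding)
```

A fallback finding is not necessarily an error: it marks a condition under which a file is not blocked without a verdict, which is worth pairing with the Logs option for that condition.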