[SRX] Example of Antivirus full file based scanning configuration via custom objects

Knowledge Base ID: KB17283
Last Updated: 16 Oct 2012
Version: 6.0

Summary:

This article provides information on how to configure Antivirus full file based scanning via custom objects. 

Solution:


The Full File-based Antivirus Protection setup is very similar to the Antivirus Express setup, except that it uses a different scan engine: Full File-based Antivirus Protection uses the Kaspersky Scan Engine instead of the Juniper Scan Engine (which is used by Antivirus Express).

In addition to this KB article, there is also an Application Note on Configuring Antivirus on Branch SRX Series Services Gateways and J Series Services Routers, and Technical Documentation (see link below).


Check for License

Before you begin the setup, confirm that the UTM Antivirus license is installed.
Run the following command, and look for 'av_key_kaspersky_engine'.
> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  av_key_kaspersky_engine               0            1           0    2010-12-31 00:00:00 UTC

If no license is installed, install it by entering the following command:
> request system license add terminal

Then copy the license key out of the license text file and paste it at the prompt.


Setup for Automatic Updates

  1. Once the license is installed, make sure the device is configured to receive antivirus pattern updates at the specified interval. You can also define the email notification sent to the admin when a pattern update completes.

  2. a. Configure automatic pattern updates for the Kaspersky scan engine:
     set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update url http://update.juniper-updates.net/AV/SRX240 (See note)
     set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update interval 120

     Note: "SRX240" in the URL is the platform name. This part of the URL is platform specific. (Other than the platform name, do not change this URL unless you are experiencing problems with it and have contacted support.)

     Alternatively, perform the pattern update manually by entering the following command:
     > request security utm anti-virus kaspersky-lab-engine pattern-update

     b. Define the pattern-update email notification:
     set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update email-notify admin-email "admin@juniper.net"
     set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update email-notify custom-message "Pattern UPDATE Done"
     set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update email-notify custom-message-subject "AV UPDATE COMPLETE"


JWeb Configuration

Use the following procedures to activate the full file-based antivirus feature.

To configure the full file antivirus feature profile:

  1. Select Configure>Security>UTM>Global options.
  2. Click the Anti-Virus tab.
  3. In the Engine Type list, select Kaspersky Lab.
  4. Click OK. A status prompt appears. Click OK. If the custom object is not successfully saved, click Details for more information.


To configure a UTM policy for full file-based antivirus:

  1. Select Configure>Security>Policy>UTM Policies.
  2. Click Add to configure a UTM policy. The Add Policy window appears.
  3. In the Main tab, next to Policy Name, enter a unique name for the UTM policy you are creating (for example, custom-utm-policy).
  4. Click the Anti-Virus profiles tab.
  5. Next to HTTP profile, select junos-av-defaults.
  6. Click OK. A status prompt appears. Click OK. If the UTM policy is not successfully saved, click Details for more information.


To attach the UTM policy to a security policy:

  1. Select Configure>Security>Policy>FW Policies.
  2. Select the trust-to-untrust (default-permit) security policy, and click Edit.
  3. In the Edit Policy window, click Application Services.
  4. In the UTM Policy list, select the UTM policy to attach to the security policy (in this example, custom-utm-policy).
  5. Click OK. A status prompt appears. Click OK. If the UTM policy is not successfully saved, click Details for more information.

Make sure that your policy is activated. By default, after you create a policy, it is activated.



CLI Configuration

To activate full file antivirus using the default antivirus profile:

  1. Define the scan engine you are going to use (in this case, the Kaspersky scan engine).
     user@host# set security utm feature-profile anti-virus type kaspersky-lab-engine
  2. Define the UTM policy so that the HTTP protocol is scanned with the default junos-av-defaults profile.
     user@host# set security utm utm-policy custom-utm-policy anti-virus http-profile junos-av-defaults
  3. Apply the UTM policy to the security policy from the Trust zone to the Untrust zone.
     user@host# set security policies from-zone trust to-zone untrust policy default-permit then permit application-services utm-policy custom-utm-policy

 

To activate full file antivirus using a custom profile and custom objects:

  1. Define the scan engine you are going to use. In this case, set the engine type to the Kaspersky Scan Engine:
     set security utm feature-profile anti-virus type kaspersky-lab-engine

  2. Define the custom objects. Before defining them, decide which type of traffic you want to scan: the scanning options available depend on the protocol the traffic uses. A list of the features available for each protocol is at the following link:
     http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/jd0e66650.html
     Once you know which protocols you want to scan, set up your anti-virus custom objects. Custom objects include URL lists, MIME pattern lists, MIME pattern exception lists, and file extension lists. This example sets up a filename-extension custom object:

     set security utm custom-objects filename-extension file-ext-list value .zip
     set security utm custom-objects filename-extension file-ext-list value .tar
     set security utm custom-objects filename-extension file-ext-list value .vbs

  3. Configure how the client is notified when a virus is detected or an error occurs while traffic is being scanned for viruses. In this example, a custom email message is sent to the clients, fallback notifications describe which errors occurred during scanning, and an action is defined for each fallback error.

     a. Virus detected: send a message only. To the client, the protocol exchange appears to succeed, but the message reports that a virus was found.
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile notification-options virus-detection type message
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile notification-options virus-detection notify-mail-sender
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile notification-options virus-detection custom-message "Virus Found"
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile notification-options virus-detection custom-message-subject VIRUS

     b. Fallback error: send protocol-only, which the client sees as an error in the protocol itself.
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile notification-options fallback-block type protocol-only
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile notification-options fallback-block notify-mail-sender
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile notification-options fallback-block custom-message "Error Occured"
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile notification-options fallback-block custom-message-subject "ERROR WHILE SCANNING"

     c. Define the action for each fallback error: either block or log-and-permit. Here every error blocks the traffic being scanned and sends the error configured in the fallback notification.
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile fallback-options default block
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile fallback-options corrupt-file block
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile fallback-options password-file block
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile fallback-options decompress-layer block
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile fallback-options content-size block
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile fallback-options engine-not-ready block
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile fallback-options timeout block
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile fallback-options out-of-resources block
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile fallback-options too-many-requests block

  4. Define the scan options: the file-extension list to use, the scan-mode (by-extension), intelligent prescreening, and the scan timeout value:
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile scan-options intelligent-prescreening
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile scan-options scan-mode by-extension
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile scan-options scan-extension file-ext-list
     set security utm feature-profile anti-virus kaspersky-lab-engine profile virus-profile scan-options timeout 1600

  5. Define the UTM policy, which attaches an anti-virus profile to each protocol to be scanned. In this example the email protocols are scanned with the virus-profile scan options. This lets you set up an individual profile for each protocol:
     set security utm utm-policy anti-virus-pol anti-virus smtp-profile virus-profile
     set security utm utm-policy anti-virus-pol anti-virus pop3-profile virus-profile
     set security utm utm-policy anti-virus-pol anti-virus imap-profile virus-profile

  6. Last, apply the UTM policy to a security policy as an application service. In this example the policy is from Untrust to Trust.
     set security policies from-zone untrust to-zone trust policy anti-virus match source-address any
     set security policies from-zone untrust to-zone trust policy anti-virus match destination-address any
     set security policies from-zone untrust to-zone trust policy anti-virus match application any
     set security policies from-zone untrust to-zone trust policy anti-virus then permit application-services utm-policy anti-virus-pol


Technical Documentation Reference

JUNOS Security Configuration Guide
  • PDF  - See Chapter 23, Full File-based Antivirus Protection (page 639).
  • HTML
Application Note


Verification

  * Make sure to check the update status and signature version.

> show security utm anti-virus status
UTM anti-virus status:

Anti-virus key expire date: 2010-12-31 00:00:00
Update server: http://update.juniper-updates.net/AV/SRX240
Interval: 120 minutes
Pattern update status: next update in 54 minutes
Last result: already have latest database
Anti-virus signature version: 09/03/2009 07:01 GMT, virus records: 467973
Anti-virus signature compiler version: N/A
Scan engine type: kaspersky-lab-engine
Scan engine information: last action result: No error(0x00000000)


This command shows the statistics for traffic being scanned. If traffic is hitting the policy with antivirus configured on it, the corresponding counters increment.
> show security utm anti-virus statistics
UTM Anti Virus statistics:

Intelligent-prescreening passed: 0
MIME-whitelist passed: 0
URL-whitelist passed: 0
Forwarded to scan engine: 0

Scan Mode:
scan-all: 0
Scan-extension: 0

Scan Code:
clear: 0
Infected: 0
Password files 0
Decompress layers: 0
Corrupt files: 0
Out of resources: 0
Internal errors: 0

Fall back:                log-and-permit   block
Engine not ready:         0                0
Password file:            0                0
Decompress layer:         0                0
Corrupt files:            0                0
Out of resources:         0                0
Timeout:                  0                0
Maximum content size:     0                0
Too many requests:        0                0
Others:                   0                0
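As an added illustration of the two verification outputs above (this script is not part of the KB and not a Juniper tool), the following Python parses constructed copies of the `show security utm anti-virus status` and `show security utm anti-virus statistics` output. It flags an expired or soon-to-expire licence, a stale signature database, a wrong engine type and engine errors, and compares two statistics snapshots so that traffic that never reaches the scan engine, infections, and fallback events (including files passed unscanned under log-and-permit) are reported. The sample texts, the 7-day signature-age threshold, and the month/day reading of the signature date are assumptions.

```python
"""Health checks over 'show security utm anti-virus status' and 'statistics' output."""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed samples in the format the KB shows; not captured from a live device.
STATUS_SAMPLE = """\
UTM anti-virus status:

Anti-virus key expire date: 2010-12-31 00:00:00
Last result: already have latest database
Anti-virus signature version: 09/03/2009 07:01 GMT, virus records: 467973
Scan engine type: kaspersky-lab-engine
Scan engine information: last action result: No error(0x00000000)
"""

STATS_BEFORE = """\
UTM Anti Virus statistics:

Forwarded to scan engine: 0

Scan Code:
clear: 0
Infected: 0
Password files 0

Fall back: log-and-permit block
Engine not ready: 0 0
Timeout: 0 0
"""

# Constructed second snapshot: 40 files forwarded, 1 infected, 2 timeouts blocked.
STATS_AFTER = (STATS_BEFORE
               .replace("Forwarded to scan engine: 0", "Forwarded to scan engine: 40")
               .replace("clear: 0", "clear: 37")
               .replace("Infected: 0", "Infected: 1")
               .replace("Timeout: 0 0", "Timeout: 0 2"))


def parse_status(text):
    """Map each 'label: value' line of the status output to its value."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(": ")
        if sep:
            fields[label.strip()] = value.strip()
    return fields


def check_status(fields, now, max_signature_age=timedelta(days=7)):
    """Findings a defender wants: licence expiry, stale signatures, wrong engine, engine errors."""
    findings = []
    expires = datetime.strptime(fields["Anti-virus key expire date"],
                                "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
    if expires <= now:
        findings.append("licence expired on %s; scanning is unlicensed" % expires.date())
    elif expires - now < timedelta(days=30):
        findings.append("licence expires in %d days" % (expires - now).days)
    # Assumption: the signature date is printed as MM/DD/YYYY.
    m = re.match(r"(\d\d/\d\d/\d{4} \d\d:\d\d) GMT", fields["Anti-virus signature version"])
    signed = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M").replace(tzinfo=UTC)
    if now - signed > max_signature_age:
        findings.append("signature database is %d days old" % (now - signed).days)
    if fields["Scan engine type"] != "kaspersky-lab-engine":
        findings.append("engine is %s, not the Kaspersky engine" % fields["Scan engine type"])
    if "No error" not in fields["Scan engine information"]:
        findings.append("engine reported: " + fields["Scan engine information"])
    return findings


def status_findings(text, now_iso):
    """Convenience wrapper: run check_status against a date given as 'YYYY-MM-DD'."""
    return check_status(parse_status(text), datetime.fromisoformat(now_iso).replace(tzinfo=UTC))


# A counter line: name, optional colon ('Password files 0' has none), one or two integers.
_COUNTER = re.compile(r"^(?P<name>[A-Za-z][A-Za-z -]*?):?\s+(?P<a>\d+)(?:\s+(?P<b>\d+))?$")


def parse_statistics(text):
    """Counters keyed by name; rows of the 'Fall back' table become (log_and_permit, block)."""
    counters = {}
    for line in text.splitlines():
        m = _COUNTER.match(line.strip())
        if not m:          # headers such as 'Scan Code:' carry no numbers
            continue
        value = int(m.group("a"))
        if m.group("b") is not None:
            value = (value, int(m.group("b")))
        counters[m.group("name")] = value
    return counters


def check_statistics(before, after):
    """Compare two snapshots: traffic must reach the engine, and fallbacks must be visible."""
    findings = []
    if after["Forwarded to scan engine"] == before["Forwarded to scan engine"]:
        findings.append("no new traffic reached the scan engine (policy not hit, or traffic exempted)")
    infected = after["Infected"] - before["Infected"]
    if infected:
        findings.append("%d infected file(s) detected" % infected)
    for name, value in after.items():
        if isinstance(value, tuple):          # fallback row
            permitted = value[0] - before[name][0]
            blocked = value[1] - before[name][1]
            if permitted:
                findings.append("fallback '%s': %d file(s) passed unscanned (log-and-permit)" % (name, permitted))
            if blocked:
                findings.append("fallback '%s': %d file(s) blocked" % (name, blocked))
    return findings
```

Taking the statistics snapshot before and after sending a test message through the policy is the quickest way to confirm that the policy is actually being hit; a non-zero log-and-permit column is the one to watch, because those files were forwarded without a verdict.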


Troubleshooting

The following traceoptions are used for troubleshooting:
root# set security traceoptions flag all
root# set security utm traceoptions flag all
root# set security utm application-proxy traceoptions flag all
root# set security utm feature-profile anti-virus traceoptions flag all

Traceoptions can be found in the following logs:
/var/log/utmd-av


Full working configuration example for Antivirus:

version 10.0R3.10;
system {
    host-name Starburst;
    root-authentication {
        encrypted-password "$1$iW071u1Z$VnoweWgzTpM6zJP9NYfwq0"; ## SECRET-DATA
    }
    login {
        message "/**** Please reload /var/tmp/default.conf when you are done ****/ ";
        user lab {
            uid 2000;
            class superuser;
            authentication {
                encrypted-password "$1$Y7A5lhIu$K6ivfoJj86BYFMph1Mwr.1"; ## SECRET-DATA
            }
        }
    }
    services {
        ftp;
        ssh;
        telnet;
        web-management {
            traceoptions {
                flag dynamic-vpn;
                flag webauth;
            }
            http {
                interface ge-0/0/0.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.66.94/24;
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 66.129.243.0/24 {
            next-hop 10.10.66.1;
            no-readvertise;
        }
    }
}
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/15.0;
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            any-service;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy allow-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy anti-virus {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy anti-virus-pol;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy allow-through {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    utm {
        custom-objects {
            filename-extension {
                file-ext-list {
                    value [ .zip .tar .vbs ];
                }
            }
        }
        feature-profile {
            anti-virus {
                type kaspersky-lab-engine;
                kaspersky-lab-engine {
                    pattern-update {
                        email-notify {
                            admin-email "admin@juniper.net";
                            custom-message "Pattern UPDATE Done";
                            custom-message-subject "AV UPDATE COMPLETE";
                        }
                        url http://update.juniper-updates.net/AV/SRX240;
                        interval 120;
                    }
                    profile virus-profile {
                        fallback-options {
                            default block;
                            corrupt-file block;
                            password-file block;
                            decompress-layer block;
                            content-size block;
                            engine-not-ready block;
                            timeout block;
                            out-of-resources block;
                            too-many-requests block;
                        }
                        scan-options {
                            intelligent-prescreening;
                            scan-mode by-extension;
                            scan-extension file-ext-list;
                            timeout 1600;
                        }
                        notification-options {
                            virus-detection {
                                type message;
                                notify-mail-sender;
                                custom-message "Virus Found";
                                custom-message-subject VIRUS;
                            }
                            fallback-block {
                                type protocol-only;
                                notify-mail-sender;
                                custom-message "Error Occured";
                                custom-message-subject "ERROR WHILE SCANNING";
                            }
                        }
                    }
                }
            }
        }
        utm-policy anti-virus-pol {
            anti-virus {
                smtp-profile virus-profile;
                pop3-profile virus-profile;
                imap-profile virus-profile;
            }
        }
    }
}
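The fallback-options and scan-options in the profile above decide what happens when a file cannot be scanned: block fails closed, log-and-permit forwards content that was never scanned, and scan-mode by-extension scans only files whose extension is in the custom object. The following Python audit, added here and not part of the KB or of Junos, parses configuration in the curly-brace form shown above and reports those fail-open settings. The lax-profile variant and the rule that a condition without its own action takes the `default` action are assumptions.

```python
"""Audit a Junos UTM anti-virus profile for fail-open fallback and scan settings."""

# Constructed excerpt in the same curly-brace form as the full configuration above.
PROFILE_STRICT = """\
profile virus-profile {
    fallback-options {
        default block;
        corrupt-file block;
        password-file block;
        decompress-layer block;
        content-size block;
        engine-not-ready block;
        timeout block;
        out-of-resources block;
        too-many-requests block;
    }
    scan-options {
        intelligent-prescreening;
        scan-mode by-extension;
        scan-extension file-ext-list;
        timeout 1600;
    }
}
"""

# Constructed weaker variant: log-and-permit means unscanned content is forwarded.
PROFILE_LAX = """\
profile lax-profile {
    fallback-options {
        default log-and-permit;
        timeout log-and-permit;
    }
    scan-options {
        scan-mode by-extension;
        scan-extension file-ext-list;
    }
}
"""

FALLBACK_CONDITIONS = ("default", "corrupt-file", "password-file", "decompress-layer",
                       "content-size", "engine-not-ready", "timeout", "out-of-resources",
                       "too-many-requests")


def parse_junos(text):
    """Parse curly-brace Junos configuration into nested dicts; leaf statements map to their value.

    Repeated leaf keys (e.g. several 'flag' statements) overwrite each other, which is
    enough for this audit.
    """
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()      # drop trailing '## SECRET-DATA' style comments
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        elif line == "}":
            node = stack.pop()
        else:
            key, _, value = line.rstrip(";").partition(" ")
            node[key] = value                   # '' for flag statements such as intelligent-prescreening
    return root


def audit_profile(name, body):
    """Findings for one anti-virus profile: fail-open fallbacks and extension-limited scanning."""
    findings = []
    fallback = body.get("fallback-options", {})
    default = fallback.get("default", "")
    for cond in FALLBACK_CONDITIONS:
        # Assumption: a condition without its own action takes the 'default' action.
        action = fallback.get(cond, default)
        if action != "block":
            findings.append("%s: fallback '%s' is '%s' (fail-open: unscanned content is passed)"
                            % (name, cond, action or "unset"))
    scan = body.get("scan-options", {})
    if scan.get("scan-mode") == "by-extension":
        findings.append("%s: scan-mode by-extension; files not matching '%s' are never scanned"
                        % (name, scan.get("scan-extension", "?")))
    return findings


def audit(config):
    """Walk the parsed tree and audit every 'profile <name>' block that carries scan settings."""
    findings = []
    for key, body in config.items():
        if not isinstance(body, dict):
            continue
        if key.startswith("profile ") and ("fallback-options" in body or "scan-options" in body):
            findings.extend(audit_profile(key.split(" ", 1)[1], body))
        else:
            findings.extend(audit(body))
    return findings
```

Run against the profile from this KB the audit reports only the by-extension limitation, which is a deliberate trade-off here (the custom object lists the extensions to scan); against the lax variant every fallback condition is reported, because an unset condition inherits the fail-open default.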

Purpose: Configuration, Implementation

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.