[ScreenOS] Understanding AV (Anti Virus) limitations with ScreenOS 6.x (including Extended Database support)

Article ID: KB12296 | Last Updated: 07 Jun 2013 | Version: 8.0
Summary:
This article provides information about AV (Anti Virus) limitations with ScreenOS 6.x (including Extended Database support).
Symptoms:
Juniper Networks develops and sells advanced firewall network security devices, which also incorporate Unified Threat Management (UTM) features such as Anti-Virus, Anti-Spam, Deep Inspection, and Web Filtering. This article is meant to help device administrators properly deploy and take advantage of the Anti-Virus features of these devices and understand their limitations in ScreenOS 6.0, 6.1, and later versions.

The structure of this article will be in the form of a FAQ, which addresses the following areas:

  • Kaspersky AV

  • Extended Database

  • Pattern type extended

  • AV database size
Cause:

Solution:
1.  Question:  When I configure the Scan-Manager pattern type to the 'Extended' Database, it automatically switches the pattern type to 'Standard' (as also shown by 'get av scan'). Am I at risk?
Answer:  The Extended Database is no longer supported in ScreenOS 6.x. The Extended Database has grown to more than 30 MB and includes all known AV virus signatures to date. Most of these are old viruses that are no longer in the wild; they are very hard to come by because they are no longer effective at malicious activity, mostly because virtually all AV scanners catch and eliminate them. While there is still a chance of contracting such a virus, it is highly unlikely. Additionally, customers who take a thorough and layered approach to their Anti-Virus strategy (explained throughout this document) will augment the gateway device with server and desktop AV.

Note: The CLI may allow you to set the pattern-type to Extended, but it is recommended that you set it to Standard. Extended is not supported, so the Standard database will be used automatically.

2.  Question:  Will the Juniper Firewall with AV capability be able to scan all files?

Answer:  No. The Juniper Firewall with AV assumes the role of a gateway Anti-Virus device. To strike a balance between security and the performance expected of a gateway AV device, limitations have been put into place. Some of these limitations are specified in the following chart:

Category                                          SSG 5/20 & NS-5GT   SSG 140       SSG 320/350 & SSG 520/550
------------------------------------------------  ------------------  ------------  -------------------------
Decompress Layer (***) Limit                      4                   6             1 to 8
  (number of layers of nested compressed files,
   encoded data or packaged data the internal
   AV scanner can decompress)
Maximum Content Size                              20-10000 KB         20-16000 KB   20-24000 KB
  (maximum size of content for a single message
   that the internal AV scanner scans for virus
   patterns)
Total number of messages scanned concurrently     256                 512           1024


Starting with ScreenOS 6.1.0, for SSG5/20 devices, the maximum content size value was increased from 10 to 30 MB. This requires extra memory to be allocated for AV processing at boot time.

Correspondingly, memory utilization might seem high on this firmware. This is expected and not a bug. If this is not acceptable and you want to run AV on the gateway device, it is recommended that you upgrade your gateway device from an SSG5/20 to a higher-capacity device. For more information, refer to KB12337 - SSG-5 and SSG-20 has ~ 80% Memory Utilization after an upgrade to ScreenOS 6.1.0.

(***) Decompress Layer:
Data entering a Juniper device could be compressed, in which case the AV scan engine has to decompress the data. There are three kinds of compressed data:
  • compressed file (zip, rar, gzip, etc)
  • encoded data (MIME, ..)
  • packaged data (OLE, .CAP, .MSI, .TAR, .EML)
A Decompression Layer could be a layer of a zipped file, an embedded object in packaged data, etc. The AV engine scans each layer before unpacking it and moving on to the next layer, until it (a) reaches the user-configured decompress limit, (b) reaches the device decompress layer limit, (c) finds a virus or other malware, or (d) decompresses the data completely, whichever comes first.

As the virus signature database becomes larger and the scan algorithms more sophisticated, the scan engine gains the ability to look deeper into the data for embedded malware. As a result, it can uncover more layers of compressed data.

The Juniper device's level of security is bounded by the decompress limit, which is based on the memory allocated to the security service. If a virus is not found within the decompress limit, the user has the option to either pass or drop the data.

3.  Question:  What happens if one of the limits is reached, and how can I control that behavior?
Answer:  By default, the device will drop the connection and any related files when a limit is reached. However, this is sometimes too restrictive and leads to important files being dropped at the gateway AV. Juniper Firewall devices with AV therefore allow the administrator to decide whether to Permit or Drop such connections/files should one of the limits be reached. In ScreenOS 6.0 and later this functionality has been enhanced to give the administrator more granular control. By default, these settings are set to Drop, and most of them should be left at the default. However, there are cases where Permit would be the better option. These options are configurable under Security > Antivirus > Scan Manager:

[Screenshot: AV traffic options under Security > Antivirus > Scan Manager]

  • Exceeds Decompression Layer:  [Default Drop]  What should the firewall do if a file exceeds the firewall's decompression layer limit? If you expect to regularly receive files that have many layers (encrypted, embedded, etc.), then it may make sense to set this to Permit. In a properly layered security environment, security would not be compromised, since desktop and/or email server AV solutions should scan the file beyond the initial layers.
  • Password File:  [Default Permit]  What should the firewall do with password-protected files that it cannot scan?
  • Corrupt File:  [Default Permit]  What should the firewall do with a file that is corrupt?
  • Out of Resource:  [Default Drop]  What should the firewall do with files that arrive when the firewall is out of resources? When an AV scan results in an out-of-resource error condition, the file is dropped or passed based on the max-content-size setting, but the out-of-resource counter is incremented.
  • Engine not Ready:  [Default Drop]  What should the firewall do when the AV scan engine is not ready and cannot scan files?
  • Timeout:  [Default Drop]  What should the firewall do if the AV scan engine times out while attempting to scan a file?
  • Exceeds Content Size Limit:  [Default Drop, 10000]  What should the AV engine do with files that exceed the maximum content size? Files that exceed the maximum size will be either dropped or passed, depending on this selection. The default max content size is 10000 KB, and it can be modified to anywhere from 20 – 10000 KB. The smaller the KB size, the more memory may become available.
  • Too Many Requests:  [Default Drop]  What should the AV engine do with requests that arrive beyond the maximum number of simultaneous AV scan requests? If this occurs often, it may be a sign that a higher-capacity device is needed in the target network.

4.  Question:  What is a layer?
Answer:  Data entering a Juniper device could be compressed, in which case the AV scan engine has to decompress the data. There are three kinds of compressed data:
  • compressed file (zip, rar, gzip, etc.)
  • encoded data (MIME, ...)
  • packaged data (OLE, .CAP, .MSI, .TAR, .EML)
As the AV signature database becomes larger and the scan algorithms more sophisticated, the scan engine gains the ability to look deeper into the data for embedded malware. As a result, it can uncover more layers of compressed data.

The AV engine scans each layer before unpacking it and moving on to the next layer, until it:
  (a) reaches the decompress limit. If the "Exceeds Decompression Layer" option is set to Permit, the firewall will pass the file through with only the initial layers scanned (how many depends on the platform);
  (b) finds a virus or other malware; or
  (c) decompresses and scans the data completely.
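The following is an added, constructed model of the Permit/Drop decisions described in questions 2 through 4; it is not ScreenOS code and was not written by Juniper. The per-platform limits and the option defaults are copied from the tables above (the upper end of each range is used as the platform limit); the Layer description, the function names and the outermost-first walk order are assumptions made for illustration. It shows concretely what the "Exceeds Decompression Layer" setting trades away: with Permit, a payload nested deeper than the platform limit leaves the gateway without ever being scanned, which is why downstream (server and desktop) AV is needed.

```python
"""Constructed model of the gateway AV limit handling in this KB article.

Added illustration, not ScreenOS code: platform numbers and option defaults
are taken from the article's tables; Layer, Verdict, scan() and the walk
order are assumptions for illustration only.
"""
from dataclasses import dataclass

# Per-platform limits from the article's table: decompress layers, maximum
# content size in KB, and concurrent scans (upper end of each range).
PLATFORM_LIMITS = {
    "SSG5/20": {"layers": 4, "max_content_kb": 10000, "concurrent": 256},
    "SSG140": {"layers": 6, "max_content_kb": 16000, "concurrent": 512},
    "SSG320/350/520/550": {"layers": 8, "max_content_kb": 24000, "concurrent": 1024},
}

# Article defaults for the Scan Manager "limit reached" options.
DEFAULT_ACTIONS = {
    "exceeds_decompress_layer": "drop",
    "password_file": "permit",
    "corrupt_file": "permit",
    "out_of_resource": "drop",
    "engine_not_ready": "drop",
    "timeout": "drop",
    "exceeds_content_size": "drop",
    "too_many_requests": "drop",
}


@dataclass
class Layer:
    """One decompression layer: a zip member, a MIME part, an OLE object, etc."""
    kind: str
    infected: bool = False
    password_protected: bool = False
    corrupt: bool = False


@dataclass
class Verdict:
    action: str          # "permit" or "drop"
    reason: str          # which limit or outcome decided it
    layers_scanned: int  # how deep the engine actually looked


def scan(layers, size_kb, platform, actions=None, decompress_limit=None, active_scans=0):
    """Walk the nested layers outermost first, stop at the first limit hit,
    virus found, or end of data, and apply the configured action."""
    limits = PLATFORM_LIMITS[platform]
    actions = {**DEFAULT_ACTIONS, **(actions or {})}

    # Limits that apply before any content is inspected.
    if active_scans >= limits["concurrent"]:
        return Verdict(actions["too_many_requests"], "too_many_requests", 0)
    if size_kb > limits["max_content_kb"]:
        return Verdict(actions["exceeds_content_size"], "exceeds_content_size", 0)

    # Effective depth is the user-configured limit capped by the device limit.
    effective = limits["layers"]
    if decompress_limit is not None:
        effective = min(decompress_limit, effective)

    for depth, layer in enumerate(layers, start=1):
        if depth > effective:
            # Deeper layers are never unpacked; with Permit they pass unscanned.
            return Verdict(actions["exceeds_decompress_layer"], "exceeds_decompress_layer", depth - 1)
        if layer.password_protected:
            return Verdict(actions["password_file"], "password_file", depth)
        if layer.corrupt:
            return Verdict(actions["corrupt_file"], "corrupt_file", depth)
        if layer.infected:
            return Verdict("drop", "virus_found", depth)
    return Verdict("permit", "clean", len(layers))


# Constructed sample: a MIME message carrying a zip nested four deep, with the
# malicious payload in the innermost (fifth) layer.
DEEP_NESTED = [Layer("mime"), Layer("zip"), Layer("zip"), Layer("zip"), Layer("zip", infected=True)]

if __name__ == "__main__":
    for name in PLATFORM_LIMITS:
        print(name, scan(DEEP_NESTED, 500, name))
    # Same file with "Exceeds Decompression Layer" switched to Permit on an SSG5/20.
    print("SSG5/20 permit:", scan(DEEP_NESTED, 500, "SSG5/20", actions={"exceeds_decompress_layer": "permit"}))
```

Running the sample on an SSG5/20 (limit 4) stops after four layers and drops the file under the default, while the same file on an SSG 140 or SSG 320+ reaches the fifth layer and is dropped because the virus was actually found; switching the option to Permit on the SSG5/20 lets the file through with the infected layer unscanned.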

5.  Question:  Am I less secure because of the limitations listed in the Question 2 table? Or: what should an AV gateway device's role be in my security infrastructure?
Answer:  If customers use a properly layered security approach, security should not be compromised. Juniper highly recommends that customers architect their security infrastructure to be holistic and layered. In addition to enabling AV on the firewall, it is suggested that it also be enabled on email servers, web servers, client PCs, etc. No one device in a network can secure the entire network. Do not be lulled into a false sense of security when only a gateway AV device is in place.

A gateway AV device (such as the Juniper Firewall with AV) plays the role of first defense in a properly layered security infrastructure. It will catch many of the viruses, but due to limitations imposed by a gateway device’s dual role, it will not catch 100% of them. As such, gateway AV should be considered an augmentation to your total security solution.

6.  Question:  What is the difference between the 'Standard' and 'Extended' database?
Answer:  Refer to the following table.

Size
  • Standard: depends on the platform memory allocated to it: up to 10 MB (SSG 5, 20, 140); up to 15 MB (SSG 320, 350, 520, 550)
  • Extended: 34 MB (has exceeded the memory space allocated for the AV database on all SSGs; can no longer be accommodated by SSGs)

Number of Signatures
  • Standard: ~260,000 (SSG 5, 20, 140); ~465,000 (SSG 320, 350, 520, 550)
  • Extended: 1.28 million

Type of Content
  • Standard: important/widespread signatures; unpackers/extractors, engine code, etc.; current/latest signatures (the database is filled with these signatures until the memory limit is reached)
  • Extended: important/widespread signatures; unpackers/extractors, engine code, etc.; current/latest signatures

Detection Rate
  • Standard: varies with the age of the malware: for the most recent malware (30-60 days), the detection rate is 95%-98%; for older viruses going back to the beginning of 2007 (two years old), the detection rate is 55%-65%
  • Extended: 99%-100%

7.  Question:  Where can I get further assistance to properly leverage the Juniper Firewall AV solution in my network?
Answer:  Many of Juniper’s Value Added Resellers are well trained in network security concepts and would be more than happy to assist customers with designing their security architecture.

References:
Concepts & Examples ScreenOS Reference Guide, Volume 4, Attack Detection and Defense Mechanisms:
http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/CE_v4.pdf

White Paper -- Comparison of Firewall, Intrusion Prevention and Antivirus Technologies:
http://www.juniper.net/solutions/literature/white_papers/200063.pdf

Juniper Networks ScreenOS Release Notes:
http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/rn_600_r5.pdf
http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/#RN

Juniper Network Books:
http://www.juniper.net/training/jnbooks/

ScreenOS Cookbook:
http://www.juniper.net/training/jnbooks/screenos_ckbk.html